Content update schedule is not following best practices-paloaltonetworks-panos
Indeni will alert if the update schedule for Applications and Threats is not following best practices.
Ensure the Applications and Threats content update schedule is correctly configured. For more details, please check this link: https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/threat-prevention/best-practices-for-content-and-threat-content-updates.
How does this work?
This alert uses the Palo Alto Networks API interface to parse the Dynamic Update schedule and alerts the admin if it is not following best practices.
Why is this important?
Security-first customer: use an hourly recurrence with the "download and install" action and set the threshold to less than 6 hours. Availability-first customer: use a daily recurrence with the "download and install" action and set the threshold in the range of 24-48 hours.
Without Indeni how would you find this?
Log in to the device's web interface and click on "Device" -> "Dynamic Updates".
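The two postures described above, expressed as a compliance check (added example, not Indeni's parser or rule code). The XML layout of the update-schedule subtree is an assumed approximation of what the PAN-OS API returns, and the sample configuration is constructed for illustration.

```python
"""Check an Applications and Threats update schedule against the two
best-practice postures: security-first (hourly, threshold < 6 h) and
availability-first (daily, threshold 24-48 h). ASSUMPTION: the
<update-schedule> layout below approximates the PAN-OS config subtree."""
import xml.etree.ElementTree as ET

# Constructed sample: compliant for availability-first, not for security-first.
SAMPLE_CONFIG = """
<update-schedule>
  <threats>
    <recurring>
      <daily>
        <at>01:30</at>
        <action>download-and-install</action>
      </daily>
      <threshold>36</threshold>
    </recurring>
  </threats>
</update-schedule>
"""

# posture -> (required recurrence, threshold-in-hours predicate)
PROFILES = {
    "security-first": ("hourly", lambda t: t < 6),
    "availability-first": ("daily", lambda t: 24 <= t <= 48),
}
REQUIRED_ACTION = "download-and-install"  # both postures download AND install

def parse_threats_schedule(xml_text: str) -> dict:
    """Return {recurrence, action, threshold} for the Threats schedule."""
    recurring = ET.fromstring(xml_text).find("./threats/recurring")
    result = {"recurrence": None, "action": None, "threshold": None}
    if recurring is None:
        return result  # no schedule configured at all
    for candidate in ("every-30-mins", "hourly", "daily", "weekly"):
        node = recurring.find(candidate)
        if node is not None:
            result["recurrence"] = candidate
            result["action"] = (node.findtext("action") or "").strip() or None
            break
    thr = (recurring.findtext("threshold") or "").strip()
    result["threshold"] = int(thr) if thr.isdigit() else None
    return result

def schedule_issues(schedule: dict, posture: str) -> list:
    """Every deviation from the posture's best practice; [] means no alert."""
    want_rec, threshold_ok = PROFILES[posture]
    issues = []
    if schedule["recurrence"] != want_rec:
        issues.append(f"recurrence {schedule['recurrence']!r}, want {want_rec!r}")
    if schedule["action"] != REQUIRED_ACTION:
        issues.append(f"action {schedule['action']!r}, want {REQUIRED_ACTION!r}")
    thr = schedule["threshold"]
    if thr is None:
        issues.append("no threshold configured")
    elif not threshold_ok(thr):
        issues.append(f"threshold {thr}h outside the {posture} range")
    return issues
```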
```scala
// Deprecation warning: Scala template-based rules are deprecated. Please use YAML format rules instead.
package com.indeni.server.rules.library.templatebased.paloaltonetworks

import com.indeni.server.rules.RuleContext
import com.indeni.server.rules.library.templates.StateDownTemplateRule
import com.indeni.server.sensor.models.managementprocess.alerts.dto.AlertSeverity

/**
 *
 */
case class PanosContentUpdateScheduleRule() extends StateDownTemplateRule(
  ruleName = "PanosContentUpdateScheduleRule",
  ruleFriendlyName = "Palo Alto Networks Firewalls: Content update schedule is not following best practices",
  ruleDescription = "Indeni will alert if the update schedule for Applications and Threats is not following best practices.",
  severity = AlertSeverity.WARN,
  metricName = "content-update-schedule",
  alertDescription = "Applications and Threats content updates deliver the very latest application and threat signatures to the firewall. An organization with a security-first posture prioritizes protection using the latest threat signatures over application availability. You’re primarily using the firewall for its threat prevention capabilities. Any changes to App-ID that impact how security policy enforces application traffic is secondary. A mission-critical network prioritizes application availability over protection using the latest threat signatures. Your network has zero tolerance for downtime. The firewall is deployed inline to enforce security policy and if you’re using App-ID in security policy, any change a content releases introduces that affects App-ID could cause downtime.",
  baseRemediationText = "Ensure Apps and Threat are rightly configured for content update. For more details, please check this link: https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/threat-prevention/best-practices-for-content-and-threat-content-updates."
)()
```