One or more Vulnerability profile is not following best practices-paloaltonetworks-panos
Vendor: paloaltonetworks
OS: panos
Description:
Indeni will alert if the action for threat severity Low and Informational is not set at least as ‘default’, or if the threat severity is selected as ‘Any’ but the action field is not configured as ‘reset-both’.
Remediation Steps:
It is recommended to clone the predefined strict Vulnerability profile. For more information, please check <a target="_blank" href=“https://docs.paloaltonetworks.com/best-practices/8-1/internet-gateway-best-practices/best-practice-internet-gateway-security-policy/create-best-practice-security-profiles”>Palo Alto Networks: Best Practices
How does this work?
This alert uses the Palo Alto Networks API interface to parse through the configured Vulnerability Protection profiles and check the configured action for Information and Low severity.
Why is this important?
In each Vulnerability protection profile we have the ability to select an action for different threat severity. In this case for threat severity Low and Informational we need to set the action as ‘default’ or ‘block’. Default ensure the action defined by the Pan OS is to be taken if a threat with this severity passes through the firewall that has this profile configured. The default action in most cases would be Alert, reset-both, allow etc. In an Vulnerability protection profile if the threat severity is selected as ‘Any’ then we should have the action configured as ‘reset-both’. It is a good practice to select specific threat severity and assign the action and not configure as ‘Any’. If ‘Any’ is selected it contains all severities Critical, High, medium, Low and Informational so it has to get the action ‘reset-both’ to block the severe threats. The check looks for the fields Host Type, Category, CVE and Severity and decides which Action best fits in the rule for the Vulnerability protection profile. Enable packet captures for the Vulnerability protection threats as it helps in investigation towards the root cause of the issue if false positives are noticed.
Without Indeni how would you find this?
Login to the device’s web interface and click on “Objects” -> “Security Profiles” -> “Vulnerability Protection” and check each profile manually.
panos-vulnerability-info-low-severity
name: panos-vulnerability-info-low-severity
description: Ensure action on Vulnerability threat signatures for Low and Informational
Severity is following best practices
type: monitoring
monitoring_interval: 60 minutes
requires:
vendor: paloaltonetworks
os.name: panos
product: firewall
comments:
vulnerability-info-low-severity:
why: |
In each Vulnerability protection profile we have the ability to select an action for different threat severity. In this case for threat severity Low and Informational we need to set the action as 'default' or 'block'.
Default ensure the action defined by the Pan OS is to be taken if a threat with this severity passes through the firewall that has this profile configured. The default action in most cases would be Alert, reset-both, allow etc.
In an Vulnerability protection profile if the threat severity is selected as 'Any' then we should have the action configured as 'reset-both'.
It is a good practice to select specific threat severity and assign the action and not configure as 'Any'. If 'Any' is selected it contains all severities Critical, High, medium, Low and Informational so it has to get the action 'reset-both' to block the severe threats.
The check looks for the fields Host Type, Category, CVE and Severity and decides which Action best fits in the rule for the Vulnerability protection profile. Enable packet captures for the Vulnerability protection threats as it helps in investigation towards the root cause of the issue if false positives are noticed.
how: |
This alert uses the Palo Alto Networks API interface to parse through the configured Vulnerability Protection profiles and check the configured action for Information and Low severity.
can-with-snmp: false
can-with-syslog: false
steps:
- run:
type: HTTP
command: /api/?type=config&action=get&xpath=/config/devices/entry[@name='localhost.localdomain']/vsys/*/profiles/vulnerability&key=${api-key}
parse:
type: XML
file: panos-vulnerability-info-low-severity.parser.1.xml.yaml
- run:
type: HTTP
command: /api/?type=config&action=get&xpath=/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/profiles/vulnerability/entry[@name='${profile}']&key=${api-key}
parse:
type: XML
file: panos-vulnerability-info-low-severity.parser.2.xml.yaml
PanosVulnerabilityInfoLowSevRule
Failed to fetch the data: https://bitbucket.org/indeni/indeni-knowledge/src/master/rules/templatebased/paloaltonetworks/PanosVulnerabilityInfoLowSevRule.scala