Wildfire content update schedule is not following best practices.-paloaltonetworks-panos

Vendor: paloaltonetworks

OS: panos

Description:
Indeni will alert if the update schedule for Wildfire is not following best practices.

Remediation Steps:
Ensure update recurrence is set to “Every minute” AND update action is set to “download-and-install”.

How does this work?
This alert uses the Palo Alto Networks API to read the Dynamic Updates schedule and alerts the administrator if the WildFire schedule is not following best practices.

Why is this important?
WildFire content updates deliver the latest threat intelligence from cloud sandboxing to every firewall that has a WildFire subscription. Even before a threat becomes widespread, the network can be protected by a quick update, as early as the next minute after the verdict is finalized. Always make sure the action is set to “download-and-install” and the recurrence to every 1 minute so that new content updates take effect. If there are no new WildFire signatures on the update server, the firewall simply keeps checking for updates every minute; only when new content is available does the next minute's query download the content update.
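The check described above, as an added example that is not Indeni's parser or rule code: it evaluates a PAN-OS WildFire dynamic-update schedule against the "Every minute" plus "download-and-install" best practice and reports why a schedule fails. It assumes the schedule is read from the firewall's configuration XML (as returned by the PAN-OS API) and sits under deviceconfig/system/update-schedule/wildfire/recurring/<interval>/action, which is the layout of a PAN-OS configuration export; the three sample configurations are constructed for this example.

```python
# Added example (not Indeni's parser/rule code): evaluate a PAN-OS WildFire
# dynamic-update schedule against the "Every minute" + "download-and-install"
# best practice.
#
# Assumptions: the schedule comes from the firewall's configuration XML and
# lives under deviceconfig/system/update-schedule/wildfire/recurring/<interval>/action,
# the layout of a PAN-OS configuration export. Sample configs are constructed.
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

BEST_INTERVAL = "every-min"            # "Every minute" in the web UI
BEST_ACTION = "download-and-install"


@dataclass
class ScheduleFinding:
    compliant: bool
    interval: Optional[str]   # configured recurrence element, e.g. "every-min"
    action: Optional[str]     # configured action, e.g. "download-only"
    reason: str               # human-readable explanation for the alert text


def _wrap(schedule_xml: str) -> str:
    """Embed a <wildfire> schedule fragment in a minimal PAN-OS config tree."""
    return (
        '<config><devices><entry name="localhost.localdomain"><deviceconfig>'
        "<system><update-schedule>" + schedule_xml + "</update-schedule>"
        "</system></deviceconfig></entry></devices></config>"
    )


# Constructed sample configurations (not taken from a real device).
COMPLIANT_CONFIG = _wrap(
    "<wildfire><recurring><every-min>"
    "<action>download-and-install</action>"
    "</every-min></recurring></wildfire>"
)
DOWNLOAD_ONLY_CONFIG = _wrap(
    "<wildfire><recurring><every-15-mins>"
    "<action>download-only</action>"
    "</every-15-mins></recurring></wildfire>"
)
DISABLED_CONFIG = _wrap("<wildfire><recurring><none/></recurring></wildfire>")


def evaluate_wildfire_schedule(config_xml: str) -> ScheduleFinding:
    """Return a finding saying whether the WildFire schedule follows best practice."""
    root = ET.fromstring(config_xml)
    recurring = root.find(".//update-schedule/wildfire/recurring")
    if recurring is None or len(recurring) == 0:
        return ScheduleFinding(False, None, None, "no WildFire update schedule configured")

    # PAN-OS stores the chosen recurrence as a single child element whose tag
    # names the interval; the action is a child of that element.
    interval_el = recurring[0]
    interval = interval_el.tag
    if interval == "none":
        return ScheduleFinding(False, interval, None, "WildFire updates are disabled")

    action_el = interval_el.find("action")
    action = action_el.text.strip() if action_el is not None and action_el.text else None

    problems = []
    if interval != BEST_INTERVAL:
        problems.append(f"recurrence is {interval!r}, expected {BEST_INTERVAL!r}")
    if action != BEST_ACTION:
        problems.append(f"action is {action!r}, expected {BEST_ACTION!r}")
    if problems:
        return ScheduleFinding(False, interval, action, "; ".join(problems))
    return ScheduleFinding(True, interval, action, "schedule follows best practice")


if __name__ == "__main__":
    for name, cfg in [("compliant", COMPLIANT_CONFIG),
                      ("download-only", DOWNLOAD_ONLY_CONFIG),
                      ("disabled", DISABLED_CONFIG)]:
        finding = evaluate_wildfire_schedule(cfg)
        status = "OK  " if finding.compliant else "WARN"
        print(f"{status} {name}: {finding.reason}")
```

Against a live firewall the XML would come from the PAN-OS API (a `type=config&action=show` request with an xpath ending in `update-schedule/wildfire` is the call this example assumes); the finding's `reason` field is what an alert or ticket would carry, so a "download-only" action and a 15-minute recurrence are reported as two separate deviations rather than one generic failure.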

Without Indeni how would you find this?
Log in to the device’s web interface and click on “Device” -> “Dynamic Updates”.

panos-wf-update-schedule

Parser source: https://bitbucket.org/indeni/indeni-knowledge/src/master/parsers/src/panw/panos/panos-wf-update-schedule/panos-wf-update-schedule.ind.yaml

PanosWfUpdateScheduleRule

// Deprecation warning : Scala template-based rules are deprecated. Please use YAML format rules instead.

package com.indeni.server.rules.library.templatebased.paloaltonetworks

import com.indeni.server.rules.RuleContext
import com.indeni.server.rules.library.templates.StateDownTemplateRule
import com.indeni.server.sensor.models.managementprocess.alerts.dto.AlertSeverity
/**
  * Template-based rule built on StateDownTemplateRule: it raises a WARN alert
  * when the "panos-wf-update-schedule" metric reports that the WildFire
  * dynamic update schedule does not follow the recommended
  * "Every minute" / "download-and-install" configuration.
  */
case class PanosWfUpdateScheduleRule() extends StateDownTemplateRule(
  ruleName = "PanosWfUpdateScheduleRule",
  ruleFriendlyName = "Palo Alto Networks Firewalls: Wildfire content update schedule is not following best practices.",
  ruleDescription = "Indeni will alert if the update schedule for Wildfire is not following best practices.",
  severity = AlertSeverity.WARN,
  metricName = "panos-wf-update-schedule",
  alertDescription = "Wildfire content provides the appliance with threat intelligence to facilitate accurate malware detection, improve appliance capability to differentiate malicious samples from benign samples, and ensure that the appliance has the most recent information needed to generate signatures.",
  baseRemediationText = "Ensure update recurrence is set to \"Every minute\" AND update action is set to \"download-and-install\".")()