topic Re: Query -> Data Center Best Practice Antivirus Profile in Advanced Threat Prevention Discussions

Query -> Data Center Best Practice Antivirus Profile

ash83 — Mon, 20 Aug 2018 13:49:38 GMT

Hi Community.

The below article states that "The Antivirus profile has decoders that detect and prevent viruses and malware from being transferred over six protocols: HTTP, SMTP, IMAP, POP3, FTP, and SMB":

https://www.paloaltonetworks.com/documentation/81/best-practices/best-practices-data-center/data-center-best-practice-security-policy/how-to-create-data-center-best-practice-security-profiles/create-the-data-center-best-practice-antivirus-profile

A bit further down in the same article, the following can be read: "The reason to attach the best practice Antivirus profile to all security policy rules that allow traffic is to block known malicious files (malware, ransomware bots, and viruses) as they attempt to enter the network. "

Why would AV be enabled for ALL security policies that allow traffic, if it only has decoders for 6 protocols?

For instance, why would AV be enabled for a security policy using app=FTP, if AV does not have a decoder for this app=FTP?

Thanks.

Re: Query -> Data Center Best Practice Antivirus Profile

mivaldi — Mon, 20 Aug 2018 18:28:26 GMT

AV enforcement is per-protocol, and WF signatures are also configured separately per-protocol in the Antivirus profile.

AV will process for Security Policies configured to use it.

Answering your question: "Why would AV be enabled for a security policy using app=FTP, if AV does not have a decoder for this app=FTP?" ... AV would not be enabled for FTP traffic matching the security policy if the associated AV profile is not set to enfoce AV signatures for the ftp protocol.

Re: Query -> Data Center Best Practice Antivirus Profile

ash83 — Tue, 21 Aug 2018 08:41:43 GMT

Thanks Mivaldi.

1) AV enforcement is per-protocol -> I assume this is only for the following 6 protocols, right? From the admin guide:

"The Antivirus profile has decoders that detect and prevent viruses and malware from being transferred over six protocols: HTTP, SMTP, IMAP, POP3, FTP, and SMB"

2) If the above is correct, what is the below parragraph referring to, if there are only 6 decoders for AV? Why does the admin guide state that AV should be enabled "to all security policy rules that allow traffic", if there are only decoders for HTTP, SMTP, IMAP, POP3, FTP, and SMB?:

"The reason to attach the best practice Antivirus profile to all security policy rules that allow traffic is to block known malicious files (malware, ransomware bots, and viruses) as they attempt to enter the network."

3) What would be the use case of enabling AV in a security policy for an app that is not HTTP, SMTP, IMAP, POP3, FTP, and SMB, if AV does not have a decoder for it?

Thanks.

Re: Query -> Data Center Best Practice Antivirus Profile

ash83 — Tue, 28 Aug 2018 08:46:32 GMT

Can anyone with experience on this assist with this query? Thanks.

Re: Query -> Data Center Best Practice Antivirus Profile

bvandivier — Tue, 28 Aug 2018 15:42:09 GMT

Ash83, we have the following Antivirus decoders (see picture below). If a security policy rule is not permitting http, smtp, imap, pop3, ftp, or smb traffic then there is no value in inspecting traffic using an Antivirus decoder. You've pretty much answered your own question. There is no harm in applying an AV Security Profile to a security policy rule that is not processing http, smtp, imap, pop3, ftp, or smb traffic as the decoder will never engage to inspect traffic if the traffic does not match one of these applications.

Re: Query -> Data Center Best Practice Antivirus Profile

ash83 — Tue, 04 Sep 2018 12:55:24 GMT

Thanks bvandivier 🙂

Think it would be useful to update the admin guide, from the current "AV should be enabled "to all security policy rules that allow traffic", to "AV should be enabled to all security policy rules that allow traffic for Apps: HTTP, SMTP, IMAP, POP3, FTP, and SMB"

Cheers.

Re: Query -> Data Center Best Practice Antivirus Profile

mivaldi — Tue, 04 Sep 2018 17:35:18 GMT

You are mixing up 'applications' with 'protocols'.

For example, we have multiple apps that are not named web-browsing, that use the HTTP protocol and for which we can provide AV scanning.

To give you an example, when you say "AV should be enabled to all security policy rules that allow traffic for Apps: HTTP, SMTP, IMAP, POP3, FTP, and SMB", you are saying that HTTP is an app, and that is incorrect. We do not have an http app, the app is web-browsing.

This mixup is common with customers as well. If we documented "AV should be enabled to all security policy rules that allow traffic which use decoders: HTTP, SMTP, IMAP, POP3, FTP, and SMB", then that would be accurate, but would create a lot of confussion. You would be asking customers to be able to know which apps use which decoders.

Re: Query -> Data Center Best Practice Antivirus Profile

ash83 — Thu, 06 Sep 2018 16:05:56 GMT

Thanks Mivaldi, great explanation.

I would personally prefer the admin guide to be as accurate as possible, to avoid any possible missunderstandings, and see the following sentence (as per your previous update): "AV should be enabled to all security policy rules that allow traffic which use decoders: HTTP, SMTP, IMAP, POP3, FTP, and SMB"

In order to complement that, and to have a complete picture, we (firewall admins) should ideally be also be able to see which decoder(s) is/are use per App. I do not think this is an option at the moment. I have not been able to find this information on applipedia. Is this information available somewhere else?

Thanks.