https://live.paloaltonetworks.com/t5/general-topics/default-antivirus-profiles-on-a-quot-deny-quot-policy/m-p/18394#M13423 <HTML><HEAD></HEAD><BODY><P>Hello Chris,</P><P></P><P>The "default-profile" contains all recommended settings on it.&nbsp; Hence, it is advisable to attach that profile with a deny policy. So, even if the packet is getting dropped <SPAN class="GINGER_SOFTWARE_mark">( </SPAN>not matching with any existing policy), you will have more granular visibility of what type of traffic heading towards your firewall <SPAN class="GINGER_SOFTWARE_mark">i.e</SPAN> malicious, threat etc.</P><P></P><P>Hope this helps.</P><P></P><P>Thanks</P></BODY></HTML> Thu, 28 Aug 2014 17:40:37 GMT HULK 2014-08-28T17:40:37Z https://live.paloaltonetworks.com/t5/general-topics/default-antivirus-profiles-on-a-quot-deny-quot-policy/m-p/18392#M13421 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>What does it mean to attach the "default antivirus profile" to a deny policy?&nbsp; Does that mean that traffic matching that rule will be both denied and scanned for viruses?&nbsp; (I have the same question for the other profiles too).</P><P></P><P>Thank you,</P><P></P><P>Chris</P></BODY></HTML> Thu, 28 Aug 2014 17:12:08 GMT https://live.paloaltonetworks.com/t5/general-topics/default-antivirus-profiles-on-a-quot-deny-quot-policy/m-p/18392#M13421 cstech 2014-08-28T17:12:08Z https://live.paloaltonetworks.com/t5/general-topics/default-antivirus-profiles-on-a-quot-deny-quot-policy/m-p/18393#M13422 <HTML><HEAD></HEAD><BODY><P>Hi Chris,</P><P></P><P>Lets say if "AV Profile" is in place with deny policy, than few/one packet will be matched to deny policy before last packet drop by policy and all those packets will be scanned for virus/vulnerability. Its safer.</P><P></P><P>However most likely 16 packets will be scanned for AV, because after that firewall will identify application and either allow or drop it.</P><P></P><P>Bottom line is its safer.</P><P></P><P>Regards,</P><P>Hardik Shah</P></BODY></HTML> Thu, 28 Aug 2014 17:16:09 GMT https://live.paloaltonetworks.com/t5/general-topics/default-antivirus-profiles-on-a-quot-deny-quot-policy/m-p/18393#M13422 hshah 2014-08-28T17:16:09Z https://live.paloaltonetworks.com/t5/general-topics/default-antivirus-profiles-on-a-quot-deny-quot-policy/m-p/18394#M13423 <HTML><HEAD></HEAD><BODY><P>Hello Chris,</P><P></P><P>The "default-profile" contains all recommended settings on it.&nbsp; Hence, it is advisable to attach that profile with a deny policy. So, even if the packet is getting dropped <SPAN class="GINGER_SOFTWARE_mark">( </SPAN>not matching with any existing policy), you will have more granular visibility of what type of traffic heading towards your firewall <SPAN class="GINGER_SOFTWARE_mark">i.e</SPAN> malicious, threat etc.</P><P></P><P>Hope this helps.</P><P></P><P>Thanks</P></BODY></HTML> Thu, 28 Aug 2014 17:40:37 GMT https://live.paloaltonetworks.com/t5/general-topics/default-antivirus-profiles-on-a-quot-deny-quot-policy/m-p/18394#M13423 HULK 2014-08-28T17:40:37Z https://live.paloaltonetworks.com/t5/general-topics/default-antivirus-profiles-on-a-quot-deny-quot-policy/m-p/18395#M13424 <HTML><HEAD></HEAD><BODY><P>Hello Chris,</P><P></P><P>If you want to block traffic from zone A to zone B and you have configured the security rule to block this traffic, lets say the first packet comes from zone A, we do a route lookup and find the destination zone to be zone B. You will then do a policy lookup and see that there is a policy match. But since the action is set to "deny", the packet is dropped immediately. Firewall will only inspect the traffic if the policy it matched has action set to "allow". Hope this helps.</P><P></P><P>Thanks</P></BODY></HTML> Thu, 28 Aug 2014 18:07:04 GMT https://live.paloaltonetworks.com/t5/general-topics/default-antivirus-profiles-on-a-quot-deny-quot-policy/m-p/18395#M13424 tshiv 2014-08-28T18:07:04Z https://live.paloaltonetworks.com/t5/general-topics/default-antivirus-profiles-on-a-quot-deny-quot-policy/m-p/18396#M13425 <HTML><HEAD></HEAD><BODY><P>Hi Tsiv,</P><P></P><P>Some times Deny is configured with application, Lets say facebook is blocked between Zone A to Zone B.</P><P></P><P>Now policy will alow atleast 16 packets to identify as a facebook and than drop it.</P><P></P><P>Now there are two scenarios.</P><P>1. No AV Profile : Then this 16 packets are not scanned.</P><P>2. With AV Profile : These 16 packets are scanned to check any threat.</P><P></P><P>Bottom line is its not always a plain drop.</P><P></P><P>Regards,</P><P>Hardik Shah</P></BODY></HTML> Thu, 28 Aug 2014 18:10:28 GMT https://live.paloaltonetworks.com/t5/general-topics/default-antivirus-profiles-on-a-quot-deny-quot-policy/m-p/18396#M13425 hshah 2014-08-28T18:10:28Z https://live.paloaltonetworks.com/t5/general-topics/default-antivirus-profiles-on-a-quot-deny-quot-policy/m-p/18397#M13426 <HTML><HEAD></HEAD><BODY><P>Hello hshah,</P><P></P><P>Your understanding is not correct. Flow basic clearly shows that If the action associated with the policy is "deny", we won't even install the session for inspection to happen. We just record a discard log saying that the traffic is dropped.</P><P>Hope this helps.</P><P></P><P>Thanks</P></BODY></HTML> Thu, 28 Aug 2014 18:25:34 GMT https://live.paloaltonetworks.com/t5/general-topics/default-antivirus-profiles-on-a-quot-deny-quot-policy/m-p/18397#M13426 tshiv 2014-08-28T18:25:34Z https://live.paloaltonetworks.com/t5/general-topics/default-antivirus-profiles-on-a-quot-deny-quot-policy/m-p/18398#M13427 <HTML><HEAD></HEAD><BODY><P>Hi Tshiv,</P><P></P><P>I think you are right, in that case there is no significance of profiles in deny rule.</P><P></P><P>Regards,</P><P>Hardik Shah</P></BODY></HTML> Thu, 28 Aug 2014 18:27:00 GMT https://live.paloaltonetworks.com/t5/general-topics/default-antivirus-profiles-on-a-quot-deny-quot-policy/m-p/18398#M13427 hshah 2014-08-28T18:27:00Z https://live.paloaltonetworks.com/t5/general-topics/default-antivirus-profiles-on-a-quot-deny-quot-policy/m-p/18399#M13428 <HTML><HEAD></HEAD><BODY><P>Correcting My initial update:</P><P></P><P><SPAN class="GINGER_SOFTWARE_mark">Tshiv</SPAN> <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://live.paloaltonetworks.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /> is absolutely correct, once the packet with match with a "deny" policy on SLOW-PATH packet processing, PAN firewall will discard that packet immediately <SPAN class="GINGER_SOFTWARE_mark">( </SPAN>before sending that packet for L-7 inspection). Hence, adding <SPAN class="GINGER_SOFTWARE_mark">a</SPAN> AV-profile will not make any sense. </P><P></P><P>Default deny policy is for logging all dropped packets on the firewall for more visibility, <SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">what traffic heading towards your firewall </SPAN> <SPAN class="GINGER_SOFTWARE_mark">( </SPAN>source IP, protocol, source-country <SPAN class="GINGER_SOFTWARE_mark">etc</SPAN>)</P><P></P><P>Thanks</P></BODY></HTML> Fri, 29 Aug 2014 21:19:52 GMT https://live.paloaltonetworks.com/t5/general-topics/default-antivirus-profiles-on-a-quot-deny-quot-policy/m-p/18399#M13428 HULK 2014-08-29T21:19:52Z