topic Re: Threat Prevention best practice ? in General Topics

Threat Prevention best practice ?

schmidt_th — Fri, 13 Feb 2015 08:26:54 GMT

Hi Commuity,

I'm looking for your tips and hints regarding TP best practices.

(hopefully this newbee question is not too bad :smileyconfused:)

Let me explain our setup:

As a first step to a new IT Security Infrastructure we are running a HA-pair of PA-3050 in an "IPS Mode" behind our current firewalls.

From configuration point of view it means that we have a set of virtual wires with "allow any / inspect all" rules.

The security profiles are currently copies of the "default" profiels for antivirus, anti-spyware and vulnerability protection.

Basically this works fine since we've started:

Only a few actions beside "alert" which had no impact on normal operations.

But what about the lots of "alerts"?

Do we need to reserch on each and every of them?

Shall we tune the rules?

Is the "default" setting still ok?

Or are you running more in "strict" mode?

Right now I'm a little bit confused. Which might be also related so some of the "not so perfect" AV and TP Updates of the last days.

Please help me to get out and to makes best use of our PAs.

Best Regrads

Thomas

Re: Threat Prevention best practice ?

pulukas — Sat, 14 Feb 2015 13:35:49 GMT

Welcome to PanOS. There is a good overview document on all the threat prevention features and standard deploys below. The general trade off between alert and block is the impact in your environment of false positives. Palo Alto is very conservative in terms of blocking potentially legitimate traffic and will set for an alert default. But as you see, these then require research to determine if this was a real threat or a false positive. Once you are confident they are not false positives you can migrate from alert to block and have less to research. You can make this determination signature by signature and build your own customized block to override each former alert. Likewise if you see the alerts are false you can change these signatures so that no alert is generated anymore for that signature.

Threat Prevention Deployment Tech Note

Re: Threat Prevention best practice ?

oklier — Mon, 16 Feb 2015 22:26:02 GMT

We have anything categorized as medium or higher to be blocked. We are looking at doing the same with low. I would not do Info since it will block legit requests.

Re: Threat Prevention best practice ?

schmidt_th — Thu, 19 Feb 2015 07:42:02 GMT

Hi Steven,

thank you for your warm welcome and especially for the link to the real good overview document.

By reading the document I've found that we've done a lot of things the right way - thanks to our consultant.

Additionally my understanding of the system has been improved with the document.

Nevertheless I guess that it needs even more experience with the system to feel real confident.

oklier has pointed out the interessting topic: How to move forward from the "default" setting without causing to much trouble for users and IT.

So more answers are appreciated. Maybe some other end users share their experience.

Best regards

Thomas

Re: Threat Prevention best practice ?

Dz3015 — Thu, 19 Feb 2015 16:46:19 GMT

Hello Thomas,

As per what Steven Puluka said, default protections are a good start. If you decided you want to be more strict in any area you will want to make sure you do a thorough analysis to make sure that you don't affect legitimate traffic. You could do this by running some custom reports on threats that are logging as alerts and then investigate that traffic and device that is being hit by those threats. If you have a specific threat you are concerned about that is not blocking, you can also report on that specific threat.