topic Re: When setting Strict Security Profile in General Topics

When setting Strict Security Profile

AdamCoombs — Fri, 01 Sep 2017 16:05:39 GMT

Good day everyone need help with verify some information about setting strict security profile.

We are wanting to set the all Security profile from default to strict to help contiune doing the best security practices recommend by palo alto. Also not wanting the logging in the threat montior to show traffic we already know is ok. So when we are monitoring threat logging it will only show issues we need to investigate.

After research seeing what will be affect by this change and know that you can add expections to so that strict profile setting should not stop the traffic from contiuning.

How do I verify that traffic is not being stop by the new strict security profile setting?

Thank you any help would be great

Re: When setting Strict Security Profile

Raido_Rattameister — Fri, 01 Sep 2017 17:45:52 GMT

Are you referring to limiting only specific applications or enabling threat prevention and looking for false positives?

Re: When setting Strict Security Profile

BPry — Fri, 01 Sep 2017 18:57:14 GMT

@AdamCoombs,

I think you're likely going to need to include a bit more information in what exactly you are looking to do. Are you talking about only allowing certain applications, upping your vulnerability profiles so that you specify actions other than default, tuning your Antivirus profile?

Re: When setting Strict Security Profile

AdamCoombs — Fri, 01 Sep 2017 20:51:20 GMT

Ok, here is the links from the palo alto

His one

https://live.paloaltonetworks.com/t5/tkb/articleprintpage/tkb-id/Management-TKB/article-id/866

How to Add Exempt IP Addresses from the Threat Monitor Logs

https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/policy/create-best-practice-security-profiles

search for Vulnerability Protection

The goal is to when we see something that is critical and high for severity it does just alert it, it stops it by the strict profile settings.

Hope this help make more sense,

Re: When setting Strict Security Profile

OtakarKlier — Fri, 01 Sep 2017 21:45:20 GMT

Hello,

You should be able to accomplish this with a Vulnerability Protection Profile. Objects->Security Profiles-> Vulnerability Protection.

Here I have the polciies to block the offending IP for 1 hour.

Once this is completed you need to add the profile to a Security Polcies to it will take affect. What I usually do is Set all the security Profiles I need and then Bundle ithem into a Security Profile Group, then just apply the group to the security Policy.

Hope that helps!

Cheers.

Re: When setting Strict Security Profile

reaper — Mon, 04 Sep 2017 08:41:34 GMT

this maybe helpful in understanding (and optimizing) your security profiles:

(security profiles start at about 7:08)

Re: When setting Strict Security Profile

AdamCoombs — Tue, 05 Sep 2017 17:46:26 GMT

Sorry for the late reply

When you use policy that is blocking offending IP for a hour, can you still see the traffic in the Threat monitor logs ?

Re: When setting Strict Security Profile

OtakarKlier — Tue, 05 Sep 2017 18:56:38 GMT

Hello,

While that response depends on the capacity of the PAN you have and how much traffic is flowing through it, I would honeslty say yes, I am most confident that the logs should be there.

Regards,

Re: When setting Strict Security Profile

AdamCoombs — Wed, 06 Sep 2017 14:14:27 GMT

Thank you Otakar.klier

Is there a way to make those expections not show up in the monitor threat logs?

Re: When setting Strict Security Profile

OtakarKlier — Wed, 06 Sep 2017 14:23:03 GMT

Hello,

Maybe someone else has a better way. However what I thought up was to create two Vulnerability policies and two traffic policies. In the first policy you would have traffic that you don’t want logged, i.e. informational or low, etc. and you set the security policy not to log the traffic. The second policy would have the more strict Vulnerability policy and that Security policy would be set to log at session end.

Not sure you would want to do this since you might lose good information when it some to the traffic logs.

Regards,

Re: When setting Strict Security Profile

AdamCoombs — Wed, 06 Sep 2017 14:31:07 GMT

Well, sorry I will explain more on why I would not want to see the traffic that is high that I add execptions listed after change the security profile and setting that security profile to a group profile.

There is traffic that is showing in the monitor threat area as high, I know this traffic is required for business to run plus it the traffic is going cross zone.

I was thinking it would be better when I am monitor threat logs to see traffic that I need to do research in to make sure that is business approved traffic. Also it will clean up a lot of traffic that is not need to be seen in my thinking.

Re: When setting Strict Security Profile

OtakarKlier — Wed, 06 Sep 2017 14:52:45 GMT

Another thought could be to just let the PAN log everything and then filter the view to only things you want to see?

Re: When setting Strict Security Profile

jvalentine — Wed, 06 Sep 2017 15:51:28 GMT

For traffic logs, I usually recommend to "log at session end" for all of the security policies, and then filter out what you don't want to see. This can be accomplished in the ACC as well as the raw logs. One way is to do it by rule name:

This shows you traffic and threats, except for those you specifically filter out in the list. Once you find a view that you like, you can create your own custom ACC tab and have those filters pre-populated.

You can do similar things in the traffic, threat, and unified logs with a query like:

(rule neq 'allow to services') and (rule neq 'allow untrust to untrust')

One benefit to this approach is that you still have logs for all of the events, but you're only shown the ones you're interested in.

You're aware of the "log at session start" and "log at session end" options. That governs how traffic is logged for each individual security policy. If, for example, you have an internal application that generates way too many logs and you need to reduce the # of logs being written to disk (to increase log retention time for other traffic logs), then your next option is to not log any traffic through this particular security policy rule.

Afaik, this only affects "traffic logs" (aka traditional firewall logs). You'll still have URL logs, Threat logs, Data Filtering logs, etc. if applicable.

If your goal is to reduce logging for certain threat signatures, that can be done on a case-by-case basis by using security profile "exceptions". Let's say you had a network monitoring server that initatiates SSH sessions to network equipment all throughout your environment and it was generating too many "SSH2 Login Attempt" information alerts in your threat logs. You could add an exception to that profile by a.) enabling the exception, and b.) adding the IP address (source or destination). This action will disable that signature for traffic inspected by this specific profile and to/from the listed IP address.

Hopefully that gives you enough information to accomplish your goals. If not, let us know in more detail what you're trying to accomplish, what you see and what you'd like to see, and we'll figure it out.

Re: When setting Strict Security Profile

AdamCoombs — Thu, 07 Sep 2017 17:53:13 GMT

Hey jvalentine

I do not use the ACC much, maybe I should look into that more.
This seems to me to answer my questions about logging
.

With the help of Otakar.kKlier on knowing how the security profile will affect as well what i will still see in logging so be a enough to get this going

Re: When setting Strict Security Profile

BPry — Thu, 07 Sep 2017 19:16:50 GMT

@AdamCoombs,

I would highly recommend getting to know your way around the ACC. It's an astounding resource when you know how to use it properly and filter to what you actually want to see.

Re: When setting Strict Security Profile

AdamCoombs — Thu, 07 Sep 2017 19:25:21 GMT

Thank you BPry

Can you recommend documentation for 7.1 or videos please

Adam

Re: When setting Strict Security Profile

BPry — Fri, 08 Sep 2017 14:50:37 GMT

@AdamCoombs

The following link is a pretty good starting point in how to use the ACC and what exactly it is/isn't able to accomplish.

https://www.paloaltonetworks.com/documentation/71/pan-os/web-interface-help/acc

Re: When setting Strict Security Profile

AdamCoombs — Fri, 08 Sep 2017 15:01:20 GMT

Thank you BPry

I started to look at the ACC yesterday

I do like the option of jumping to logging with all the commands there