https://live.paloaltonetworks.com/t5/general-topics/how-vulnerability-profiles-work/m-p/181501#M56055 <P>Security policies are evaluated top to down.&nbsp;</P><P>First policy that matches traffic will be used to either allow or deny traffic.</P><P>If traffic is denied/dropped then no other policy is checked.</P><P>&nbsp;</P><P>Security profiles are checked only if security policy permitted traffic. So yes you need to add all profiles to all security policies with "Allow" action.</P><P>&nbsp;</P><P>AppID can change during single session (incomplete &gt; web-browsing &gt; sharepoint-base &gt; sharepoint-admin etc) so single session can match to different security policies but only one policy at the time.</P> Thu, 12 Oct 2017 14:19:48 GMT Raido_Rattameister 2017-10-12T14:19:48Z https://live.paloaltonetworks.com/t5/general-topics/how-vulnerability-profiles-work/m-p/180599#M55887 <P>Hi Guys,</P><P>Please need your supprt in understanding how&nbsp; vulnerability profiles work or in general how security profiles work.</P><P>I have done a lot of studying in this regard and all they say is that it works on the basis of signatures.Below is my understanding.</P><P>&nbsp;</P><P>Signatures:Its like any specific pattern or a behaviour in the traffic ,payload etc,please correct me if i am wrong.</P><P>&nbsp;</P><P>So if the PA sees any such it will apply the rules defined in the security profile,is this&nbsp; correct..?</P><P>&nbsp;</P><P>In addition how to understand the client/server critical etc.</P><P>&nbsp;</P><P>Thanks</P> Fri, 06 Oct 2017 19:27:51 GMT https://live.paloaltonetworks.com/t5/general-topics/how-vulnerability-profiles-work/m-p/180599#M55887 mahmoodm 2017-10-06T19:27:51Z https://live.paloaltonetworks.com/t5/general-topics/how-vulnerability-profiles-work/m-p/180823#M55915 <P>Hi Guys,</P> Mon, 09 Oct 2017 14:14:58 GMT https://live.paloaltonetworks.com/t5/general-topics/how-vulnerability-profiles-work/m-p/180823#M55915 mahmoodm 2017-10-09T14:14:58Z https://live.paloaltonetworks.com/t5/general-topics/how-vulnerability-profiles-work/m-p/180937#M55950 <P>hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/73281">@mahmoodm</a></P> <P>&nbsp;</P> <P>yes, signatures are used to identify threats. a signature is a specifc patern in a packet or series of packets</P> <P>&nbsp;</P> <P>first off a session needs to match a specific security policy before it can match a security profile</P> <P>&nbsp;</P> <P>so for example you have a client making an http connection out to a webserver and matches your browsing policy</P> <P>if this policy contains security profiles, these will be active throughout the session and scan for suspicious packets/payload/signatures</P> <P>&nbsp;</P> <P>if the client tries to send a malicious payload, like for example a header overflow, that is intended to crash the webbrowser, this will be the 'server' host (because the server is being attacked)</P> <P>if the server tries to send something malicous to the client to try and run scripts on the client (cross site scripting), this is the 'client' host</P> <P>&nbsp;</P> <P>vulnerability is determined based on the potential impact of a threat</P> <P>informational, low and medium are usually threats that have very limited impact or a patch has been made available for a long time already, high and critical are dangerous and could cause serious harm to your systems</P> Tue, 10 Oct 2017 07:10:32 GMT https://live.paloaltonetworks.com/t5/general-topics/how-vulnerability-profiles-work/m-p/180937#M55950 reaper 2017-10-10T07:10:32Z https://live.paloaltonetworks.com/t5/general-topics/how-vulnerability-profiles-work/m-p/181026#M55965 <P>Hi reaper,</P><P>&nbsp;</P><P>Thanks for the response and it clears most of the doubts.</P><P>Please can you explain whether the file blocking profiles work the same way i.e the session is scanned for all the traffic to look for signatures of the files which are to be blocked/allowed etc..?</P><P>&nbsp;</P><P>And one more confusion is that why do we need to have both the wildfire and file blocking profile applied to the same security rule while if we define the file blocking profile to block certain files then why would we want them to be send to wildfire for analysis.</P><P>&nbsp;</P><P>Thanks</P> Tue, 10 Oct 2017 06:31:34 GMT https://live.paloaltonetworks.com/t5/general-topics/how-vulnerability-profiles-work/m-p/181026#M55965 mahmoodm 2017-10-10T06:31:34Z https://live.paloaltonetworks.com/t5/general-topics/how-vulnerability-profiles-work/m-p/181040#M55968 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/73281">@mahmoodm</a></P> <P>&nbsp;</P> <P>Yes, the fileblocking profiles work mostly the same way by verifying payload (threat looks at the entire session while fileblocking is only interested in payload) for and looking if a specific type of file is being transferred. It looks at the type of file, and not just the extention (so hiding an .exe by changing extention to .txt does not work)</P> <P>&nbsp;</P> <P>wildfire will only send allowed files out for analysis, so if you block PE files, these will not be forwarded.</P> <P>- if a file is blocked it will cut off the tcp session early on and the 'rest' (payload) of the file will not be received, rendering the file unuseable for forwarding</P> Tue, 10 Oct 2017 07:20:15 GMT https://live.paloaltonetworks.com/t5/general-topics/how-vulnerability-profiles-work/m-p/181040#M55968 reaper 2017-10-10T07:20:15Z https://live.paloaltonetworks.com/t5/general-topics/how-vulnerability-profiles-work/m-p/181138#M55976 <P>Hi,</P><P>Thanks a lot for great clarification.</P><P>&nbsp;</P><P>So is it recommended to have the wildfire profile and file blocking profile on the same security rule or what is the best practice.</P><P>&nbsp;</P><P>Or we need to segregate the rules for separate profiles.</P><P>&nbsp;</P><P>Thanks</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 10 Oct 2017 19:23:05 GMT https://live.paloaltonetworks.com/t5/general-topics/how-vulnerability-profiles-work/m-p/181138#M55976 mahmoodm 2017-10-10T19:23:05Z https://live.paloaltonetworks.com/t5/general-topics/how-vulnerability-profiles-work/m-p/181501#M56055 <P>Security policies are evaluated top to down.&nbsp;</P><P>First policy that matches traffic will be used to either allow or deny traffic.</P><P>If traffic is denied/dropped then no other policy is checked.</P><P>&nbsp;</P><P>Security profiles are checked only if security policy permitted traffic. So yes you need to add all profiles to all security policies with "Allow" action.</P><P>&nbsp;</P><P>AppID can change during single session (incomplete &gt; web-browsing &gt; sharepoint-base &gt; sharepoint-admin etc) so single session can match to different security policies but only one policy at the time.</P> Thu, 12 Oct 2017 14:19:48 GMT https://live.paloaltonetworks.com/t5/general-topics/how-vulnerability-profiles-work/m-p/181501#M56055 Raido_Rattameister 2017-10-12T14:19:48Z