https://live.paloaltonetworks.com/t5/general-topics/vulnerability-protection-inbound-traffic-to-dmz-servers/m-p/10317#M7589 <HTML><HEAD></HEAD><BODY><P></P><P>&gt;Does the Vulnerability Protection Profile provide any benefit to inbound traffic from the Internet to servers on the DMZ? Is it more for web</P><P></P><P>Yes, we do. I think you are referring to "server-side" attacks. You can look for our protection against server attacks by either searching through signatures in "threat name" field on 'custom' vulnerability profile e.g. you can enter 'apache' and it will show you what apache related signatures we have, or to see a list of all server-side signatures, you can filter on host = server. </P><P></P><P>&gt;protection from users going outbound to browse the web and not so much from outside sources accessing servers.&nbsp; For example will the</P><P></P><P>These are client-side attacks... coverage for these can be found by filtering on host&nbsp; = client.</P><P></P><P>&gt;Vuln Pro signature block a SQL injection attack against a DMZ server or an Apache vuln exploit attempt?&nbsp; Or would it even provide any &gt;protection to the DMZ server for plain HTTP connection attacks?&nbsp; Thanks!</P><P></P><P>For HTTP connection attacks, zone protection profile can be used that limit the number of TCP connections. </P><P></P><P>Let me know if you have further questions,</P><P></P><P>Thanks,<BR />Sandeep </P></BODY></HTML> Thu, 21 Oct 2010 23:30:58 GMT migration 2010-10-21T23:30:58Z https://live.paloaltonetworks.com/t5/general-topics/vulnerability-protection-inbound-traffic-to-dmz-servers/m-p/10313#M7585 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P>Does the Vulnerability Protection Profile provide any benefit to inbound traffic from the Internet to servers on the DMZ? Is it more for web protection from users going outbound to browse the web and not so much from outside sources accessing servers.&nbsp; For example will the Vuln Pro signature block a SQL injection attack against a DMZ server or an Apache vuln exploit attempt?&nbsp; Or would it even provide any protection to the DMZ server for plain HTTP connection attacks?&nbsp; Thanks!</P><P></P><P>Mike</P></BODY></HTML> Tue, 19 Oct 2010 14:58:32 GMT https://live.paloaltonetworks.com/t5/general-topics/vulnerability-protection-inbound-traffic-to-dmz-servers/m-p/10313#M7585 MGoodnow 2010-10-19T14:58:32Z https://live.paloaltonetworks.com/t5/general-topics/vulnerability-protection-inbound-traffic-to-dmz-servers/m-p/10314#M7586 <HTML><HEAD></HEAD><BODY><P>Zone protection is mostly for setting traffic limits and thresholds.</P><P></P><P>Syn flood:</P><P>Alert threshold&nbsp; =&nbsp; X Packets Per Second</P><P>Activate threshold = PPS</P><P>Action =&nbsp; Random drop or SYN Cookie</P><P></P><P>ICMP flood</P><P>Alert Threshod = PPS</P><P>Activate threshold = PPS</P><P></P><P>UDP and Other IP flood, same as ICMP flood.</P><P></P><P>It also allows Port scan and IP scan thresholds to stop dropping packets after X scans in Y seconds.</P><P></P><P>Zone protection does not detect coss site scripting or SQL injection or any HTTP based attacks.</P><P></P><P>Steve Krall</P></BODY></HTML> Thu, 21 Oct 2010 00:26:19 GMT https://live.paloaltonetworks.com/t5/general-topics/vulnerability-protection-inbound-traffic-to-dmz-servers/m-p/10314#M7586 pantac 2010-10-21T00:26:19Z https://live.paloaltonetworks.com/t5/general-topics/vulnerability-protection-inbound-traffic-to-dmz-servers/m-p/10315#M7587 <HTML><HEAD></HEAD><BODY><P>I'm actually refering to applying a Vulnerability Protection Profile to say inbound http/https traffic to a server on the DMZ.&nbsp; Not Zone Protection.&nbsp; Similiar to how we setup a Profile for outbound web browsing.&nbsp; Would that inbound Profile offer any protection inbound to our DMZ server from becoming comprimised? Thanks!</P><P></P><P>Mike</P></BODY></HTML> Thu, 21 Oct 2010 13:03:44 GMT https://live.paloaltonetworks.com/t5/general-topics/vulnerability-protection-inbound-traffic-to-dmz-servers/m-p/10315#M7587 MGoodnow 2010-10-21T13:03:44Z https://live.paloaltonetworks.com/t5/general-topics/vulnerability-protection-inbound-traffic-to-dmz-servers/m-p/10316#M7588 <HTML><HEAD></HEAD><BODY><P>I apologize for the misunderstanding.</P><P>Yes, Adding a vulnerability protection profile to a Security Policy rule that protects a DMZ is a good idea. If you would like to see some of the actual vulnerabilities do the following.</P><P></P><P>Click the OBJECTS tab</P><P>Click VULNERABILITY PROTECTION on the left edge tree.</P><P>Click NEW to create a new profile.</P><P>Change the "Rule Type" from "Simple"&nbsp; to "custom".</P><P></P><P>All of the threats have the following fields associated.</P><P>- ID (Paloalto threat ID)</P><P>- Name</P><P>- CVE&nbsp; (CVE-year-4digits)</P><P>- Host (client or server)</P><P>- Catagory (Overflow, Code-execution, dos, others)</P><P>- Severity&nbsp; (low, med, high, critical)</P><P>- Action (Alert, reset-client, reset-both)</P><P></P><P>Steve Krall</P></BODY></HTML> Thu, 21 Oct 2010 18:36:33 GMT https://live.paloaltonetworks.com/t5/general-topics/vulnerability-protection-inbound-traffic-to-dmz-servers/m-p/10316#M7588 skrall 2010-10-21T18:36:33Z https://live.paloaltonetworks.com/t5/general-topics/vulnerability-protection-inbound-traffic-to-dmz-servers/m-p/10317#M7589 <HTML><HEAD></HEAD><BODY><P></P><P>&gt;Does the Vulnerability Protection Profile provide any benefit to inbound traffic from the Internet to servers on the DMZ? Is it more for web</P><P></P><P>Yes, we do. I think you are referring to "server-side" attacks. You can look for our protection against server attacks by either searching through signatures in "threat name" field on 'custom' vulnerability profile e.g. you can enter 'apache' and it will show you what apache related signatures we have, or to see a list of all server-side signatures, you can filter on host = server. </P><P></P><P>&gt;protection from users going outbound to browse the web and not so much from outside sources accessing servers.&nbsp; For example will the</P><P></P><P>These are client-side attacks... coverage for these can be found by filtering on host&nbsp; = client.</P><P></P><P>&gt;Vuln Pro signature block a SQL injection attack against a DMZ server or an Apache vuln exploit attempt?&nbsp; Or would it even provide any &gt;protection to the DMZ server for plain HTTP connection attacks?&nbsp; Thanks!</P><P></P><P>For HTTP connection attacks, zone protection profile can be used that limit the number of TCP connections. </P><P></P><P>Let me know if you have further questions,</P><P></P><P>Thanks,<BR />Sandeep </P></BODY></HTML> Thu, 21 Oct 2010 23:30:58 GMT https://live.paloaltonetworks.com/t5/general-topics/vulnerability-protection-inbound-traffic-to-dmz-servers/m-p/10317#M7589 migration 2010-10-21T23:30:58Z https://live.paloaltonetworks.com/t5/general-topics/vulnerability-protection-inbound-traffic-to-dmz-servers/m-p/10318#M7590 <HTML><HEAD></HEAD><BODY><P>Thank you very much for the information.&nbsp; Very helpful and I will put the protection in place.&nbsp; I should of added this to the initial inquiry.&nbsp; How about AV protection? I would assume adding an AV profile to a DMZ server inbound - would provide no additional benefit (based on how AV scanning acts)?</P><P><BR />Cheers,</P><P></P><P>Mike</P></BODY></HTML> Fri, 22 Oct 2010 15:27:09 GMT https://live.paloaltonetworks.com/t5/general-topics/vulnerability-protection-inbound-traffic-to-dmz-servers/m-p/10318#M7590 MGoodnow 2010-10-22T15:27:09Z https://live.paloaltonetworks.com/t5/general-topics/vulnerability-protection-inbound-traffic-to-dmz-servers/m-p/10319#M7591 <HTML><HEAD></HEAD><BODY><P></P><P>&gt;Thank you very much for the information.&nbsp; Very helpful and I will put the protection in place.&nbsp; I should of added this to the initial inquiry. &gt;How about AV protection? I would assume adding an AV profile to a DMZ server inbound - would provide no additional benefit (based</P><P></P><P>It may... if your DMZ servers are allowing file upload or download (e.g., through HTTP, FTP etc.) then having A/V protection would be useful.</P><P></P><P>Thanks,<BR />Sandeep</P><P></P><P>&gt;on how AV scanning acts)?</P><P><BR />&gt;Cheers,</P><P></P><P>&gt;Mike</P></BODY></HTML> Fri, 22 Oct 2010 16:42:32 GMT https://live.paloaltonetworks.com/t5/general-topics/vulnerability-protection-inbound-traffic-to-dmz-servers/m-p/10319#M7591 migration 2010-10-22T16:42:32Z