https://live.paloaltonetworks.com/t5/general-topics/best-practices-query-for-security-settings/m-p/360011#M88042 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/27580">@OtakarKlier</a>&nbsp; Thanks . this will certainly help</P><P>&nbsp;</P><P>Regarding points such as Threat prevention and Wildfire :&nbsp;</P><P>&nbsp;</P><P>For eg : There is a rule from a User zone to Printer zone : Does it make sense to enable Threat and Wildfire .</P><P>&nbsp;</P><P>I mean doesnot it cause more process utilization ? I am just asking from functionality point of view .</P><P>&nbsp;</P><P>The other points for URL , APP ID and SSL Decryption is understandable .</P> Fri, 30 Oct 2020 20:51:02 GMT FWPalolearner 2020-10-30T20:51:02Z https://live.paloaltonetworks.com/t5/general-topics/best-practices-query-for-security-settings/m-p/359883#M88024 <P>Hi ,</P><P>&nbsp;</P><P>I have a customer who has Threat prevention , AV, Wildfire ,licesne</P><P>&nbsp;</P><P>The Network is divided into various Security Zones - like Users , Printers, Voip , Front end servers , Backend Servers , there are around 15 zones</P><P>&nbsp;</P><P>Now we have the BPA report and a lot in terms of APP ID and Service needs to be fixed</P><P>&nbsp;</P><P>Customer wants a kind of matrix as a Industry Best Practice about from which zone to which zone below needs to be enabled</P><P>URL Filtering</P><P>Threat Prevention- AV, Antispyware</P><P>Malware Anlysis</P><P>SSL Decryption</P><P>&nbsp;</P><P>&nbsp;</P><P>Do we have any Best Pratice Matrix so that once we fix the rulebase to specific zones with APP ID , we have to be sure where to enable these security features</P> Fri, 30 Oct 2020 11:41:20 GMT https://live.paloaltonetworks.com/t5/general-topics/best-practices-query-for-security-settings/m-p/359883#M88024 FWPalolearner 2020-10-30T11:41:20Z https://live.paloaltonetworks.com/t5/general-topics/best-practices-query-for-security-settings/m-p/359926#M88037 <P>Hello,</P> <P>I like to have the following:</P> <P>URL filtering: only for outbound web traffic (not inbound or internal)</P> <P>Threat Prevention- AV, Antispyware:&nbsp; On all policies, if something breaks, add an exception for just hat one policy, i.e. a ssh brute for due to a monitoring solution, just create a special policy that ignores that and only for that traffic policy)</P> <P>Malware Anlysis: On all policies, same reasoning as above.</P> <P>SSL Decryption: Where practical, external traffic is a must, inbound and internal traffic at your discretion.&nbsp;</P> <P>&nbsp;</P> <P>In addition to this use policies that have Applications instead of Services(ports), where applicable. This will help as well. i.e. only DNS application traffic from your internal DNS servers and only to a public DNS server that is secure (such as OpenDNS, cloudflare, etc.). This will prevent internal clients bypassing your internal DNS and/or exfiltrating data out using the DNS protocol.</P> <P>&nbsp;</P> <P>Hope that helps.</P> Fri, 30 Oct 2020 16:52:50 GMT https://live.paloaltonetworks.com/t5/general-topics/best-practices-query-for-security-settings/m-p/359926#M88037 OtakarKlier 2020-10-30T16:52:50Z https://live.paloaltonetworks.com/t5/general-topics/best-practices-query-for-security-settings/m-p/360011#M88042 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/27580">@OtakarKlier</a>&nbsp; Thanks . this will certainly help</P><P>&nbsp;</P><P>Regarding points such as Threat prevention and Wildfire :&nbsp;</P><P>&nbsp;</P><P>For eg : There is a rule from a User zone to Printer zone : Does it make sense to enable Threat and Wildfire .</P><P>&nbsp;</P><P>I mean doesnot it cause more process utilization ? I am just asking from functionality point of view .</P><P>&nbsp;</P><P>The other points for URL , APP ID and SSL Decryption is understandable .</P> Fri, 30 Oct 2020 20:51:02 GMT https://live.paloaltonetworks.com/t5/general-topics/best-practices-query-for-security-settings/m-p/360011#M88042 FWPalolearner 2020-10-30T20:51:02Z https://live.paloaltonetworks.com/t5/general-topics/best-practices-query-for-security-settings/m-p/360014#M88043 <P>Hello,</P> <P>While yes it does increase load on the system, I try my best to follow the Zero Trust approach. So yes I will enable those features for the internal traffic as well. This can indicate a malicious actor on the network attempting to get a foothold somehow. It will also potentially stop lateral movement.</P> <P>&nbsp;</P> <P>Hope that helps.</P> Fri, 30 Oct 2020 21:51:11 GMT https://live.paloaltonetworks.com/t5/general-topics/best-practices-query-for-security-settings/m-p/360014#M88043 OtakarKlier 2020-10-30T21:51:11Z https://live.paloaltonetworks.com/t5/general-topics/best-practices-query-for-security-settings/m-p/363754#M88410 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/27580">@OtakarKlier</a></P><P>&nbsp;</P><P>The thing is i have to define the KPI for each of the Security feature ; I have got the BPA report and now</P><P>&nbsp;</P><P>what should be the required KPI once we implement all the security features</P> Wed, 18 Nov 2020 10:53:30 GMT https://live.paloaltonetworks.com/t5/general-topics/best-practices-query-for-security-settings/m-p/363754#M88410 FWPalolearner 2020-11-18T10:53:30Z