BPA Adventure: Anti-Spyware and DNS Sinkhole

Community Manager

Read about my BPA Adventure: Anti-Spyware and DNS Sinkhole. Like any good security engineer, I have my own PA-220 at home and I was (smugly) wondering how well I would score on a Palo Alto Networks Best Practice Assessment (BPA). The results were...interesting. Take a look at my results in this new blog on Live Community.


The Best Practice Assessment (BPA)


If you haven't run a BPA before, check out How to use the new BPA functionality and video.


I accessed the CSP (Customer Support Portal) and uploaded my TechSupport File to the Best Practice Assessment Tool, designated my zones and ran the report. I felt pretty good about myself when the left half of the screen lit up bright apple green where the center (the average) is more lime and orange. I didn't really notice the horror on the right-hand side as nearly everything was white, except for one green bar which drew my attention and bruised my ego a little.


Preview of BPA summary


My adoption rates were great, but my BPA scores were horrible. All that smugness went out the window. I went ahead and downloaded the full report to see where I goofed up.


The downloaded .zip file contains a "Failed Best Practice Checks" .xlsx, and a "Best Practice Assessment" .html file.


The .xlsx file gives you a short and sweet summary of every failed check, a link to the remediation guidance for each, and an estimate of the time you'd need to rectify it (pretty cool, right?).


Screenshot of Failed Best Practices Checks


The HTML file has the same adoption heatmap and some other graphical report elements plus report sections for all the failed checks. Since I have been working on the new DNS Security service, I was a bit horrified to notice I had a failed check for DNS Sinkhole on my home device.


To get to the Anti-Spyware checks from the main page, do the following:

  1. Go to BPA
  2. Select the Objects Tab
  3. Pick Anti-Spyware from the Security Profiles


Snapshot of Best Practice AntiSpyware results


Making my Anti-Spyware profile better


So what can be done to make my profile better?

  • I need to set the action for the DNS Security service to sinkhole, so that clients resolving malicious domains are pointed at the sinkhole address instead of the real one.
  • It is recommended to enable single-packet packet capture on the DNS sinkhole action (this captures the offending DNS query, which is what you'll want when tracking down the infected client).
  • I need to set an action for the "Informational" severity, which currently has no rule at all.
  • The rules for medium, high, and critical should have an action other than default to ensure a strong security stance.


Snapshot of Anti-Spyware profile - BAD: a profile that needs a little improvement

So I made the following changes:

  • I set the critical severity action to block-ip (track by source) for 120 seconds.
  • I set the high severity action to drop.
  • I set the medium severity action to reset-client (as spyware will usually be triggered from a client on the inside).
  • I added informational to the existing low rule with action default, and enabled single-packet Packet Capture on it.
  • I enabled sinkhole for the DNS Security service and set single-packet Packet Capture for both DNS signature sources.
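To make the checks above concrete, here is a small script that runs the same four Anti-Spyware checks against profiles pulled from a PAN-OS configuration export. This is an added example, not the BPA tool's own code: the XML layout of the two constructed sample profiles (BADProfile and GOODProfile) is modelled on the `profiles/spyware` section of a PAN-OS running config, so treat the element names as assumptions and compare them against your own export before trusting the results.

```python
"""Re-run the Anti-Spyware BPA checks from this post against exported profiles.

Added example; not Palo Alto Networks code. The element names below are
modelled on a PAN-OS running-config export and are assumptions to verify
against your own `show config running` output.
"""
import xml.etree.ElementTree as ET

SEVERITIES = ("critical", "high", "medium", "low", "informational")
MUST_NOT_BE_DEFAULT = ("critical", "high", "medium")   # BPA: action other than default
MUST_HAVE_RULE = ("informational",)                    # BPA: a rule must cover it

# Constructed sample config: the "before" and "after" profiles from the post.
SAMPLE_CONFIG = """<spyware>
 <entry name="BADProfile">
  <rules>
   <entry name="simple-critical"><severity><member>critical</member></severity><action><default/></action><packet-capture>disable</packet-capture></entry>
   <entry name="simple-high"><severity><member>high</member></severity><action><default/></action><packet-capture>disable</packet-capture></entry>
   <entry name="simple-medium"><severity><member>medium</member></severity><action><default/></action><packet-capture>disable</packet-capture></entry>
   <entry name="simple-low"><severity><member>low</member></severity><action><default/></action><packet-capture>disable</packet-capture></entry>
  </rules>
  <botnet-domains>
   <lists><entry name="default-paloalto-dns"><action><alert/></action><packet-capture>disable</packet-capture></entry></lists>
   <dns-security-categories><entry name="pan-dns-sec-malware"><action>alert</action><packet-capture>disable</packet-capture></entry></dns-security-categories>
  </botnet-domains>
 </entry>
 <entry name="GOODProfile">
  <rules>
   <entry name="simple-critical"><severity><member>critical</member></severity><action><block-ip><track-by>source</track-by><duration>120</duration></block-ip></action><packet-capture>single-packet</packet-capture></entry>
   <entry name="simple-high"><severity><member>high</member></severity><action><drop/></action><packet-capture>single-packet</packet-capture></entry>
   <entry name="simple-medium"><severity><member>medium</member></severity><action><reset-client/></action><packet-capture>single-packet</packet-capture></entry>
   <entry name="simple-low"><severity><member>low</member><member>informational</member></severity><action><default/></action><packet-capture>single-packet</packet-capture></entry>
  </rules>
  <botnet-domains>
   <lists><entry name="default-paloalto-dns"><action><sinkhole/></action><packet-capture>single-packet</packet-capture></entry></lists>
   <dns-security-categories><entry name="pan-dns-sec-malware"><action>sinkhole</action><packet-capture>single-packet</packet-capture></entry></dns-security-categories>
   <sinkhole><ipv4-address>sinkhole.paloaltonetworks.com</ipv4-address><ipv6-address>::1</ipv6-address></sinkhole>
  </botnet-domains>
 </entry>
</spyware>"""


def action_name(entry):
    """Return the configured action; handles both <action><drop/></action>
    and <action>sinkhole</action> forms, defaulting to 'default' if absent."""
    act = entry.find("action")
    if act is None:
        return "default"
    child = next(iter(act), None)
    if child is not None:
        return child.tag            # e.g. block-ip, drop, reset-client, sinkhole
    return (act.text or "default").strip()


def check_profile(profile):
    """Return a list of failed-check descriptions for one spyware profile."""
    failures = []
    by_sev = {}                     # severity -> list of actions covering it
    for rule in profile.findall("rules/entry"):
        act = action_name(rule)
        members = [m.text.strip() for m in rule.findall("severity/member")]
        covered = SEVERITIES if "any" in members else members
        for sev in covered:
            by_sev.setdefault(sev, []).append(act)
    for sev in MUST_NOT_BE_DEFAULT:
        if sev not in by_sev:
            failures.append(f"no rule covers severity '{sev}'")
        elif all(a == "default" for a in by_sev[sev]):
            failures.append(f"severity '{sev}' only has action 'default'")
    for sev in MUST_HAVE_RULE:
        if sev not in by_sev:
            failures.append(f"no rule covers severity '{sev}'")
    dns_sources = (profile.findall("botnet-domains/lists/entry")
                   + profile.findall("botnet-domains/dns-security-categories/entry"))
    if not dns_sources:
        failures.append("no DNS signature source configured")
    for src in dns_sources:
        name, act = src.get("name"), action_name(src)
        if act != "sinkhole":
            failures.append(f"DNS source '{name}' action is '{act}', not 'sinkhole'")
        pcap = (src.findtext("packet-capture") or "disable").strip()
        if pcap != "single-packet":
            failures.append(f"DNS source '{name}' packet-capture is '{pcap}', not 'single-packet'")
    return failures


def assess(xml_text):
    """Map profile name -> list of failed checks for every profile in the export."""
    root = ET.fromstring(xml_text)
    return {p.get("name"): check_profile(p) for p in root.findall("entry")}


if __name__ == "__main__":
    for name, fails in assess(SAMPLE_CONFIG).items():
        print(f"{name}: {'PASS' if not fails else 'FAIL'}")
        for f in fails:
            print("  -", f)
```

Run it as-is to see BADProfile fail on all eight points and GOODProfile pass; to check a real box, replace `SAMPLE_CONFIG` with the `<spyware>` element from your own configuration export. Note that a rule with severity `any` is treated as covering every severity, which is why a single catch-all rule with a non-default action also satisfies the critical/high/medium check.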


Snapshot of Anti-Spyware profile - GOOD: an Anti-Spyware profile according to Best Practices

After committing the changes, collecting a fresh TechSupport File, and re-running the BPA, I now have two extra bars in Best Practice Mode!


View of BPA improvements: Best Practice Anti-Spyware and DNS Sinkhole at 100%!


Next time, we'll take a look at the other BPA results.


Stay frosty!

Reaper out
