Default antivirus profiles on a "deny" policy


L2 Linker

Hello,

What does it mean to attach the "default antivirus profile" to a deny policy?  Does that mean that traffic matching that rule will be both denied and scanned for viruses?  (I have the same question for the other profiles too).

Thank you,

Chris


7 REPLIES

L6 Presenter

Hi Chris,

Let's say an "AV Profile" is in place with a deny policy; then a few packets (or one) will be matched to the deny policy before the last packet is dropped by the policy, and all those packets will be scanned for viruses/vulnerabilities. It's safer.

However, most likely 16 packets will be scanned for AV, because after that the firewall will identify the application and either allow or drop it.

Bottom line is, it's safer.

Regards,

Hardik Shah

L7 Applicator

Hello Chris,

The "default-profile" contains all the recommended settings. Hence, it is advisable to attach that profile to a deny policy. So, even if the packet is getting dropped (not matching any existing policy), you will have more granular visibility of what type of traffic is heading towards your firewall, i.e. malicious, threat, etc.

Hope this helps.

Thanks

L4 Transporter (accepted solution)

Hello Chris,

If you want to block traffic from zone A to zone B and you have configured the security rule to block this traffic, let's say the first packet comes from zone A; we do a route lookup and find the destination zone to be zone B. You will then do a policy lookup and see that there is a policy match. But since the action is set to "deny", the packet is dropped immediately. The firewall will only inspect the traffic if the policy it matched has the action set to "allow". Hope this helps.

Thanks
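The lookup order the accepted answer describes, written out as an added example (not code from this thread or from Palo Alto Networks): a constructed Python model in which a packet is routed to find its destination zone, matched top-down against the rulebase, and only an "allow" match installs a session on which the attached profile runs. A "deny" match writes a discard entry to the traffic log and nothing else, so a profile attached to it never inspects anything. Zone names, addresses, rule names, the toy antivirus signature list and the "reset" action are all assumptions made for the demo.

```python
# Constructed model of the policy lookup described in the accepted answer.
# Added example; not code from the thread or from any vendor product.
from dataclasses import dataclass, field

# Toy antivirus content: a substring signature list (constructed for the demo).
VIRUS_SIGNATURES = (b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE",)
VIRUS_PAYLOAD = b"GET /download HTTP/1.1\r\n\r\n...EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
CLEAN_PAYLOAD = b"GET /index.html HTTP/1.1\r\n\r\n"


@dataclass
class Rule:
    name: str
    from_zone: str
    to_zone: str
    action: str            # "allow" or "deny"
    profiles: tuple = ()   # attached security profiles, e.g. ("default-antivirus",)


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    payload: bytes = b""


@dataclass
class Firewall:
    zone_prefixes: dict          # address prefix -> zone; stands in for the route lookup
    rules: list
    sessions: list = field(default_factory=list)
    traffic_log: list = field(default_factory=list)
    threat_log: list = field(default_factory=list)
    profile_runs: int = 0        # how many times a profile actually inspected a payload

    def zone_for(self, ip: str) -> str:
        for prefix, zone in self.zone_prefixes.items():
            if ip.startswith(prefix):
                return zone
        return "unknown"

    def policy_lookup(self, src_zone: str, dst_zone: str):
        # First match wins, top-down, like the rulebase order.
        for rule in self.rules:
            if rule.from_zone == src_zone and rule.to_zone == dst_zone:
                return rule
        return None

    def av_scan(self, payload: bytes) -> bool:
        self.profile_runs += 1
        return any(sig in payload for sig in VIRUS_SIGNATURES)

    def process_packet(self, pkt: Packet) -> str:
        src_zone = self.zone_for(pkt.src_ip)
        dst_zone = self.zone_for(pkt.dst_ip)     # the route lookup
        rule = self.policy_lookup(src_zone, dst_zone)
        rule_name = rule.name if rule else "no-match"
        if rule is None or rule.action == "deny":
            # Deny path: no session is installed, so nothing attached to the
            # rule ever sees the payload; only a discard log entry is written.
            self.traffic_log.append((rule_name, "drop", pkt.src_ip, pkt.dst_ip))
            return "drop"
        # Allow path: install the session, then run the attached profiles.
        self.sessions.append((pkt.src_ip, pkt.dst_ip, rule_name))
        for profile in rule.profiles:
            if profile == "default-antivirus" and self.av_scan(pkt.payload):
                self.threat_log.append((rule_name, "virus", pkt.src_ip, pkt.dst_ip))
                return "reset"   # assumed profile action for a detected virus
        self.traffic_log.append((rule_name, "allow", pkt.src_ip, pkt.dst_ip))
        return "allow"


def build_demo_firewall() -> Firewall:
    """Two rules, both with the antivirus profile attached; only one allows."""
    return Firewall(
        zone_prefixes={"10.1.": "trust", "192.0.2.": "untrust", "203.0.113.": "dmz"},
        rules=[
            Rule("block-untrust-to-dmz", "untrust", "dmz", "deny", ("default-antivirus",)),
            Rule("allow-trust-to-dmz", "trust", "dmz", "allow", ("default-antivirus",)),
        ],
    )


def demonstrate() -> dict:
    """Send the same infected payload through the deny rule and the allow rule."""
    fw = build_demo_firewall()
    via_deny = fw.process_packet(Packet("192.0.2.10", "203.0.113.5", VIRUS_PAYLOAD))
    runs_after_deny = fw.profile_runs
    via_allow = fw.process_packet(Packet("10.1.1.10", "203.0.113.5", VIRUS_PAYLOAD))
    via_clean = fw.process_packet(Packet("10.1.1.10", "203.0.113.5", CLEAN_PAYLOAD))
    return {
        "via_deny": via_deny,                        # "drop"
        "profile_runs_after_deny": runs_after_deny,  # 0: the profile never ran
        "via_allow": via_allow,                      # "reset": AV profile caught it
        "via_clean": via_clean,                      # "allow"
        "threats_logged": len(fw.threat_log),        # 1
        "sessions": len(fw.sessions),                # 2: only allow matches install sessions
    }


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {value}")
```

The point the model makes visible is the `profile_runs_after_deny` counter: the deny rule carries the same antivirus profile as the allow rule, yet the infected payload sent through it is dropped with the counter still at zero, while the same payload through the allow rule is inspected and logged as a threat.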

Hi Tsiv,

Sometimes Deny is configured with an application; let's say Facebook is blocked between Zone A and Zone B.

Now the policy will allow at least 16 packets to identify it as Facebook and then drop it.

Now there are two scenarios.

1. No AV Profile: then these 16 packets are not scanned.

2. With AV Profile: these 16 packets are scanned to check for any threat.

Bottom line is, it's not always a plain drop.

Regards,

Hardik Shah

Hello hshah,

Your understanding is not correct. Flow basic clearly shows that if the action associated with the policy is "deny", we won't even install the session for inspection to happen. We just record a discard log saying that the traffic is dropped.

Hope this helps.

Thanks

Hi Tshiv,

I think you are right; in that case there is no significance of profiles in a deny rule.

Regards,

Hardik Shah

L7 Applicator

Correcting my initial update:

Tshiv is absolutely correct: once a packet matches a "deny" policy during SLOW-PATH packet processing, the PAN firewall will discard that packet immediately (before sending that packet for L7 inspection). Hence, adding an AV profile will not make any sense.

The default deny policy is for logging all dropped packets on the firewall for more visibility into what traffic is heading towards your firewall (source IP, protocol, source country, etc.).

Thanks
