Does PA have any documentation for their IPS/IDS system?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Does PA have any documentation for their IPS/IDS system?

Not applicable

Just went throught the PA administrator 4.1 guide and there isent much regarding how to use the IPS/IDS system. I have a spare PA-200 at the shop and wanted to learn more on how to use the IPS/IDS system and Wildfire. Can someone direct me to the right direction?

RW

7 REPLIES 7

L6 Presenter

There is a good video on threat management that you can review:  https://live.paloaltonetworks.com/videos/1068.

Thanks.

L4 Transporter

Admin Guide has some coverage, but here's a 12 minute video with some coverage on how to configure IPS, aka Vulnerability Protection profiles.

https://live.paloaltonetworks.com/videos/1133

Not applicable

Is there any document on recommendations on enabling IPS on internal to internal zones? I've seen a lot of false positives using both default and strict. (as it's normal Windows type traffic...)

I was told one exists but can't find it.

Using IPS is a classic chickenrace.

You will never get 0% false-positives so it depends if you wish to protect your golden eggs (with a 95% or so probability to find bad traffic) but at the same time risk that some good traffic will be blocked aswell or do you want to allow all good traffic and by that allow 100% bad traffic aswell?

A good default setting to find most bad stuff and at the same time lower probability of false positives is to use this setup as a start:

critical: block

high: block

medium: block

low: default

information: default

and then activealy monitor your logs to whitelist any verified false positives.

An example (in informational which has default alert) is urls in pdf files. Today not uncommon, but at the same time a high probability that a bad pdf will contain urls. So blocking this would probably give you a high rate of false positives but at the same time, if you know that NO pdf's within your organisation should contain urls then you could put this particular threatid into block instead of alert.

As a starter you could of course put all levels to alert mode and then followup each day to identify at least how many critical, high and medium threats you have today before you put them into block default.

Wish it was that simple, what I was looking for is a more granular paper on how to best implement IPS in an internal environment. What I would see if I did above recommendation would be a lot of traffic blocked, why I'm not sure but I see a lot of "brute" force attempts which isn't actually brute force attempts (Windows and Sharepoint, SMB Fragment Packet Found +Microsoft ASP .NET Information Leak Brute-force attempt).

If there isn't a white paper on it, I'm guessing I've got to create a blank paper and work from there. Was hoping that it wasn't going to be that work intense to get a basic cover.

Cheers

A.

Wish it was that simple, what I was looking for is a more granular paper on how to best implement IPS in an internal environment. What I would see if I did above recommendation would be a lot of traffic blocked, why I'm not sure but I see a lot of "brute" force attempts which isn't actually brute force attempts (Windows and Sharepoint, SMB Fragment Packet Found +Microsoft ASP .NET Information Leak Brute-force attempt).

If there isn't a white paper on it, I'm guessing I've got to create a blank paper and work from there. Was hoping that it wasn't going to be that work intense to get a basic cover.

Cheers

A.

If you use these settings nothing will be blocked but you would need to look through your logs to find the bad traffic:

critical: alert

high: alert

medium: alert

low: alert

information: alert

  • 4837 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!