by editeur, 05-05-2018 02:05 PM - edited 05-06-2018 05:49 AM
What's in it for me...and you?
Still got that burning question? #GetAnswers at Ignite, live and in person: visit the Live Community in Booth 304, May 21-24, at the Anaheim Convention Center.
#GetAnswers -- like this!
Question: Should we be using the default actions for spyware or should we define the actions in exceptions?
Answer: I usually tell clients to create custom spyware profiles and specify an action of 'block' for the critical and high severities and an action of 'default' for all other severities.
Palo Alto Networks next-generation firewalls have two built-in profiles. One is called 'default', which, personally, I do not recommend; I believe this setting is not adequate for today's security standards. That said, it is still better than having no profile configured at all.
The default profile uses the default action for every signature, as specified by Palo Alto Networks when the signature is created. Personally, I'd recommend using the strict profile to ensure blocking of vulnerabilities exploited by malicious documents. The strict profile overrides the action defined in the signature file for critical-, high-, and medium-severity threats and sets it to the 'reset-both' action. The default action is taken for low- and informational-severity threats.
It is also possible to create a custom profile and tweak it as desired. Don't forget to use the profile in a security policy!
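Worked example, added here and not part of the original post or Palo Alto Networks' own tooling: a small Python script that builds the custom anti-spyware profile described in the answer (one rule that resets critical and high, one rule that leaves the remaining severities at the signature default) as a PAN-OS config XML element, and then audits a configuration export for security rules that either attach no anti-spyware profile or still rely on the built-in 'default' profile. The XML element names and XPath follow the PAN-OS configuration schema as the author of this example understands it, the sample config is constructed, and the helper names are hypothetical; verify the layout against your own `show config running` export before pushing anything with the XML API.

```python
"""Build a PAN-OS anti-spyware profile and audit which security rules attach it.

Added example, not from the original post. Element names, the XML API xpath and
the sample config are assumptions based on the PAN-OS configuration schema;
check them against a real running-config export.
"""
import xml.etree.ElementTree as ET

# Severity -> action, mirroring the answer's recommendation:
# reset critical/high, keep the signature's own default action for the rest.
RECOMMENDED_ACTIONS = {
    "critical": "reset-both",
    "high": "reset-both",
    "medium": "default",
    "low": "default",
    "informational": "default",
}


def build_spyware_profile(name, actions=RECOMMENDED_ACTIONS):
    """Return a profiles/spyware <entry> element with one rule per distinct action."""
    entry = ET.Element("entry", name=name)
    rules = ET.SubElement(entry, "rules")
    by_action = {}                       # group severities that share an action
    for sev, act in actions.items():
        by_action.setdefault(act, []).append(sev)
    for act, sevs in by_action.items():
        rule = ET.SubElement(rules, "entry", name=f"r-{act}")
        ET.SubElement(rule, "threat-name").text = "any"
        ET.SubElement(rule, "category").text = "any"
        ET.SubElement(rule, "packet-capture").text = "disable"
        sev_el = ET.SubElement(rule, "severity")
        for s in sevs:
            ET.SubElement(sev_el, "member").text = s
        ET.SubElement(ET.SubElement(rule, "action"), act)   # e.g. <action><reset-both/></action>
    return entry


def api_set_params(profile_entry, vsys="vsys1"):
    """Query parameters for an XML API 'config/set' call (assumed xpath layout)."""
    xpath = (f"/config/devices/entry[@name='localhost.localdomain']"
             f"/vsys/entry[@name='{vsys}']/profiles/spyware")
    return {"type": "config", "action": "set", "xpath": xpath,
            "element": ET.tostring(profile_entry, encoding="unicode")}


# Constructed sample config: direct profile, built-in default, profile group with and
# without spyware, and a rule with no profile-setting at all.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
  <profile-group>
    <entry name="grp-strict"><spyware><member>strict</member></spyware></entry>
    <entry name="grp-url-only"><url-filtering><member>default</member></url-filtering></entry>
  </profile-group>
  <rulebase><security><rules>
    <entry name="allow-web-custom"><profile-setting><profiles><spyware><member>custom-spyware</member></spyware></profiles></profile-setting></entry>
    <entry name="allow-web-builtin"><profile-setting><profiles><spyware><member>default</member></spyware></profiles></profile-setting></entry>
    <entry name="allow-dns-group"><profile-setting><group><member>grp-strict</member></group></profile-setting></entry>
    <entry name="allow-mail-group"><profile-setting><group><member>grp-url-only</member></group></profile-setting></entry>
    <entry name="allow-internal"/>
  </rules></security></rulebase>
</entry></vsys></entry></devices></config>"""


def spyware_profile_per_rule(config_xml):
    """Map each security rule to the anti-spyware profile it ends up with (None if none)."""
    vsys = ET.fromstring(config_xml).find(".//vsys/entry")
    groups = {}
    for g in vsys.iterfind("profile-group/entry"):
        m = g.find("spyware/member")
        groups[g.get("name")] = m.text if m is not None else None
    result = {}
    for rule in vsys.iterfind("rulebase/security/rules/entry"):
        prof = rule.find("profile-setting/profiles/spyware/member")
        grp = rule.find("profile-setting/group/member")
        if prof is not None:
            result[rule.get("name")] = prof.text
        elif grp is not None:
            result[rule.get("name")] = groups.get(grp.text)   # resolve the group
        else:
            result[rule.get("name")] = None
    return result


def weak_rules(config_xml):
    """Rules with no anti-spyware profile, or with the built-in 'default' one."""
    findings = []
    for rule, prof in spyware_profile_per_rule(config_xml).items():
        if prof is None:
            findings.append((rule, "no anti-spyware profile attached"))
        elif prof == "default":
            findings.append((rule, "uses built-in 'default' profile"))
    return findings


if __name__ == "__main__":
    print(api_set_params(build_spyware_profile("custom-spyware"))["element"])
    for rule, why in weak_rules(SAMPLE_CONFIG):
        print(f"{rule}: {why}")
```

Running it prints the profile element you would hand to the XML API and three findings from the sample config: `allow-web-builtin` (built-in default), `allow-mail-group` (its group carries no spyware profile) and `allow-internal` (no profile at all). Rules reached only through a profile group are the usual blind spot, which is why the audit resolves the group instead of treating any profile-setting as sufficient.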