Mitigate Vulnerabilities Through Proper Application of Threat Prevention

Issue

Proper configuration of a PAN-OS device is required to successfully detect and prevent exploitation of vulnerabilities.

While the recommended action by Palo Alto Networks is to patch all vulnerable devices, including PAN-OS devices, to the proper version levels specified in the security advisories, emergency content releases contain signatures to help protect PAN-OS.

Solution

The solution will be broken into small steps:

1. Content installation
2. Configuration of a vulnerability protection profile to take proper action against signature pattern match (Reset-both)
3. Assign the configured vulnerability protection profile to a security rule 
4. Configuration of Inbound SSL Decryption 

Details

1. Content Installation
   Ensure that content is updated to the latest version.
   
   
   
2. Configure a Vulnerability Protection Profile
   This section will briefly describe how to configure a vulnerability protection profile to take preventative action against detection of the threat IDs associated with any security advisory.
   There are two options for this portion of the configuration:
   1. In this example, the vulnerability protection profile "strict" is configured to take a RESET-BOTH action against detection of high severity signatures; 38902, 38903, and 38904 are high severity signatures. As such, this profile can be used on the security rule that matches inbound traffic destined for the firewall.
   2. A custom vulnerability protection profile with actions for these three signatures set to RESET-BOTH. Please reference this link for assistance with this process.
       
3. Assign the Vulnerability Protection Profile to a Security Rule
   This section will describe how to assign the previously configured vulnerability protection profile to a security rule which matches the traffic destined for global protect, and any dataplane interface being used for management.
   
   For this exercise, let us assume that Global Protect is hosted on an interface that is homed on the "Untrust" zone and the VPN traffic will also source from the "Untrust" zone.
   
   To protect against exploitation to Global Protect, or other services published on the dataplane, the vulnerability protection profile must be assigned to a security rule that inspects "Untrust" zone to "Untrust" zone traffic. 
   
   
   In the above screenshot, the icon under the PROFILE column is the vulnerability protection profile "strict" referenced in our previous step. Source zone is "Untrust" and destination zone is "Untrust."
   
   The following step should be taken in the event a dataplane interface is used for device management.
4. Configure Inbound SSL Decryption
   Reference the following documents to assist in configuring inbound SSL decryption: 
   • Configure SSL Inbound Inspection 
   • How to Implement and Test SSL Decryption