BPA Adventure: Anti-Spyware and DNS Sinkhole

Read about my BPA Adventure: Anti-Spyware and DNS Sinkhole. Like any good security engineer, I have my own PA-220 at home and I was (smugly) wondering how well I would score on a Palo Alto Networks Best Practice Assessment (BPA). The results were...interesting. Take a look at my results in this new blog on Live Community.

The Best Practice Assessment (BPA)

If you haven't run a BPA before, check out How to use the new BPA functionality and video.

I accessed the CSP (Customer Support Portal) and uploaded my TechSupport File to the Best Practice Assessment Tool, designated my zones and ran the report. I felt pretty good about myself when the left half of the screen lit up bright apple green where the center (the average) is more lime and orange. I didn't really notice the horror on the right-hand side as nearly everything was white, except for one green bar which drew my attention and bruised my ego a little.

My adoption rates were great, but my BPA scores were horrible. All that smugness went out the window. I went ahead and downloaded the full report to see where I goofed up.

The downloaded .zip file contains a "Failed Best Practice Checks" .xlsx, and a "Best Practice Assessment" .html file.

The .xlsx file provides you with a short and sweet summary of all the detected failed checks and links to remediation plus an estimate of how much effort in time you'd need to rectify these (pretty cool, right?).

The HTML file has the same adoption heatmap and some other graphical report elements plus report sections for all the failed checks. Since I have been working on the new DNS Security service, I was a bit horrified to notice I had a failed check for DNS Sinkhole on my home device.

To get to the Anti-Spyware checks from the main page, do the following:

1. Go to BPA
2. Select the Objects Tab
3. Pick Anti-Spyware from the Security Profiles

Making my Anti-Spyware profile better

So what can be done to make my profile better?

• I need to set the Sinkhole action on DNS Security Service to sinkhole.
• It is recommended to enable single-packet packet capture on DNS sinkhole (this catches the DNS request).
• I need to set an action for the "Informational" severity.
• The rules for medium, high, and critical should have an action different from default to ensure a strong security stance.

Profile that needs a little improvement

So I made the following changes:

• I set the critical severity action to block-ip (source) for 120 seconds.
• I set the high severity action to drop.
• I set the medium severity action to reset-client (as usually spyware will be triggered from a client on the inside).
• I added informational to the existing low rule with action default, and enabled single-packet Packet Capture.
• I enabled sinkhole for the DNS security service and set single-packet Packet Captures for both.

Anti-Spyware profile according to Best Practices

After committing the changes, collecting a fresh TechSupport File, and re-running the BPA, I now have two bars extra on the Best Practice Mode!

Best Practice Anti-Spyware and DNS Sinkhole 100%!

Next time, we'll take a look at the other BPA results.

Stay frosty!

Reaper out