Configuration Wizard Additional Best Practice Checks Support (Version 1.1.0)

Configuration Wizard 

Additional Best Practice Checks Support



This document provides details on the additional BPA checks that were recently added to Configuration Wizard.

 

Before we get into the details, here is a quick overview of Configuration Wizard. It is a step-by-step wizard that provides an intuitive, easy-to-use interface for configuring firewalls to align with best practices. Configuration Wizard takes the results of the BPA report and expedites remediation by outputting commands that can be pasted into any instance of PAN-OS and committed. This helps customers properly secure their network by configuring their firewalls with the applications and capabilities they already have.

 

Benefits of Configuration Wizard include:

 

  • Improved Security Posture - Ensure expert best practices are being adhered to.
  • Quick & Easy - Deploy and implement best practices easily with the configuration wizard. 
  • Maximize Return on Investment - Get the most out of NGFW features with best-practice configurations.


Best Practice Checks that can be remediated with Configuration Wizard

Category | BPA Checks
Objects  | Antivirus Profile Decoder Wildfire Actions; URL Filtering Profile Allow Categories
Device   | TCP out-of-order traffic; Failed Attempts; Lockout Time; Rematch Sessions



Antivirus Profile Decoder Wildfire Actions

 

The WildFire Action setting in an Antivirus profile blocks viruses that WildFire identifies in the content signature updates applied to that profile. This BPA check ensures that every decoder is set to reset-both, drop, reset-client, or reset-server in the WildFire Action column.

 

If users have a WildFire subscription, their firewalls receive zero-day malware signatures from the WildFire cloud, minutes after the threat is discovered. The WildFire Action setting in Antivirus profile is based on WildFire content signature updates.

 

URL Filtering Profile Allow Categories

 

Custom URL categories and external dynamic lists of type URL are displayed under Category. By default, Site Access and User Credential Submission permissions for all categories are set to allow. The URL Filtering Profile Allow Categories best practice check ensures the URL categories under the Site Access section are not set to allow.

 

If traffic from a URL category is set to allow, the firewall does not log that traffic, so there is no visibility into traffic to websites in that URL category. For URL categories that are not blocked, set the Site Access action to alert so that traffic to all websites is logged.

 

TCP out-of-order traffic

 

Do not forward TCP out-of-order queue segments. If this option is disabled, the firewall drops segments that exceed the out-of-order queue limit. This option is disabled by default and should remain this way for the most secure deployment.

 

Until the firewall receives all of the packets in order, it can’t send them from the TCP layer to the Application layer. So forwarding segments that exceed the TCP out-of-order queue limit can cause extra delay and degrade firewall performance.



Failed Attempts

 

A failed login attempt is often the result of human error and can be corrected within a couple of attempts. If this value is set to more than a few attempts, a malicious system may be allowed to retry the login repeatedly until it succeeds, gaining access to the firewall and control of the device.

 

Setting a low number of Failed Attempts allows users who make typing errors to retry the login a reasonable number of times, while preventing malicious systems from hammering the firewall with repeated login attempts until they gain access.



Lockout Time

 

Lockout Time locks out an administrator for a set period before the next login attempt can be made, so that continuous login attempts against the system are not possible. Continuous attempts are generally a sign of malicious intent, and this setting controls that behavior. Use the command "request authentication unlock-admin user" to unlock the admin user.

 

The Lockout Time sets the amount of time to wait between login attempts after the Failed Attempts counter is exceeded to prevent continuous login attempts from a malicious actor.



Rematch Sessions

 

Rematch Sessions causes the firewall to apply newly configured Security policies to sessions that are already in progress. If this setting is disabled, any policy change applies only to sessions initiated after the policy change was committed.

 

By enabling Rematch Sessions, the firewall applies newly created security rules to existing active sessions. For instance, suppose we find policies that allow file transfers to an insecure network and there are sessions that are still active. If we create a new rule to block them and commit the firewall configuration, the firewall instantly rematches the existing sessions against the new policy and, if the action on the new rule is deny, immediately closes those sessions.
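The six checks above can be verified directly against an exported PAN-OS configuration before (or after) pasting in the commands that Configuration Wizard generates. The following Python audit script is an added example, not Palo Alto Networks code or part of Configuration Wizard. It parses a small constructed XML fragment laid out like a PAN-OS config export; the element names and XPaths (such as `bypass-exceed-oo-queue`, `admin-lockout/failed-attempts`, `session/rematch-sessions`, `decoder/entry/wildfire-action` and `url-filtering/entry/allow`) are assumptions modelled on that schema and should be checked against the export from your own PAN-OS version, as is the threshold of 5 used for "a low number of Failed Attempts".

```python
# Added example (not Palo Alto Networks code): audit a PAN-OS-style XML config
# against the six BPA checks described on this page. Element names/XPaths are
# ASSUMPTIONS modelled on a PAN-OS config export; adjust them to your schema.
import xml.etree.ElementTree as ET

# Actions that satisfy "Antivirus Profile Decoder Wildfire Actions"
COMPLIANT_WILDFIRE_ACTIONS = {"reset-both", "drop", "reset-client", "reset-server"}
# Assumed threshold for "a low number of Failed Attempts"
MAX_FAILED_ATTEMPTS = 5

# CONSTRUCTED sample config: one weak AV decoder, one URL profile that still
# allows a category, and device settings that fail all four Device checks.
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain">
    <deviceconfig><setting>
      <tcp><bypass-exceed-oo-queue>yes</bypass-exceed-oo-queue></tcp>
      <session><rematch-sessions>no</rematch-sessions></session>
      <management><admin-lockout>
        <failed-attempts>10</failed-attempts>
        <lockout-time>0</lockout-time>
      </admin-lockout></management>
    </setting></deviceconfig>
    <vsys><entry name="vsys1"><profiles>
      <virus><entry name="av-default"><decoder>
        <entry name="smtp"><wildfire-action>reset-both</wildfire-action></entry>
        <entry name="http"><wildfire-action>alert</wildfire-action></entry>
      </decoder></entry></virus>
      <url-filtering><entry name="url-default">
        <allow><member>news</member></allow>
        <alert><member>shopping</member></alert>
      </entry></url-filtering>
    </profiles></entry></vsys>
  </entry></devices>
</config>"""


def _text(node, path, default=None):
    """Return the stripped text of the first element at `path`, or `default`."""
    child = node.find(path)
    if child is None or child.text is None:
        return default
    return child.text.strip()


def audit_config(xml_text):
    """Return a list of (check, object, detail) findings; an empty list is compliant."""
    root = ET.fromstring(xml_text)
    findings = []

    # Objects: every decoder's WildFire action must be a blocking action.
    for prof in root.iterfind(".//profiles/virus/entry"):
        for dec in prof.iterfind("decoder/entry"):
            action = _text(dec, "wildfire-action", "default")
            if action not in COMPLIANT_WILDFIRE_ACTIONS:
                findings.append(("Antivirus Profile Decoder Wildfire Actions",
                                 f"{prof.get('name')}/{dec.get('name')}",
                                 f"wildfire-action is '{action}'"))

    # Objects: no URL category may have Site Access set to allow (use alert/block).
    for prof in root.iterfind(".//profiles/url-filtering/entry"):
        allowed = [m.text for m in prof.iterfind("allow/member")]
        if allowed:
            findings.append(("URL Filtering Profile Allow Categories", prof.get("name"),
                             "site access 'allow' for: " + ", ".join(allowed)))

    setting = root.find(".//deviceconfig/setting")
    if setting is not None:
        # Device: forwarding of segments beyond the out-of-order queue stays disabled.
        if _text(setting, "tcp/bypass-exceed-oo-queue", "no") == "yes":
            findings.append(("TCP out-of-order traffic", "deviceconfig",
                             "forwarding of segments exceeding the out-of-order queue is enabled"))
        # Device: a small, non-zero Failed Attempts value (0 assumed to mean unlimited).
        attempts = int(_text(setting, "management/admin-lockout/failed-attempts", "0"))
        if attempts == 0 or attempts > MAX_FAILED_ATTEMPTS:
            findings.append(("Failed Attempts", "admin-lockout",
                             f"failed-attempts is {attempts} (expected 1..{MAX_FAILED_ATTEMPTS})"))
        # Device: a non-zero Lockout Time so repeated attempts are throttled.
        lockout = int(_text(setting, "management/admin-lockout/lockout-time", "0"))
        if lockout == 0:
            findings.append(("Lockout Time", "admin-lockout", "lockout-time is 0 (no lockout)"))
        # Device: Rematch Sessions enabled so new rules apply to active sessions.
        if _text(setting, "session/rematch-sessions", "no") != "yes":
            findings.append(("Rematch Sessions", "deviceconfig", "rematch-sessions is not 'yes'"))

    return findings


if __name__ == "__main__":
    for check, obj, detail in audit_config(SAMPLE_CONFIG):
        print(f"[FAIL] {check}: {obj}: {detail}")
```

Run it against a real export by replacing `SAMPLE_CONFIG` with the contents of the XML file; each finding names the check from the table above, the object that fails it, and why, which maps directly to the remediation commands Configuration Wizard produces.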




 

Feedback? contact us at bpaplus@paloaltonetworks.com

Last Updated: 06-10-2022 01:49 PM