Configuration Wizard Frequently Asked Questions

Configuration Wizard Additional Best Practice Checks Support

This document provides detail on additional BPA checks that were recently added into Configuration Wizard.

Before we get into details, we would like to provide a quick overview of Configuration Wizard. It’s a step-by-step configuration wizard that provides an intuitive, easy-to-use interface to configure firewalls to align with best practices. The Configuration Wizard takes the results of the BPA report and expedites the remediation process by outputting commands that can be easily pasted into any instance of PAN-OS and committed. This helps users configure their firewalls using existing applications and capabilities to properly secure their network.

Benefits of Configuration Wizard include:

- Improved Security Posture - Ensure expert best practices are being adhered to.
- Quick & Easy - Deploy and implement best practices easily with the configuration wizard.
- Maximize Return on Investment - Get the most out of NGFW features with best-practice configurations.

Best Practice Checks that can be remediated with Configuration Wizard

Category: Objects
- Antivirus Profile Decoder Wildfire Actions
- URL Filtering Profile Allow Categories

Category: Device
- TCP out-of-order traffic
- Failed Attempts
- Lockout Time
- Rematch Sessions

Antivirus Profile Decoder Wildfire Actions

The WildFire Action setting in the Antivirus profile blocks viruses that WildFire identifies in content signature updates. This BPA check ensures the decoders are set to reset-both, drop, reset-client, or reset-server in the WildFire Action column.

If users have a WildFire subscription, their firewalls receive zero-day malware signatures from the WildFire cloud minutes after the threat is discovered. The WildFire Action setting in the Antivirus profile is based on WildFire content signature updates.

URL Filtering Profile Allow Categories

Custom URL categories and external dynamic lists of type URL are displayed under Category. By default, Site Access and User Credential Submission permissions for all categories are set to allow. The URL Filtering Profile Allow Categories best practice check ensures the URL categories under the Site Access section are not set to allow.

If traffic to a URL category is set to allow, the firewall doesn’t log that traffic, so there is no visibility into traffic to websites in that URL category. For URL categories that are not blocked, set the Site Access action to alert to log traffic to all websites.

TCP out-of-order traffic

Do not forward TCP out-of-order queue segments. If this option is disabled, the firewall drops segments that exceed the out-of-order queue limit. This option is disabled by default and should remain this way for the most secure deployment.

Until the firewall receives all of the packets in order, it can’t send them from the TCP layer to the Application layer. So forwarding segments that exceed the TCP out-of-order queue limit can cause extra delay and degrade firewall performance.

Failed Attempts

A failed login attempt may be the result of human error and can be corrected within a couple of attempts. If this value is set to more than a few attempts, a malicious system may be able to keep trying to log in until it succeeds, gaining access to the firewall and control of the device.

Setting a low number of Failed Attempts allows users who make typing errors to retry the login a reasonable number of times while preventing malicious systems from trying to access the firewall with repeated login attempts until they gain access.

Lockout Time

Lockout Time locks an administrator out for a set period before the next login attempt can be made, so that continuous login attempts cannot be made against the system. Continuous attempts are generally observed with malicious intent, and this setting controls that behavior. Use the command "request authentication unlock-admin user" to unlock the admin user.

The Lockout Time sets the amount of time to wait between login attempts after the Failed Attempts counter is exceeded, to prevent continuous login attempts from a malicious actor.

Rematch Sessions

Rematch Sessions causes the firewall to apply newly configured Security policies to sessions that are already in progress. If this setting is disabled, any policy change applies only to sessions initiated after the policy change was committed.

With Rematch Sessions enabled, the firewall applies newly created security rules to existing active sessions. For instance, if we find policies that allow file transfers to an insecure network and there are sessions that are still active, creating a new rule to block them and committing the firewall configuration instantly rematches the new policy to the existing sessions. If the action on the new rule is set to deny, the firewall also closes the session immediately.

Feedback? Contact us at bpaplus@paloaltonetworks.com

Configuration Wizard Additional Best Practice Check Support (Version 1.3.0)

This document provides detail on an additional BPA check that was recently added into Configuration Wizard.

Before we get into details, we would like to provide a quick overview of Configuration Wizard. It’s a step-by-step configuration wizard that provides an intuitive, easy-to-use interface to configure firewalls to align with best practices. The Configuration Wizard takes the results of the BPA report and expedites the remediation process by outputting commands that can be easily pasted into any instance of PAN-OS and committed. This helps users configure their firewalls using existing applications and capabilities to properly secure their network.

Benefits of BPA+ include:

- Improved Security Posture - Ensure expert best practices are being adhered to.
- Quick & Easy - Deploy and implement best practices easily with the configuration wizard.
- Maximize Return on Investment - Get the most out of NGFW features with best-practice configurations.

Best Practice Check available in Version 1.3.0

Category: Device
- Script File Size Limit

Script File Size Limit

The file size for script files should be set so all script files that pass through the firewall are sent to WildFire for inspection. The best practice assessment check ensures the file size limit for script files is set to 20 KB.

Because each firewall model has a different disk buffer size for forwarding to sandbox, increasing the maximum script file size limit may affect forwarding capacity in terms of the number of files the firewall can forward. So it’s possible that not all files would be forwarded to WildFire if multiple big zero-day files are processed at the same time. You can tune the maximum size setting and observe whether there’s enough buffer space to handle a higher limit.

Configuration Wizard Additional Best Practice Checks Support

This document provides detail on additional BPA checks that were recently added into Configuration Wizard.

Before we get into details, we would like to provide a quick overview of Configuration Wizard. It’s a step-by-step configuration wizard that provides an intuitive, easy-to-use interface to configure firewalls to align with best practices. The Configuration Wizard takes the results of the BPA report and expedites the remediation process by outputting commands that can be easily pasted into any instance of PAN-OS and committed. This helps users configure their firewalls using existing applications and capabilities to properly secure their network.

Benefits of BPA+ include:

- Improved Security Posture - Ensure expert best practices are being adhered to.
- Quick & Easy - Deploy and implement best practices easily with the configuration wizard.
- Maximize Return on Investment - Get the most out of NGFW features with best-practice configurations.

Best Practice Checks that can be remediated with Configuration Wizard

Category: Objects
- WildFire Profile File Types
- Antivirus Profile Decoder WildFire Inline ML Action

Category: Device
- Report Grayware Files Enabled

WildFire Profile File Types

Configure the firewall to forward files to WildFire for analysis. Through the WildFire Analysis Profile, all files being uploaded or downloaded will be sent to WildFire for analysis. The WildFire Profile File Types best practice check ensures all file types for all applications are sent to WildFire for analysis.

The WildFire Cloud and on-premises private cloud analyze new files that the firewall hasn’t seen before. The firewall sends all new files for all applications to WildFire for analysis and inspection. WildFire detects unknown threats in all file types and protects you against zero-day threats (new malware) and advanced persistent threats.

Antivirus Profile Decoder WildFire Inline ML Action

The WildFire Action setting in Antivirus profiles blocks viruses that WildFire identifies in content signature updates. The WildFire Decoder Actions best practice check ensures the decoders are set to reset-both, drop, reset-client, or reset-server in the WildFire Action column.

If users have a WildFire subscription, their firewalls receive zero-day malware signatures from the WildFire cloud as fast as under a minute after the threat is discovered. The WildFire Action setting in Antivirus profiles is based on WildFire content signature updates.

Report Grayware Files Enabled

When this option is enabled, WildFire submission logs include a log event when a file sent to the WildFire cloud for inspection is given a Grayware verdict. If it is not enabled, this log is not created; a log is created only for malware files.

When the Report Grayware Files option is enabled, details such as session information, Behavioral Summary, Network Activity, Host Activity and more are available, which are helpful in analytics. As a best practice, we recommend checking the Report Grayware File box under WildFire General Settings in Device Setup.

Configuration Wizard Additional Best Practice Checks Support (Version 1.4.0)

This document provides detail on additional BPA checks that were recently added into Configuration Wizard.

Before we get into details, we would like to provide a quick overview of Configuration Wizard. It’s a step-by-step configuration wizard that provides an intuitive, easy-to-use interface to configure firewalls to align with best practices. The Configuration Wizard takes the results of the BPA report and expedites the remediation process by outputting commands that can be easily pasted into any instance of PAN-OS and committed. This helps users configure their firewalls using existing applications and capabilities to properly secure their network.

Benefits of Configuration Wizard include:

- Improved Security Posture - Ensure expert best practices are being adhered to.
- Quick & Easy - Deploy and implement best practices easily with the configuration wizard.
- Maximize Return on Investment - Get the most out of NGFW features with best-practice configurations.

Best Practice Checks that can be remediated with Configuration Wizard

Category: Device
- PE File Size Limit
- PDF File Size Limit
- MacOSX File Size Limit
- APK File Size Limit
- Archive File Size Limit
- Flash File Size Limit
- Jar File Size Limit
- Linux File Size Limit
- MS Office File Size Limit

PE File Size Limit

The file size for PE files should be set so all PE files that pass through the firewall are sent to WildFire for inspection. Because each firewall model has a different disk buffer size for forwarding to sandbox, increasing the maximum PE file size limit may affect forwarding capacity in terms of the number of files the firewall can forward.

It is possible that not all files would be forwarded to WildFire if multiple big zero-day files are processed at the same time. You can tune the maximum size setting and observe whether there’s enough buffer space to handle a higher limit. The best practice assessment check ensures the file size limit for PE files is set to 16 MB.

PDF File Size Limit

The maximum file size for PDF files should be set so all PDF files that pass through the firewall are sent to WildFire for inspection. Because each firewall model has a different disk buffer size for forwarding to sandbox, increasing the maximum PE file size limit may affect forwarding capacity in terms of the number of files the firewall can forward.

It is possible that not all files would be forwarded to WildFire if multiple big zero-day files are processed at the same time. You can tune the maximum size setting and observe whether there’s enough buffer space to handle a higher limit. The best practice assessment check ensures the PDF file size is set at 3,072 KB.

MacOSX File Size Limit

Set the file size for "MacOSX" files to 10 MB so all MacOSX files that pass through the firewall are sent to WildFire for inspection. Because each firewall model has a different disk buffer size for forwarding to sandbox, increasing the maximum MacOSX file size limit may affect forwarding capacity in terms of the number of files the firewall can forward, so it's possible that not all files would be forwarded to WildFire if multiple big zero-day files are processed at the same time.

You can tune the maximum size setting and observe whether there's enough buffer space to handle a higher limit.

APK File Size Limit

Set the file size for APK files to 10 MB so all APK files that pass through the firewall are sent to WildFire for inspection. Because each firewall model has a different disk buffer size for forwarding to sandbox, increasing the maximum APK file size limit may affect forwarding capacity in terms of the number of files the firewall can forward, so it's possible that not all files would be forwarded to WildFire if multiple big zero-day files are processed at the same time.

You can tune the maximum size setting and observe whether there's enough buffer space to handle a higher limit.

Archive File Size Limit

Set the maximum file size for archive files to 50 MB so all archive files that pass through the firewall are sent to WildFire for inspection. Because each firewall model has a different disk buffer size, increasing the maximum archive file size limit may affect forwarding capacity in terms of the number of files the firewall can forward, so it's possible that not all files would be forwarded to WildFire if multiple big zero-day files are processed at the same time. You can tune the maximum size setting and observe whether there's enough buffer space to handle a higher limit.

Flash File Size Limit

Set the file size for "flash" files to 5 MB so all flash files that pass through the firewall are sent to WildFire for inspection. Because each firewall model has a different disk buffer size for forwarding to sandbox, increasing the maximum flash file size limit may affect forwarding capacity in terms of the number of files the firewall can forward, so it's possible that not all files would be forwarded to WildFire if multiple big zero-day files are processed at the same time. You can tune the maximum size setting and observe whether there's enough buffer space to handle a higher limit.

Jar File Size Limit

Set the file size for "jar" files to 5 MB so all jar files that pass through the firewall are sent to WildFire for inspection. Because each firewall model has a different disk buffer size for forwarding to sandbox, increasing the maximum jar file size limit may affect forwarding capacity in terms of the number of files the firewall can forward, so it's possible that not all files would be forwarded to WildFire if multiple big zero-day files are processed at the same time. You can tune the maximum size setting and observe whether there's enough buffer space to handle a higher limit.

Linux File Size Limit

Set the maximum file size for Linux files to 50 MB so all Linux files that pass through the firewall are sent to WildFire for inspection. Because each firewall model has a different disk buffer size, increasing the maximum Linux file size limit may affect forwarding capacity in terms of the number of files the firewall can forward, so it's possible that not all files would be forwarded to WildFire if multiple big zero-day files are processed at the same time. You can tune the maximum size setting and observe whether there's enough buffer space to handle a higher limit.

MS Office File Size Limit

Set the file size for "ms-office" files to 16,384 KB so all ms-office files that pass through the firewall are sent to WildFire for inspection. Because each firewall model has a different disk buffer size for forwarding to sandbox, increasing the maximum ms-office file size limit may affect forwarding capacity in terms of the number of files the firewall can forward, so it's possible that not all files would be forwarded to WildFire if multiple big zero-day files are processed at the same time. You can tune the maximum size setting and observe whether there's enough buffer space to handle a higher limit.
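
The file size checks above (and the 20 KB script limit from the Version 1.3.0 article) can be audited offline against limits transcribed from a firewall. The following is an added example, not Palo Alto Networks code: the dictionary keys are this example's own labels rather than confirmed PAN-OS configuration names, the sample input is constructed, and 1 MB is assumed to equal 1024 KB.

```python
import re

# Recommended limits as stated on this page, normalized to KB (assumes 1 MB = 1024 KB).
# Keys are this example's own labels, not confirmed PAN-OS configuration names.
RECOMMENDED_KB = {
    "pe": 16 * 1024,
    "pdf": 3072,
    "MacOSX": 10 * 1024,
    "apk": 10 * 1024,
    "archive": 50 * 1024,
    "flash": 5 * 1024,
    "jar": 5 * 1024,
    "linux": 50 * 1024,
    "ms-office": 16384,
    "script": 20,
}

_SIZE = re.compile(r"^\s*([\d,]+)\s*(KB|MB)\s*$", re.IGNORECASE)

def to_kb(text):
    """Parse sizes written like '3,072KB' or '16 MB' into an integer KB count."""
    m = _SIZE.match(text)
    if not m:
        raise ValueError(f"unrecognized size: {text!r}")
    value = int(m.group(1).replace(",", ""))
    return value * 1024 if m.group(2).upper() == "MB" else value

def audit(configured):
    """Return {file_type: (status, detail)} for every file type with a recommended limit."""
    findings = {}
    for ftype, want in RECOMMENDED_KB.items():
        raw = configured.get(ftype)
        if raw is None:
            findings[ftype] = ("missing", "no limit recorded")
            continue
        try:
            have = to_kb(raw)
        except ValueError as exc:
            findings[ftype] = ("invalid", str(exc))
            continue
        if have == want:
            findings[ftype] = ("ok", f"{have} KB")
        elif have < want:
            findings[ftype] = ("below", f"{have} KB < {want} KB: larger files are not forwarded")
        else:
            findings[ftype] = ("above", f"{have} KB > {want} KB: watch forwarding buffer capacity")
    return findings

# Constructed sample, as an operator might transcribe it from the WildFire settings.
SAMPLE = {"pe": "16MB", "pdf": "2 MB", "MacOSX": "10 MB", "apk": "10 MB",
          "archive": "50 MB", "flash": "5 MB", "jar": "5 MB", "linux": "51200 KB",
          "ms-office": "32 MB", "script": "twenty"}

if __name__ == "__main__":
    for ftype, (status, detail) in audit(SAMPLE).items():
        print(f"{ftype:10} {status:8} {detail}")
```
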