Best practices to configure Policy Rules in regards to servers

Reply
Highlighted
L2 Linker

Best practices to configure Policy Rules in regards to servers

Hello!

I'm reaching out there to see if there are any best practices or recommendations in regards to servers and how to build out a successful Policy Rule plan to incorporate Reporting Only AND Blocking. 

The intent is to have new servers enter the Report Only policy for a couple of weeks then transition them to a blocking/enforcement policy after that. The goal would be to automate this as much as possible but I understand there'd have to be some manual intervention. 

Has this been done before by anyone else? Or are there other recommendations out there? 

 

Thanks in advance! 


Accepted Solutions
Highlighted
L4 Transporter

Re: Best practices to configure Policy Rules in regards to servers

Hi there,

 

To my knowledge, there is no best practice documentation out there that covers this.  If it were me, I would leverage the report only mode for a few days on machines that are in active use.  There are three main areas where I would focus.  Malware, BTP, and Exploit.  Malware is black and white - this gives you a chance for WIldFire and Local Analysis to make verdicts without doing prevention.  Exploit, on the other hand is not so black and white; however, it is not as complicated as it was in the past.  Out of the box, the product injects into commonly exploited processes and looks for different techniques.  For the most part, these are tuned.  If you elect to protect additional processes, reporting mode is important to see if you need to do any tuning.  BTP is looking at causality chains -- or sequences of events -- to determine if a sequence of events is bad.  Same goes here - I would leverage report mode for a few days to verify these scenarios. 

 

All that being said, putting machines is report mode can show you what would have been prevented to allow you to tune prior to cutting over to block.  If the machines are actively being used, I would leave them in report mode for only a few days. 


David Falcon 
MDR Systems Engineer, Cortex
Palo AltoNetworks® 

View solution in original post


All Replies
Highlighted
L4 Transporter

Re: Best practices to configure Policy Rules in regards to servers

Hi there,

 

To my knowledge, there is no best practice documentation out there that covers this.  If it were me, I would leverage the report only mode for a few days on machines that are in active use.  There are three main areas where I would focus.  Malware, BTP, and Exploit.  Malware is black and white - this gives you a chance for WIldFire and Local Analysis to make verdicts without doing prevention.  Exploit, on the other hand is not so black and white; however, it is not as complicated as it was in the past.  Out of the box, the product injects into commonly exploited processes and looks for different techniques.  For the most part, these are tuned.  If you elect to protect additional processes, reporting mode is important to see if you need to do any tuning.  BTP is looking at causality chains -- or sequences of events -- to determine if a sequence of events is bad.  Same goes here - I would leverage report mode for a few days to verify these scenarios. 

 

All that being said, putting machines is report mode can show you what would have been prevented to allow you to tune prior to cutting over to block.  If the machines are actively being used, I would leave them in report mode for only a few days. 


David Falcon 
MDR Systems Engineer, Cortex
Palo AltoNetworks® 

View solution in original post

Highlighted
L2 Linker

Re: Best practices to configure Policy Rules in regards to servers

This is great advice and I appreciate the response. I think this is sorta what we were gearing towards but I greatly appreciate the clarification on it. 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!