Best practices to configure Policy Rules in regards to servers

CraigV123 · ‎02-12-2020

Hello!

I'm reaching out there to see if there are any best practices or recommendations in regards to servers and how to build out a successful Policy Rule plan to incorporate Reporting Only AND Blocking.

The intent is to have new servers enter the Report Only policy for a couple of weeks then transition them to a blocking/enforcement policy after that. The goal would be to automate this as much as possible but I understand there'd have to be some manual intervention.

Has this been done before by anyone else? Or are there other recommendations out there?

Thanks in advance!

dfalcon · ‎04-02-2020

Hi there,

To my knowledge, there is no best practice documentation out there that covers this. If it were me, I would leverage the report only mode for a few days on machines that are in active use. There are three main areas where I would focus. Malware, BTP, and Exploit. Malware is black and white - this gives you a chance for WIldFire and Local Analysis to make verdicts without doing prevention. Exploit, on the other hand is not so black and white; however, it is not as complicated as it was in the past. Out of the box, the product injects into commonly exploited processes and looks for different techniques. For the most part, these are tuned. If you elect to protect additional processes, reporting mode is important to see if you need to do any tuning. BTP is looking at causality chains -- or sequences of events -- to determine if a sequence of events is bad. Same goes here - I would leverage report mode for a few days to verify these scenarios.

All that being said, putting machines is report mode can show you what would have been prevented to allow you to tune prior to cutting over to block. If the machines are actively being used, I would leave them in report mode for only a few days.

David Falcon
Senior Solutions Architect, Cortex
Palo Alto Networks®

View solution in original post

dfalcon · ‎04-02-2020

Hi there,

To my knowledge, there is no best practice documentation out there that covers this. If it were me, I would leverage the report only mode for a few days on machines that are in active use. There are three main areas where I would focus. Malware, BTP, and Exploit. Malware is black and white - this gives you a chance for WIldFire and Local Analysis to make verdicts without doing prevention. Exploit, on the other hand is not so black and white; however, it is not as complicated as it was in the past. Out of the box, the product injects into commonly exploited processes and looks for different techniques. For the most part, these are tuned. If you elect to protect additional processes, reporting mode is important to see if you need to do any tuning. BTP is looking at causality chains -- or sequences of events -- to determine if a sequence of events is bad. Same goes here - I would leverage report mode for a few days to verify these scenarios.

All that being said, putting machines is report mode can show you what would have been prevented to allow you to tune prior to cutting over to block. If the machines are actively being used, I would leave them in report mode for only a few days.

David Falcon
Senior Solutions Architect, Cortex
Palo Alto Networks®

CraigV123 · ‎04-16-2020

This is great advice and I appreciate the response. I think this is sorta what we were gearing towards but I greatly appreciate the clarification on it.

Best practices to configure Policy Rules in regards to servers

Best practices to configure Policy Rules in regards to servers

Show your appreciation!