I am trying to understand the meaning of the default critical vulnerability action "Alert". This question was brought up by management who gets the PAN Content Update email and I want to give them an accurate answer.
For example, Adobe Flash Player Memory Corruption ID 38112 is rated as critical and, as most critical vulnerabilities, the default action is "Alert".
If I look up ID 38112 in the Vulnerability Protection Default profile the rule associated with it is "simple-client-critical" with default action Alert. The "simple-client-critical" rule itself has an action of Default. Does this mean that for anyone using the Default profile no action other than alerting would take place? In other words, they might think the PA is protecting when it's only alerting on the vulnerability?
I use my own Vulnerability Profile Rule where "simple-client-critical" has an action of "Block". This means that ID 38112 is blocked even though the email says the default action is "Alert", correct?
The Palo Alto profiles have two offerings out of the box, default and strict. From these you can also create custom profiles with actions that you prefer. These are the top level that apply then to all signatures. You assign this profile to a rule for actions to actually occur.
Objects > Security Profiles
Inside a custom profile you can also override the action selected by Palo Alto as the default action for more granular control.
The basic concept of these two profiles is that default will virtually NEVER have a false positive blocking of traffic, while strict enables a strong security posture to keep even suspected threats out.
When you choose default then you need to review and analyze reports on the alerts. And then investigate the potential issues.
When you choose strict you may get a higher volume of help desk calls, some from the false positives. But also expect people who had actual threats blocked to call and request them be let through.
So from a workflow and business perspective each organization can choose which model to use and understand where resources will be needed. Those with a low tolerance for false positives and help desk calls start with default. After you investigate a number of reports you can start changing the custom default action on threats you are very comfortable outright blocking for that network in your custom profile.
Those with the higher security posture work the opposite way. Based on help desk calls you change blocking actions to alert in your custom profile by signature.
Either method can work for you as long as you commit to the correct workflow.
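To make the resolution order discussed in this thread concrete (exception by threat ID, then the first matching profile rule, where a rule action of "default" defers to the signature's own default action), here is a small model of that logic as an added example. It is constructed for this thread and is not Palo Alto code: rules match on severity only, the action labels are the ones used above, and the signature data for ID 38112 is taken from the question.

```python
# Simplified model of how a Vulnerability Protection profile resolves the
# effective action for a signature. Constructed example, not PAN-OS code:
# real rules also match on host type, category, CVE and vendor ID.
from dataclasses import dataclass, field


@dataclass
class Signature:
    threat_id: int
    name: str
    severity: str
    default_action: str  # the "default action" quoted in the content-update mail


@dataclass
class ProfileRule:
    name: str
    severities: tuple
    action: str  # "default" means defer to the signature's own default action


@dataclass
class Profile:
    name: str
    rules: list
    exceptions: dict = field(default_factory=dict)  # threat_id -> action override


def effective_action(profile: Profile, sig: Signature) -> str:
    """Exceptions win; otherwise the first rule matching the severity applies;
    an action of 'default' resolves to the signature's default action."""
    if sig.threat_id in profile.exceptions:
        return profile.exceptions[sig.threat_id]
    for rule in profile.rules:
        if sig.severity in rule.severities:
            return sig.default_action if rule.action == "default" else rule.action
    return "allow"  # no rule matched: nothing in this profile inspects for it


def alert_only(profile: Profile, sigs: list) -> list:
    """Threat IDs that this profile only alerts on; the list to hand management."""
    return [s.threat_id for s in sigs if effective_action(profile, s) == "alert"]


# Signature from the question; severity and default action as stated in the thread.
FLASH_38112 = Signature(38112, "Adobe Flash Player Memory Corruption", "critical", "alert")

# Out-of-the-box default profile: rule action "default" -> falls through to "alert".
DEFAULT_PROFILE = Profile("default", [ProfileRule("simple-client-critical", ("critical",), "default")])
# Custom profile from the question: the same rule set to "block" overrides the signature default.
CUSTOM_PROFILE = Profile("custom", [ProfileRule("simple-client-critical", ("critical",), "block")])
# Custom profile with a per-signature exception (constructed): exception beats the rule.
EXCEPTED_PROFILE = Profile("custom-exc", CUSTOM_PROFILE.rules, exceptions={38112: "alert"})
```

Running `effective_action(DEFAULT_PROFILE, FLASH_38112)` returns "alert" while the custom profile returns "block", which is the answer to the question as asked.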