01-12-2012 07:23 PM
Just went through the PA administrator 4.1 guide and there isn't much regarding how to use the IPS/IDS system. I have a spare PA-200 at the shop and wanted to learn more on how to use the IPS/IDS system and Wildfire. Can someone direct me in the right direction?
RW
01-13-2012 02:28 PM
There is a good video on threat management that you can review: https://live.paloaltonetworks.com/videos/1068.
Thanks.
01-14-2012 03:20 PM
Admin Guide has some coverage, but here's a 12 minute video with some coverage on how to configure IPS, aka Vulnerability Protection profiles.
01-25-2013 07:52 AM
Is there any document on recommendations on enabling IPS on internal to internal zones? I've seen a lot of false positives using both default and strict. (as it's normal Windows type traffic...)
I was told one exists but can't find it.
01-27-2013 08:42 AM
Using IPS is a classic chicken race.
You will never get 0% false positives, so it depends whether you wish to protect your golden eggs (with a 95% or so probability of finding bad traffic) but at the same time risk that some good traffic will be blocked as well, or whether you want to allow all good traffic and by that allow 100% of bad traffic as well.
A good default setting to find most bad stuff and at the same time lower probability of false positives is to use this setup as a start:
critical: block
high: block
medium: block
low: default
information: default
and then actively monitor your logs to whitelist any verified false positives.
An example (in informational, which has default alert) is URLs in PDF files. Today not uncommon, but at the same time a high probability that a bad PDF will contain URLs. So blocking this would probably give you a high rate of false positives, but at the same time, if you know that NO PDFs within your organisation should contain URLs, then you could put this particular threat ID into block instead of alert.
As a starter you could of course put all levels to alert mode and then follow up each day to identify at least how many critical, high and medium threats you have today before you put them into block by default.
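As an added illustration of the "alert first, tally daily, then whitelist verified false positives" approach described in the reply above (example code, not from the original post or from Palo Alto Networks), the script below parses a constructed threat log, counts hits per severity, and flags signatures that fire repeatedly from several internal hosts on internal-to-internal traffic, which is the pattern worth verifying before moving a severity to block. The CSV column order, zone names and threat IDs 30000-30002 are assumptions for this example.

```python
import csv
from collections import defaultdict
from io import StringIO

# Starting actions per severity, as proposed in the reply above.
SEVERITY_ACTION = {"critical": "block", "high": "block", "medium": "block",
                   "low": "default", "informational": "default"}

# Constructed sample threat log (not real PAN-OS output); column order and
# the threat IDs are placeholders for this example.
SAMPLE_LOG = """\
time,src,dst,from_zone,to_zone,threat_id,threat_name,severity,action
2013-01-27T09:00:01,10.1.1.5,10.1.2.10,trust,trust,30000,SMB Fragment Packet Found,medium,alert
2013-01-27T09:00:05,10.1.1.6,10.1.2.10,trust,trust,30000,SMB Fragment Packet Found,medium,alert
2013-01-27T09:01:12,10.1.1.7,10.1.2.11,trust,trust,30000,SMB Fragment Packet Found,medium,alert
2013-01-27T09:02:40,10.1.1.5,10.1.2.20,trust,trust,30001,ASP.NET Info Leak Brute-force attempt,high,alert
2013-01-27T09:03:02,10.1.1.8,10.1.2.20,trust,trust,30001,ASP.NET Info Leak Brute-force attempt,high,alert
2013-01-27T09:03:30,10.1.1.9,10.1.2.20,trust,trust,30001,ASP.NET Info Leak Brute-force attempt,high,alert
2013-01-27T10:15:00,203.0.113.7,10.1.2.30,untrust,dmz,30002,Example Exploit Attempt,critical,alert
"""

def parse_threat_log(text):
    """Parse CSV threat log text into one dict per hit."""
    return list(csv.DictReader(StringIO(text)))

def count_by_severity(rows):
    """Daily tally of hits per severity, to review before switching to block."""
    counts = defaultdict(int)
    for r in rows:
        counts[r["severity"]] += 1
    return dict(counts)

def review_signatures(rows, internal_zones=("trust",), min_hits=3, min_sources=2):
    """Per threat ID: proposed action from the severity table, plus a flag for
    signatures seen only on internal-to-internal traffic, repeatedly and from
    several hosts: likely benign Windows chatter to verify and whitelist."""
    stats = {}
    for r in rows:
        s = stats.setdefault(r["threat_id"], {
            "name": r["threat_name"], "severity": r["severity"],
            "hits": 0, "sources": set(), "internal_only": True})
        s["hits"] += 1
        s["sources"].add(r["src"])
        if not (r["from_zone"] in internal_zones and r["to_zone"] in internal_zones):
            s["internal_only"] = False
    for s in stats.values():
        s["proposed_action"] = SEVERITY_ACTION[s["severity"]]
        s["verify_before_block"] = (s["internal_only"] and s["hits"] >= min_hits
                                    and len(s["sources"]) >= min_sources)
    return stats
```

Run daily against the exported threat log while everything is still on alert; the flagged threat IDs are the ones to check against known-good hosts before the severity they belong to is moved to block.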
01-28-2013 01:52 AM
Wish it was that simple. What I was looking for is a more granular paper on how to best implement IPS in an internal environment. What I would see if I did the above recommendation would be a lot of traffic blocked; why, I'm not sure, but I see a lot of "brute force" attempts which aren't actually brute force attempts (Windows and SharePoint, SMB Fragment Packet Found + Microsoft ASP .NET Information Leak Brute-force attempt).
If there isn't a white paper on it, I'm guessing I've got to create a blank paper and work from there. Was hoping that it wasn't going to be that work intense to get a basic cover.
Cheers
A.
01-28-2013 10:41 AM
If you use these settings nothing will be blocked but you would need to look through your logs to find the bad traffic:
critical: alert
high: alert
medium: alert
low: alert
information: alert