Getting Started with Best Practices Templates

Reply
Highlighted
L2 Linker

Getting Started with Best Practices Templates

Hi 2 all

 

I am trying to create best practice for Vulnerability Protection and Anti-Spyware Profile with extended packet capture as desribed in

https://www.paloaltonetworks.com/documentation/81/best-practices/best-practices-internet-gateway/bes...

 

But i received warning message:

 

Operation

Commit

Status

Completed

Result

Successful

Details

  • Configuration committed successfully

Warnings

  • Warning: The action is block for rule "simple-critical" in anti-spyware profile "Best-practice and sinkhole" with extended packet capture enabled. Only the first packet will be captured.
  • Warning: The action is block for rule "simple-high" in anti-spyware profile "Best-practice and sinkhole" with extended packet capture enabled. Only the first packet will be captured.
  • Warning: The action is block for rule "simple-medium" in anti-spyware profile "Best-practice and sinkhole" with extended packet capture enabled. Only the first packet will be captured.

 

  • Warning: The action is block for rule "simple-client-critical" in vulnerability profile "Best Practice Vuln Strict Pcap" with extended packet capture enabled. Only the first packet will be captured.
  • Warning: The action is block for rule "simple-client-high" in vulnerability profile "Best Practice Vuln Strict Pcap" with extended packet capture enabled. Only the first packet will be captured.
  • Warning: The action is block for rule "simple-client-medium" in vulnerability profile "Best Practice Vuln Strict Pcap" with extended packet capture enabled. Only the first packet will be captured.
  • Warning: The action is block for rule "simple-server-critical" in vulnerability profile "Best Practice Vuln Strict Pcap" with extended packet capture enabled. Only the first packet will be captured.
  • Warning: The action is block for rule "simple-server-high" in vulnerability profile "Best Practice Vuln Strict Pcap" with extended packet capture enabled. Only the first packet will be captured.
  • Warning: The action is block for rule "simple-server-medium" in vulnerability profile "Best Practice Vuln Strict Pcap" with extended packet capture enabled. Only the first packet will be captured.
  • (Module: device)

 

Can you explain, what is wrong?


Accepted Solutions
Highlighted
Cyber Elite

Hello,

So here are my insights:

 

1. Warning should be expected when Commit?

It depends on what is configured. What the PAN does is go over the config as a self check to make sure the config is valid. For example I get a lot of these due to application dependancies. What the PAN expects is that the dependand app is in the same policy however it could be further down the list so its just a warning.

 

2. Error in the document or mismatch of versions  (8.0, not 8.1), restriction for VM-versions?

Couldt be, it would be best to open a tac case to be sure however.


3. Do I actually need extended packet capture?

It depends. Do you have a corporate need to review what is blocked at a packet level, if so then yes this will help? For us we do not have that need so we dont do the pcaps at all. If we need to we can change it at a later time. I would read up on the difference in the actions. We have ours set to Block-ip for 3600, so if we get attacked by something the PAN knows, it will block the source IP for 1 hour. I only have this enabled externally however since we could inadvertantly block legit internal traffic.

 

I hope this helps!

View solution in original post


All Replies
Highlighted
Cyber Elite

Hello,

Since the configuration committed successfully, everything looks OK from the PAN standpoint. However the reason for the additional messages is that you have extended packet capture enabled but the policy is set to block. These are not really compatible since its going to capture the first packet because the rest of them are getting blocked. If you disable the extended packet capture on the polices that are medium and higher, these warning will go away.

 

Regards,

Highlighted
L2 Linker

Thank you, Otakar.Klier

 

>If you disable the extended packet capture on the polices that are medium and higher, these warning will go away.

It works.

But i don't understand something.

In the document that I quoted, reset-both is recommended, not block.
Security Policy with these profiles allows traffic.

 

For example:

Warning: The action is block for rule "simple-critical" in anti-spyware profile "Best-practice and sinkhole" with extended packet capture enabled. Only the first packet will be captured.

 

Action is not block, but reset-both.

 

 Anti-Spyware.JPG

 

Settings are made according to the manual.

 

1. Warning should be expected when Commit?

2. Error in the document or mismatch of versions  (8.0, not 8.1), restriction for VM-versions?
3. Do I actually need extended packet capture?

Highlighted
Cyber Elite

Hello,

So here are my insights:

 

1. Warning should be expected when Commit?

It depends on what is configured. What the PAN does is go over the config as a self check to make sure the config is valid. For example I get a lot of these due to application dependancies. What the PAN expects is that the dependand app is in the same policy however it could be further down the list so its just a warning.

 

2. Error in the document or mismatch of versions  (8.0, not 8.1), restriction for VM-versions?

Couldt be, it would be best to open a tac case to be sure however.


3. Do I actually need extended packet capture?

It depends. Do you have a corporate need to review what is blocked at a packet level, if so then yes this will help? For us we do not have that need so we dont do the pcaps at all. If we need to we can change it at a later time. I would read up on the difference in the actions. We have ours set to Block-ip for 3600, so if we get attacked by something the PAN knows, it will block the source IP for 1 hour. I only have this enabled externally however since we could inadvertantly block legit internal traffic.

 

I hope this helps!

View solution in original post

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!