When you setup your security rule make it as tight as possible.
In this particular case I guess web-browsing would be the proper appid to use (look at http://apps.paloaltonetworks.com/applipedia/ for available appid's unless you have access to a PA-device) along with "application-default" as service (or even better set a manual port/ports for this, such as TCP80), like so:
appid: web-browsing
service: TCP80
action: allow
The above is plain SPI (stateful packet inspection, regarding the service option) with the addition of applicationfirewalling (regarding the appid option).
Now - for added security you should enable vulnerability protection aswell.
A common setup for vulnprotection is to use following setup:
critical: block
high: block
medium: block
low: default
informational: default
You can set low and informational to block aswell however default is the recommended in order to lower risk of false-positives (default means that default action (either allow or block) will be applied according to the default specificed by PA themselfs).
In order to find out if the IDP function of PA-device will be able to spot the vuln you linked to you can search in http://wwapps.paloaltonetworks.com/ThreatVault/
Since your link doesnt have CVE info I can only guess which of the following detectable threats is the one mentioned in your link:
34765 | JBoss Java Class BeanShellDeployer Directory Traversal Vulnerability | high | CVE-2006-5750CVE-2010-0738 |
34764 | JBoss Java Class MainDeployer Directory Traversal Vulnerability | high | CVE-2006-5750CVE-2010-0738 |
34763 | JBoss Server 7 Web Management Console War File Deployment | medium | |
34509 | JBoss Java Class Security Bypass Vulnerability | high | CVE-2010-0738 |
33561 | JBoss JMX Java Class DeploymentFileRepository Directory Traversal Vulnerability | high | CVE-2010-0738 |
33547 | JBoss JMX Console DeploymentFileRepository Directory Traversal Vulnerability | high | CVE-2010-0738 |
33268 | JBoss Java Class DeploymentFileRepository Directory Traversal Vulnerability | high | CVE-2006-5750CVE-2010-0738 |
You can click on each id to see a more detailed explanation of what the current vuln is about along with references etc.
Then you can take this a few steps further (depending on needs etc).
For example only allow identified users to be let through your PA-device (using userid function) or you can allow a particular sourceip (and if connected to internet you can also allow based on country or for that matter block specific countries (note however that geoip isnt foolproof but can be helpful to get rid of most of the bad hosts who tries to connect to your resources).
When you setup your security rule make it as tight as possible.
In this particular case I guess web-browsing would be the proper appid to use (look at http://apps.paloaltonetworks.com/applipedia/ for available appid's unless you have access to a PA-device) along with "application-default" as service (or even better set a manual port/ports for this, such as TCP80), like so:
appid: web-browsing
service: TCP80
action: allow
The above is plain SPI (stateful packet inspection, regarding the service option) with the addition of applicationfirewalling (regarding the appid option).
Now - for added security you should enable vulnerability protection aswell.
A common setup for vulnprotection is to use following setup:
critical: block
high: block
medium: block
low: default
informational: default
You can set low and informational to block aswell however default is the recommended in order to lower risk of false-positives (default means that default action (either allow or block) will be applied according to the default specificed by PA themselfs).
In order to find out if the IDP function of PA-device will be able to spot the vuln you linked to you can search in http://wwapps.paloaltonetworks.com/ThreatVault/
Since your link doesnt have CVE info I can only guess which of the following detectable threats is the one mentioned in your link:
34765 | JBoss Java Class BeanShellDeployer Directory Traversal Vulnerability | high | CVE-2006-5750CVE-2010-0738 |
34764 | JBoss Java Class MainDeployer Directory Traversal Vulnerability | high | CVE-2006-5750CVE-2010-0738 |
34763 | JBoss Server 7 Web Management Console War File Deployment | medium | |
34509 | JBoss Java Class Security Bypass Vulnerability | high | CVE-2010-0738 |
33561 | JBoss JMX Java Class DeploymentFileRepository Directory Traversal Vulnerability | high | CVE-2010-0738 |
33547 | JBoss JMX Console DeploymentFileRepository Directory Traversal Vulnerability | high | CVE-2010-0738 |
33268 | JBoss Java Class DeploymentFileRepository Directory Traversal Vulnerability | high | CVE-2006-5750CVE-2010-0738 |
You can click on each id to see a more detailed explanation of what the current vuln is about along with references etc.
Then you can take this a few steps further (depending on needs etc).
For example only allow identified users to be let through your PA-device (using userid function) or you can allow a particular sourceip (and if connected to internet you can also allow based on country or for that matter block specific countries (note however that geoip isnt foolproof but can be helpful to get rid of most of the bad hosts who tries to connect to your resources).
