Threat Prevention - IPS features

L2 Linker


Hi,

Can we enable IPS features on a particular sub-interface/zone in Palo Alto so that it gets applied to all traffic that enters through that particular sub-interface?

From the little reading which I did, I am seeing it as configuring it in security profiles and applying the profile under individual security policy.

I particularly ask for a sub-interface because the environment in which I am planning to implement IPS will have a single aggregated link through which all VLAN traffic would be sent/received.

I am new to Palo Alto and also to IPS and trying to figure out if there are any features for enabling IPS policies in a particular sub-interface.


Accepted Solutions
L4 Transporter

If you are referring to Security Profiles, those are only applied at the policy level. This is done so that you can have granular control of which profile is applied to specific traffic.

There are other policies that you can apply at the zone or interface level, Zone Protection Profiles and DoS protection, but those don't serve the same purpose.



All Replies
Cyber Elite

@MGRashmi,

By default you will be creating security profiles to allow any traffic to actually pass, which you would then include security profiles to trigger the IPS functions. If you happen to have a large amount of intrazone traffic in your environment where this doesn't necessarily stay true, you have two options.

1) Override the default intrazone-default policy to deny, and then build out the necessary security rulebase entries to allow this traffic while assigning security profiles to these rules.

2) If you don't wish to override the default policy to deny, you can still override the profile setting to utilize security profiles on the intrazone-default entry. 
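Added example (not part of the thread and not Palo Alto's own code): because profiles attach to rules rather than to a sub-interface or zone, one way to confirm that everything entering through a zone is inspected is to audit the rulebase for allow rules matching that zone that carry no Vulnerability Protection profile. The XML is constructed and assumes the layout of a PAN-OS configuration export; the zone, rule and profile names are invented, and a profile group is assumed to contain a vulnerability profile.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout of a PAN-OS XML config export; all names invented.
SAMPLE = """
<rulebase>
  <security><rules>
    <entry name="vlan10-to-dc">
      <from><member>vlan10</member></from><to><member>dc</member></to>
      <action>allow</action>
      <profile-setting><profiles>
        <vulnerability><member>strict</member></vulnerability>
      </profiles></profile-setting>
    </entry>
    <entry name="vlan10-to-inet">
      <from><member>vlan10</member></from><to><member>untrust</member></to>
      <action>allow</action>
    </entry>
    <entry name="block-guest">
      <from><member>guest</member></from><to><member>any</member></to>
      <action>deny</action>
    </entry>
  </rules></security>
  <default-security-rules><rules>
    <entry name="intrazone-default"><action>allow</action></entry>
  </rules></default-security-rules>
</rulebase>
"""

def has_ips(rule):
    """True if the rule names a vulnerability profile or a profile group
    (assumption: the group contains a vulnerability profile)."""
    ps = rule.find("profile-setting")
    return ps is not None and (ps.find("profiles/vulnerability/member") is not None
                               or ps.find("group/member") is not None)

def uninspected_allows(xml_text, zone):
    """Names of allow rules that can match traffic from `zone` without IPS."""
    root = ET.fromstring(xml_text)
    gaps = []
    for rule in root.iterfind(".//rules/entry"):
        if rule.findtext("action") != "allow" or has_ips(rule):
            continue
        src = {m.text for m in rule.iterfind("from/member")}
        # Entries without <from> (the default rules in this sample) apply to every zone.
        if not src or src & {zone, "any"}:
            gaps.append(rule.get("name"))
    return gaps

if __name__ == "__main__":
    print(uninspected_allows(SAMPLE, "vlan10"))
```

An empty result for a zone means every allow rule that can match its traffic has a profile attached, which is the per-zone coverage the original question was after.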

L2 Linker

Thanks for your response. I am now clear with the security profiles vs those that can be applied at zone level. 

L2 Linker

Thanks for clarifying regarding the usage of security policy at the intrazone level. 
