05-05-2015 06:06 AM
Is anyone using the threat prevention subscription and how are they configuring it? I know that there are things I want to block but currently I have only set it to alert. What is the best way to configure the security profiles to get the best result?
05-05-2015 11:42 PM
Hi
Did you read https://live.paloaltonetworks.com/docs/DOC-3094 ?
Please also think about "Tips & Tricks: Using DNS Sinkhole to find Malicious Clients",
and of course CVE-2015-1635, and SSL decryption - is it needed?
My Vulnerability Protection Profile looks like:
and it's attached to the security policy that allows users access to the internet.
Regards
Slawek
05-06-2015 05:29 AM
Thanks, yes, I read that documentation, and thanks for sharing your configuration with me. Have you had any issues with blocking false positives?
05-06-2015 05:56 AM
I'm glad that I can help you.
Of course, yes, I have. This is a normal situation - you must consider it. Read this community and you will see from time to time people complaining about updates that were replaced within a couple of hours by a new version, and so on.
Regards
Slawek
05-06-2015 06:45 AM
Hi,
In my experience, I found it easier to configure a more aggressive profile for the DMZ because the traffic is much more predictable than what I see coming from inside the network. I work in a university and students use a lot of applications. Putting the action to alert is a good way to start. Eventually, you will see in the logs what you really want to block.
Benjamin
05-06-2015 06:53 AM
I work at a university too. I haven't really focused on the DMZ; I'm just trying to start testing the best method to approach threat prevention. Just curious, what in the logs keyed you in on what to block?
05-10-2015 07:40 PM
I have a daily report of all the threats and their repeat count. I focus mostly on the critical and high severity threats, and I tend to spend more time on exploit kits and command and control traffic. I enable packet capture for most threats, so I can more easily find out if it's a false positive or not. I also like to tune the brute-force attack settings to block attackers while letting legitimate users in.
Benjamin
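The triage workflow Benjamin describes (a daily report with repeat counts, critical/high first, extra attention on exploit-kit and command-and-control signatures, and brute-force thresholds tuned so that only sources exceeding N hits in T seconds get blocked) can be reproduced offline from an exported threat log. The script below is an added example, not code from the original thread or from Palo Alto Networks. The sample log is constructed, and its column layout (receive_time, severity, threat_id, threat_name, category, action, src, dst) is a simplification chosen for the example; a real PAN-OS threat log export has many more columns, so map the field names to your own export before using it.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample threat log. Column names are an assumption for this
# example, not the firewall's export schema; threat IDs and names are made up.
SAMPLE_THREAT_LOG = """\
receive_time,severity,threat_id,threat_name,category,action,src,dst
2015/05/10 08:01:12,critical,30001,Example Exploit Kit Landing Page,exploit-kit,alert,10.1.1.20,203.0.113.10
2015/05/10 08:03:40,critical,30001,Example Exploit Kit Landing Page,exploit-kit,alert,10.1.1.21,203.0.113.10
2015/05/10 08:05:02,high,30002,Example C2 Beacon,command-and-control,alert,10.1.1.20,198.51.100.5
2015/05/10 09:11:09,high,30002,Example C2 Beacon,command-and-control,alert,10.1.1.20,198.51.100.5
2015/05/10 09:12:30,high,30002,Example C2 Beacon,command-and-control,alert,10.1.1.22,198.51.100.5
2015/05/10 10:00:00,medium,30003,Example Brute Force Login Attempt,brute-force,alert,192.0.2.44,10.1.1.5
2015/05/10 10:00:03,medium,30003,Example Brute Force Login Attempt,brute-force,alert,192.0.2.44,10.1.1.5
2015/05/10 11:30:15,informational,30004,Example Scanner Fingerprint,info-leak,alert,192.0.2.99,10.1.1.5
2015/05/10 12:45:55,low,30005,Example Suspicious User-Agent,spyware,alert,10.1.1.23,203.0.113.77
"""

# Severities reviewed first, and categories that jump the queue regardless of count.
FOCUS_SEVERITIES = {"critical", "high"}
FOCUS_CATEGORIES = {"exploit-kit", "command-and-control"}
TIME_FMT = "%Y/%m/%d %H:%M:%S"


def parse_threat_log(text):
    """Parse the CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def repeat_counts(rows):
    """Hits per signature: the 'repeat count' column of a daily report."""
    return Counter(
        (r["threat_id"], r["threat_name"], r["severity"], r["category"]) for r in rows
    )


def triage(rows):
    """Critical/high signatures, focus categories first, then by repeat count."""
    items = []
    for (tid, name, sev, cat), n in repeat_counts(rows).items():
        if sev in FOCUS_SEVERITIES:
            items.append({"threat_id": tid, "threat_name": name, "severity": sev,
                          "category": cat, "count": n,
                          "priority": cat in FOCUS_CATEGORIES})
    items.sort(key=lambda i: (not i["priority"], -i["count"], i["threat_id"]))
    return items


def unique_sources(rows, threat_id):
    """Distinct sources that tripped a signature. One chatty host suggests a
    false positive worth a packet capture; many hosts suggests real spread."""
    return sorted({r["src"] for r in rows if r["threat_id"] == threat_id})


def brute_force_offenders(rows, threshold, window_seconds):
    """Sources with at least `threshold` brute-force hits inside any
    `window_seconds` window. This mirrors the hits-per-interval threshold a
    brute-force signature fires on: raise it until legitimate users who
    mistype a password a few times no longer appear here."""
    by_src = defaultdict(list)
    for r in rows:
        if r["category"] == "brute-force":
            by_src[r["src"]].append(datetime.strptime(r["receive_time"], TIME_FMT))
    window = timedelta(seconds=window_seconds)
    offenders = []
    for src, times in by_src.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                offenders.append(src)
                break
    return sorted(offenders)


if __name__ == "__main__":
    rows = parse_threat_log(SAMPLE_THREAT_LOG)
    for item in triage(rows):
        flag = "*" if item["priority"] else " "
        print(f"{flag} {item['severity']:<9} {item['count']:>3}x "
              f"{item['threat_id']} {item['threat_name']} [{item['category']}] "
              f"sources={unique_sources(rows, item['threat_id'])}")
    print("brute-force offenders (2 hits / 10 s):", brute_force_offenders(rows, 2, 10))
```

Run it daily against the previous day's export: signatures at the top of the list with many distinct sources are the candidates to move from alert to block; a single high-count source is the one to verify with a packet capture before changing the action.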
05-11-2015 05:58 AM
I will try that, thanks.