Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Threat prevention subscription

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Threat prevention subscription

L4 Transporter

Is anyone using the threat prevention subscription and how are they configuring it?  I know that there are things I want to block but currently I have only set it to alert. What is the best way to configure the security profiles to get the best result?

7 REPLIES 7

L4 Transporter

Hi

Did You read https://live.paloaltonetworks.com/docs/DOC-3094

Please also think about Tips & Tricks: Using DNS Sinkhole to find Malicious Clients

How to Configure DNS Sinkhole

and of course CVE-2015-1635 and SSL decryption - is needed?

My Volnureability Ptorection Profile looks like:

2015-05-06_084113.png

and it's atached to security policy that allow users access to internet.

Regards

Slawek

Thanks yes I read that documentation and thanks for sharing the configuration of yours with me. Have you had any issues with blocking false positives

I'm glad that I can help You.

Of course yes I had. This is normal situation - You must consider it. Read this community and You will see from time to time peopleas complaining about updates that was replaced in couples of hours by new version and so on.

Regards

Slawek

L4 Transporter

Hi,

In my experience, I found it easier to configure a more aggressive profile for the DMZ because the traffic is much more predictable than what I see coming from inside the network. I work in a university and students use a lot of applications. Putting the action to alert is a good way to start. Eventually, you will see in the logs what you really want to block.

Benjamin

I took work at a university haven't really focused on the DMZ just trying to start the testing of the best method to approach the threat prevention. Just curious what In the logs keyed you in on what to block?

I have a daily report of all the threats and their repeat count. I focus mostly on the critical and high severity threats, and I tend to spend more time on exploit kits and command and control traffic. I enable packet capture for most threats, so I can more easily find out if it's a false positive or not. I also like to tune the brute-force attack settings to block attackers while letting legitimate users in.

Benjamin

I will try that thanks

  • 2981 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!