Selecting Appropriate Security Profile

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

Selecting Appropriate Security Profile

L1 Bithead

I am planning to make a group profile of security profiles which include, Vulnerability protection , antivirus , anti spyware and wildfire analysis profile. I am planning to provide same group for every policy in firewall. I have few questions on this approach.

1. Is this a good practice , Do calling this group for every policy will increase firewall processing time, as the group contains lot of security profile?

2. Suppose vulnerability protection profile has wide verity of security scanning in it. Some are for Web traffic or some are for DB traffic. The security group I provided for every rule is same. Hence do firewall will scan web vulnerabilities for DB traffic as well. Or do the firewall has the intelligence to scan only scan what in scope. or simply ignore unnecessary check even though it is included in rule profile?

 

 

 

1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

Hello there.


It is recommended to apply a group profile to all rules that are allowed (no need to do it for drop/discard policies)
I would recommend you name the group to be called "default", so that when you create new policies, the FW will automatically associate that "default" group profile into your new rule. May not save too much time, but a few seconds is good. 😛

 

The FW is intelligent to scan what is in scope and ignore what is not needed.

Help the community: Like helpful comments and mark solutions

View solution in original post

2 REPLIES 2

Cyber Elite
Cyber Elite

Hello there.


It is recommended to apply a group profile to all rules that are allowed (no need to do it for drop/discard policies)
I would recommend you name the group to be called "default", so that when you create new policies, the FW will automatically associate that "default" group profile into your new rule. May not save too much time, but a few seconds is good. 😛

 

The FW is intelligent to scan what is in scope and ignore what is not needed.

Help the community: Like helpful comments and mark solutions

Hi @SCantwell_IM ,

Thank you so much.  This helped.

  • 1 accepted solution
  • 864 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!