Threat Prevention Profiles

paloalto security threat-prevention profiles


Overview

Threat Prevention in Palo Alto consists of multiple profile types that work together to inspect and block malicious traffic.

Profile TypePurpose
AntivirusDetects malware, viruses in files/traffic
Anti-SpywareDetects spyware, C2 traffic, DNS-based threats
Vulnerability ProtectionBlocks exploits against known CVEs
File BlockingControls file transfers by type
WildFire AnalysisSandbox analysis of unknown files

Profile Configuration

Antivirus Profile

CLI - View:

show profiles virus
show running security-policy

Recommended Actions:

DecoderActionNotes
FTPreset-bothBlock malware over FTP
HTTPreset-bothBlock malware downloads
IMAP/POP3/SMTPreset-bothBlock email-borne malware
SMBreset-bothBlock lateral movement

WildFire Integration:

  • Forward unknown files to WildFire for analysis
  • Set action for WildFire verdict

Anti-Spyware Profile

Severity-Based Actions:

SeverityRecommended Action
Criticalreset-both, alert
Highreset-both, alert
Mediumreset-both or alert
Lowdefault or alert
Informationaldefault

DNS Sinkhole: Enable to redirect DNS queries for known malicious domains:

set profiles spyware <name> botnet-domains sinkhole ipv4-address <sinkhole-ip>
set profiles spyware <name> botnet-domains sinkhole ipv6-address <sinkhole-ipv6>

Common sinkhole IPs:

  • Palo Alto default: 72.5.65.111 (sinkhole.paloaltonetworks.com)
  • Custom internal sinkhole for tracking

DNS Security Categories:

CategoryDescription
Command and ControlKnown C2 domains
MalwareMalware distribution
PhishingPhishing sites
Dynamic DNSDynDNS services (often abused)
Newly Registered DomainsRecently registered (< 32 days)
GraywareAdware, PUPs

Vulnerability Protection Profile

Severity-Based Actions:

SeverityRecommended Action
Criticalreset-both, block-ip
Highreset-both
Mediumreset-both or default
Lowdefault
Informationaldefault

CVE Exemptions: For false positives or specific business needs:

set profiles vulnerability <name> rules <rule-name> threat-id <ID> action allow

Block IP Feature: Automatically block source IP after attack detection:

  • Track by: source, source-and-destination
  • Duration: 60-3600 seconds

File Blocking Profile

Common Rules:

File TypeDirectionActionUse Case
exe, dll, scrdownloadblockPrevent executable downloads
exe, dll, scruploadalertMonitor exfiltration
bat, cmd, ps1bothblockBlock scripts
torrentbothblockBlock P2P
encrypted-zipbothalertMonitor encrypted archives

File Types of Interest:

CategoryTypes
Executablesexe, dll, scr, msi, jar, class
Scriptsbat, cmd, ps1, vbs, js, hta
Documentsdoc, docx, xls, xlsx, pdf (for WildFire)
Archiveszip, rar, 7z, tar, gz
Dangeroustorrent, encrypted-zip, encrypted-rar

WildFire Analysis Profile

Forwarding Rules:

ApplicationFile TypesDirection
web-browsingAll supporteddownload
ftpAll supportedboth
smtpAll supportedboth

Analysis Environment:

  • Public Cloud: Files sent to Palo Alto WildFire
  • Private Cloud (WF-500): On-premises analysis
  • Hybrid: Sensitive files local, others public

Verdict Actions:

VerdictRecommended Action
Malwarereset-both
Graywarealert (or reset-both)
Phishingreset-both

Security Profile Groups

Combine profiles into groups for easier policy attachment:

set profile-group <group-name> virus <av-profile>
set profile-group <group-name> spyware <as-profile>
set profile-group <group-name> vulnerability <vp-profile>
set profile-group <group-name> file-blocking <fb-profile>
set profile-group <group-name> wildfire-analysis <wf-profile>

Best Practice Groups:

Group NameUse CaseProfiles
StrictHigh-security zonesAll profiles, block actions
StandardGeneral internalAll profiles, alert on medium
Alert-OnlyMonitoring/testingAll profiles, alert actions only

CLI Commands

View Profiles

# List all profiles
show profiles virus
show profiles spyware
show profiles vulnerability
show profiles file-blocking
show profiles wildfire-analysis
 
# View specific profile
show profiles virus <name>
 
# Show profile groups
show profile-group

View Threat Logs

# Recent threat events
show log threat
 
# Filter by severity
show log threat severity critical
 
# Filter by action
show log threat action reset-both
 
# Filter by threat type
show log threat type virus
show log threat type spyware
show log threat type vulnerability

Threat Statistics

# Threat summary
show threat statistics
 
# Top threats
show threat statistics top-threats
 
# By category
show threat statistics category virus

Troubleshooting

Profile Not Applied

# Verify profile attached to rule
show running security-policy | match profile
 
# Check rule hit count
show rule-hit-count vsys <vsys> security rules all

False Positives

  1. Check threat ID in logs:

    show log threat threatid <ID>
  2. Research threat ID:

  3. Create exception if legitimate:

    • Add threat-id exemption to profile
    • Or create pre-rule to allow specific traffic

WildFire Not Analyzing

# Check WildFire connectivity
show wildfire status
 
# Check submission stats
show wildfire statistics
 
# Test WildFire
test wildfire registration

Best Practices

  1. Start with alert-only - Monitor before blocking
  2. Use profile groups - Easier management
  3. Enable logging on all - For visibility
  4. Review threat logs regularly - Tune based on findings
  5. Keep signatures updated - Dynamic updates enabled
  6. Enable DNS Security - Catch DNS-based threats
  7. Forward to WildFire - Unknown file analysis