Threat Prevention Profiles
paloalto security threat-prevention profiles
Overview
Threat Prevention in Palo Alto consists of multiple profile types that work together to inspect and block malicious traffic.
| Profile Type | Purpose |
|---|---|
| Antivirus | Detects malware, viruses in files/traffic |
| Anti-Spyware | Detects spyware, C2 traffic, DNS-based threats |
| Vulnerability Protection | Blocks exploits against known CVEs |
| File Blocking | Controls file transfers by type |
| WildFire Analysis | Sandbox analysis of unknown files |
Profile Configuration
Antivirus Profile
CLI - View:
show profiles virus
show running security-policy
Recommended Actions:
| Decoder | Action | Notes |
|---|---|---|
| FTP | reset-both | Block malware over FTP |
| HTTP | reset-both | Block malware downloads |
| IMAP/POP3/SMTP | reset-both | Block email-borne malware |
| SMB | reset-both | Block lateral movement |
WildFire Integration:
- Forward unknown files to WildFire for analysis
- Set action for WildFire verdict
Anti-Spyware Profile
Severity-Based Actions:
| Severity | Recommended Action |
|---|---|
| Critical | reset-both, alert |
| High | reset-both, alert |
| Medium | reset-both or alert |
| Low | default or alert |
| Informational | default |
DNS Sinkhole: Enable to redirect DNS queries for known malicious domains:
set profiles spyware <name> botnet-domains sinkhole ipv4-address <sinkhole-ip>
set profiles spyware <name> botnet-domains sinkhole ipv6-address <sinkhole-ipv6>
Common sinkhole IPs:
- Palo Alto default:
72.5.65.111(sinkhole.paloaltonetworks.com) - Custom internal sinkhole for tracking
DNS Security Categories:
| Category | Description |
|---|---|
| Command and Control | Known C2 domains |
| Malware | Malware distribution |
| Phishing | Phishing sites |
| Dynamic DNS | DynDNS services (often abused) |
| Newly Registered Domains | Recently registered (< 32 days) |
| Grayware | Adware, PUPs |
Vulnerability Protection Profile
Severity-Based Actions:
| Severity | Recommended Action |
|---|---|
| Critical | reset-both, block-ip |
| High | reset-both |
| Medium | reset-both or default |
| Low | default |
| Informational | default |
CVE Exemptions: For false positives or specific business needs:
set profiles vulnerability <name> rules <rule-name> threat-id <ID> action allow
Block IP Feature: Automatically block source IP after attack detection:
- Track by: source, source-and-destination
- Duration: 60-3600 seconds
File Blocking Profile
Common Rules:
| File Type | Direction | Action | Use Case |
|---|---|---|---|
| exe, dll, scr | download | block | Prevent executable downloads |
| exe, dll, scr | upload | alert | Monitor exfiltration |
| bat, cmd, ps1 | both | block | Block scripts |
| torrent | both | block | Block P2P |
| encrypted-zip | both | alert | Monitor encrypted archives |
File Types of Interest:
| Category | Types |
|---|---|
| Executables | exe, dll, scr, msi, jar, class |
| Scripts | bat, cmd, ps1, vbs, js, hta |
| Documents | doc, docx, xls, xlsx, pdf (for WildFire) |
| Archives | zip, rar, 7z, tar, gz |
| Dangerous | torrent, encrypted-zip, encrypted-rar |
WildFire Analysis Profile
Forwarding Rules:
| Application | File Types | Direction |
|---|---|---|
| web-browsing | All supported | download |
| ftp | All supported | both |
| smtp | All supported | both |
Analysis Environment:
- Public Cloud: Files sent to Palo Alto WildFire
- Private Cloud (WF-500): On-premises analysis
- Hybrid: Sensitive files local, others public
Verdict Actions:
| Verdict | Recommended Action |
|---|---|
| Malware | reset-both |
| Grayware | alert (or reset-both) |
| Phishing | reset-both |
Security Profile Groups
Combine profiles into groups for easier policy attachment:
set profile-group <group-name> virus <av-profile>
set profile-group <group-name> spyware <as-profile>
set profile-group <group-name> vulnerability <vp-profile>
set profile-group <group-name> file-blocking <fb-profile>
set profile-group <group-name> wildfire-analysis <wf-profile>
Best Practice Groups:
| Group Name | Use Case | Profiles |
|---|---|---|
| Strict | High-security zones | All profiles, block actions |
| Standard | General internal | All profiles, alert on medium |
| Alert-Only | Monitoring/testing | All profiles, alert actions only |
CLI Commands
View Profiles
# List all profiles
show profiles virus
show profiles spyware
show profiles vulnerability
show profiles file-blocking
show profiles wildfire-analysis
# View specific profile
show profiles virus <name>
# Show profile groups
show profile-groupView Threat Logs
# Recent threat events
show log threat
# Filter by severity
show log threat severity critical
# Filter by action
show log threat action reset-both
# Filter by threat type
show log threat type virus
show log threat type spyware
show log threat type vulnerabilityThreat Statistics
# Threat summary
show threat statistics
# Top threats
show threat statistics top-threats
# By category
show threat statistics category virusTroubleshooting
Profile Not Applied
# Verify profile attached to rule
show running security-policy | match profile
# Check rule hit count
show rule-hit-count vsys <vsys> security rules allFalse Positives
-
Check threat ID in logs:
show log threat threatid <ID> -
Research threat ID:
-
Create exception if legitimate:
- Add threat-id exemption to profile
- Or create pre-rule to allow specific traffic
WildFire Not Analyzing
# Check WildFire connectivity
show wildfire status
# Check submission stats
show wildfire statistics
# Test WildFire
test wildfire registrationBest Practices
- Start with alert-only - Monitor before blocking
- Use profile groups - Easier management
- Enable logging on all - For visibility
- Review threat logs regularly - Tune based on findings
- Keep signatures updated - Dynamic updates enabled
- Enable DNS Security - Catch DNS-based threats
- Forward to WildFire - Unknown file analysis