6.7 Ensure a secure Vulnerability Protection Profile is applied to all security rules allowing traffic

Information

For any security rule that allows traffic, apply a securely configured Vulnerability Protection Profile. Analyze the target environment carefully before deploying this configuration, as outlined in Palo Alto Networks' 'Threat Prevention Deployment Tech Note' in the references section.

Rationale:

A Vulnerability Protection Profile protects assets by alerting on or blocking network attacks. Applying a secure Vulnerability Protection Profile to every security rule that permits traffic ensures that all traffic the firewall allows is inspected for exploit attempts. This protects organizational assets from attack and the organization's reputation from damage.

Note that encrypted sessions cannot be fully inspected unless the firewall is also configured to decrypt them.

Impact:

Without a Vulnerability Protection Profile, network attacks carried in permitted traffic will not be logged, alerted on, or blocked.

Solution

Navigate to Policies > Security.
For each security rule that allows traffic, open the Actions tab and locate Vulnerability Protection.
Set it to the built-in 'Strict' or 'Default' profile, or to a custom profile that complies with the organization's policies and its legal and regulatory requirements.
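The following script is an added example, not part of this audit item or of Palo Alto Networks' own tooling. It implements the check behind this control against a PAN-OS XML configuration export: every security rule whose action is allow must carry an accepted Vulnerability Protection Profile, either directly or through the Security Profile Group attached to the rule. The sample configuration embedded in the script is constructed for the example, and the accepted-profile set and the group and rule names are assumptions; the PAN-OS configure-mode command syntax it emits should be verified against the release in use before committing.

```python
"""Audit a PAN-OS security rulebase for allow rules that lack an accepted
Vulnerability Protection Profile, directly or via a Security Profile Group.
The embedded configuration is constructed for this example."""
import xml.etree.ElementTree as ET

# Built-in PAN-OS profiles the control accepts. Add the names of approved
# custom profiles (an organisation-specific assumption) to this set.
ACCEPTED_PROFILES = frozenset({"strict", "default"})

# Constructed sample of a PAN-OS XML configuration export, trimmed to the
# elements this audit reads: profile groups and the security rulebase.
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <profile-group>
      <entry name="grp-hardened"><vulnerability><member>strict</member></vulnerability></entry>
      <entry name="grp-av-only"><virus><member>default</member></virus></entry>
    </profile-group>
    <rulebase><security><rules>
      <entry name="web-out"><action>allow</action>
        <profile-setting><profiles><vulnerability><member>strict</member></vulnerability></profiles></profile-setting>
      </entry>
      <entry name="dns-out"><action>allow</action></entry>
      <entry name="legacy-app"><action>allow</action>
        <profile-setting><profiles><vulnerability><member>alert-only</member></vulnerability></profiles></profile-setting>
      </entry>
      <entry name="vpn-in"><action>allow</action>
        <profile-setting><group><member>grp-hardened</member></group></profile-setting>
      </entry>
      <entry name="mail-in"><action>allow</action>
        <profile-setting><group><member>grp-av-only</member></group></profile-setting>
      </entry>
      <entry name="block-bad"><action>deny</action></entry>
    </rules></security></rulebase>
  </entry></vsys></entry></devices>
</config>"""


def _profile_groups(root):
    """Map Security Profile Group name -> its vulnerability profile, or None."""
    groups = {}
    for grp in root.iterfind(".//profile-group/entry"):
        member = grp.findtext("vulnerability/member")
        groups[grp.get("name")] = member.strip() if member else None
    return groups


def audit_rulebase(config_xml, accepted=ACCEPTED_PROFILES):
    """Return one (rule, status, profile, group) tuple per security rule.

    status: 'ok'      allow rule with an accepted vulnerability profile
            'weak'    allow rule whose profile is not in `accepted`
            'missing' allow rule with no vulnerability profile at all
            'skipped' rule that does not permit traffic, or is disabled
    """
    root = ET.fromstring(config_xml)
    groups = _profile_groups(root)
    findings = []
    for rule in root.iterfind(".//rulebase/security/rules/entry"):
        name = rule.get("name")
        # A rule with no explicit <action> is treated as allowing traffic so
        # the audit fails safe instead of silently passing it.
        action = (rule.findtext("action") or "allow").strip()
        disabled = (rule.findtext("disabled") or "no").strip() == "yes"
        if action != "allow" or disabled:
            findings.append((name, "skipped", None, None))
            continue
        group = rule.findtext("profile-setting/group/member")
        group = group.strip() if group else None
        if group is not None:
            profile = groups.get(group)  # resolve through the attached group
        else:
            profile = rule.findtext("profile-setting/profiles/vulnerability/member")
            profile = profile.strip() if profile else None
        if profile is None:
            status = "missing"
        elif profile in accepted:
            status = "ok"
        else:
            status = "weak"
        findings.append((name, status, profile, group))
    return findings


def remediation_commands(findings, profile="strict"):
    """PAN-OS configure-mode commands that attach `profile` to each failing rule.

    A rule bound to a Security Profile Group is fixed in the group, because
    'profiles' and 'group' are alternatives inside profile-setting.
    """
    cmds = set()
    for name, status, _, group in findings:
        if status not in ("missing", "weak"):
            continue
        if group is not None:
            cmds.add(f'set profile-group "{group}" vulnerability {profile}')
        else:
            cmds.add(f'set rulebase security rules "{name}" '
                     f'profile-setting profiles vulnerability {profile}')
    return sorted(cmds)  # one command per group even if several rules share it


if __name__ == "__main__":
    results = audit_rulebase(SAMPLE_CONFIG)
    for rule, status, prof, grp in results:
        print(f"{rule:12} {status:8} profile={prof} group={grp}")
    print("\n".join(remediation_commands(results)))
```

Run against a real export, the script reports every allow rule that is 'missing' or 'weak' and prints the commands that would bring it into compliance; review the 'weak' findings rather than blindly replacing them, since a custom profile that is not in the accepted set may still satisfy the organization's policy.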

Default Value:

Not Configured

See Also

https://workbench.cisecurity.org/benchmarks/17915

Item Details

Category: RISK ASSESSMENT

References: 800-53|RA-5, CSCv7|3.1

Plugin: Palo_Alto

Control ID: fc295c999eaa960cdcb3cf09bd9cb3fd4202a14c532152476eaf149f66ae8818