6.8 Ensure a secure Vulnerability Protection Profile is applied to all security rules allowing traffic

Information

For any security rule allowing traffic, apply a securely configured Vulnerability Protection Profile. Careful analysis of the target environment should be performed before implementing this configuration, as outlined by PAN's 'Threat Prevention Deployment Tech Note' in the references section.
Rationale:
A Vulnerability Protection Profile helps to protect assets by alerting on, or blocking network attacks. By applying a secure Vulnerability Protection Profile to all security rules permitting traffic, all network traffic traversing the firewall will be inspected for attacks. This protects both organizational assets from attack and organizational reputation from damage.
Note that encrypted sessions do not allow for complete inspection.

Solution

Navigate to Policies > Security.
Under the Actions tab, select Vulnerability Protection.
Set it to use either the 'Strict' or the 'Default' profile.
Default Value:
Not Configured

See Also

https://workbench.cisecurity.org/files/1780

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-4(4), CSCv6|8.5, CSCv6|12.3

Plugin: Palo_Alto

Control ID: 9bce9de480d20d4c7761f187deb3b8f19d6132507d111fb1ceee4a7d33df1564