6.2 Ensure a secure antivirus profile is applied to all relevant security policies

Information

Create a secure antivirus profile and apply it to all security policies that could pass HTTP, SMTP, IMAP, POP3, FTP, or SMB traffic. The antivirus profile may be applied to the security policies directly or through a profile group.

Rationale:
By applying a secure antivirus profile to all applicable traffic, the threat of malware propagation through the firewall is greatly reduced. Without an antivirus profile assigned to any potential hostile zone, the first protection in the path against malware is removed, leaving in most cases only the desktop endpoint protection application to detect and remediate any potential malware.

Solution

Navigate to Objects > Security Profiles > Antivirus Policies > Security.
Set an Antivirus profile for all security policies passing traffic - regardless of protocol.
Ensure each Decoder contains Action set to Block and WildFire Action set to Block.
Set the Source Zone to INSIDE and Source Address to ANY.
Set the Destination Zone to OUTSIDE and Destination Address to ANY.
Set Application to ANY.
Set Service to ANY.
Set Action to checked.
Set Profile to Block All-AV.
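
An added example, not part of the benchmark or the audit plugin: an offline check of an exported configuration for the two conditions above (every allow rule carries an antivirus profile, directly or through a profile group, and every decoder in that profile blocks). The XML layout of the constructed sample, the names `Alert-AV` and `PG-Strict`, and the set of values counted as "Block" are assumptions modeled on a PAN-OS config export.

```python
import xml.etree.ElementTree as ET

# Constructed sample; element layout is an assumption modeled on a PAN-OS export.
SAMPLE = """<config>
 <profiles><virus>
  <entry name="Block All-AV"><decoder>
   <entry name="http"><action>reset-both</action><wildfire-action>reset-both</wildfire-action></entry>
   <entry name="smtp"><action>reset-both</action><wildfire-action>reset-both</wildfire-action></entry>
  </decoder></entry>
  <entry name="Alert-AV"><decoder><entry name="http"><action>alert</action><wildfire-action>reset-both</wildfire-action></entry></decoder></entry>
 </virus></profiles>
 <profile-group><entry name="PG-Strict"><virus><member>Block All-AV</member></virus></entry></profile-group>
 <security><rules>
  <entry name="web-out"><action>allow</action><profile-setting><profiles><virus><member>Block All-AV</member></virus></profiles></profile-setting></entry>
  <entry name="mail-out"><action>allow</action><profile-setting><group><member>PG-Strict</member></group></profile-setting></entry>
  <entry name="ftp-out"><action>allow</action><profile-setting><profiles><virus><member>Alert-AV</member></virus></profiles></profile-setting></entry>
  <entry name="smb-out"><action>allow</action></entry>
  <entry name="deny-all"><action>deny</action></entry>
 </rules></security>
</config>"""

# Assumption: values counted as "Block" (older releases use block, newer drop/reset-*).
BLOCKING = {"block", "drop", "reset-client", "reset-server", "reset-both"}

def weak_decoders(profile):
    """Decoder names whose Action or WildFire Action is missing or not blocking."""
    return [d.get("name") for d in profile.findall("decoder/entry")
            if d.findtext("action") not in BLOCKING
            or d.findtext("wildfire-action") not in BLOCKING]

def audit(xml_text):
    """Map each non-compliant allow rule to the reason it fails."""
    root = ET.fromstring(xml_text)
    profiles = {p.get("name"): p for p in root.findall("profiles/virus/entry")}
    groups = {g.get("name"): g.findtext("virus/member") for g in root.findall("profile-group/entry")}
    findings = {}
    for rule in root.findall("security/rules/entry"):
        if rule.findtext("action") != "allow":
            continue  # deny/drop rules pass no traffic to scan
        av = (rule.findtext("profile-setting/profiles/virus/member")  # applied directly
              or groups.get(rule.findtext("profile-setting/group/member")))  # or via group
        if av not in profiles:
            findings[rule.get("name")] = "no antivirus profile"
        elif weak := weak_decoders(profiles[av]):
            findings[rule.get("name")] = f"{av}: non-blocking decoders {weak}"
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```
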

See Also

https://workbench.cisecurity.org/files/1664

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-3a., CSCv6|8.5

Plugin: Palo_Alto

Control ID: bf8f1f8bbaa5f60ae5fea48ea01b01d212781db53bb170cc810af637fef41021