6.7 Ensure a VPP is set to block attacks against critical and high vulnerabilities, and set to default on med, low, and info vulns

Information

6.7 Ensure a Vulnerability Protection Profile is set to block attacks against critical and high vulnerabilities, and set to default on medium, low, and informational vulnerabilities
Configure a Vulnerability Protection Profile set to block attacks against any critical or high vulnerabilities, at minimum, and set to default on any medium, low, or informational vulnerabilities. Configuring an alert action for low and informational, instead of default, will produce additional information at the expense of greater log utilization.
Rationale:
A Vulnerability Protection Profile helps to protect assets by alerting on, or blocking, network attacks. The default action for attacks against many critical and high vulnerabilities is to only alert on the attack - not to block.

Solution

Navigate to Objects > Security Profiles > Vulnerability Protection.
Set a Vulnerability Protection Profile to block attacks against any critical or high vulnerabilities (minimum), and to default on attacks against any medium, low, or informational vulnerabilities.
Impact:
Not configuring a Vulnerability Protection Profile means that network attacks will not be logged, alerted on or blocked.
Default Value:
Two Vulnerability Protection Profiles are configured by default - "strict" and "default".
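
An added example (not part of the benchmark or the audit plugin): a Python check that reads Vulnerability Protection Profile rules from a PAN-OS-style XML export and reports every rule that does not match this recommendation. The XML layout, the sample profiles, and the set of actions counted as "block" are assumptions; the check looks only at each rule's severity and action.

```python
import xml.etree.ElementTree as ET

# Constructed sample in an assumed PAN-OS XML layout (not taken from a real device).
SAMPLE = """
<vulnerability>
<entry name="cis-6-7"><rules>
<entry name="crit-high"><action><reset-both/></action>
<severity><member>critical</member><member>high</member></severity></entry>
<entry name="med-low-info"><action><default/></action>
<severity><member>medium</member><member>low</member><member>informational</member></severity></entry>
</rules></entry>
<entry name="alert-only"><rules>
<entry name="everything"><action><alert/></action>
<severity><member>any</member></severity></entry>
</rules></entry>
</vulnerability>
"""

BLOCKING = {"drop", "reset-client", "reset-server", "reset-both", "block-ip"}  # assumed "block" set
MUST_BLOCK = {"critical", "high"}
MUST_DEFAULT = {"medium", "low", "informational"}

def audit_profile(profile):
    """Return findings for one profile <entry>; an empty list means it meets 6.7."""
    findings, covered = [], set()
    for rule in profile.findall("./rules/entry"):
        act = rule.find("action")
        action = act[0].tag if act is not None and len(act) else "(none)"
        sevs = {m.text for m in rule.findall("./severity/member")}
        if "any" in sevs:  # "any" stands for every severity level
            sevs = MUST_BLOCK | MUST_DEFAULT
        covered |= sevs
        for sev in sorted(sevs):
            if sev in MUST_BLOCK and action not in BLOCKING:
                findings.append(f"{rule.get('name')}: {sev} uses '{action}', expected a block action")
            elif sev in MUST_DEFAULT and action != "default":
                findings.append(f"{rule.get('name')}: {sev} uses '{action}', expected 'default'")
    for sev in sorted((MUST_BLOCK | MUST_DEFAULT) - covered):
        findings.append(f"no rule covers severity '{sev}'")
    return findings

def audit(xml_text):
    """Map each profile name to its list of findings."""
    return {p.get("name"): audit_profile(p) for p in ET.fromstring(xml_text).findall("./entry")}

if __name__ == "__main__":
    for name, issues in audit(SAMPLE).items():
        print(name, "PASS" if not issues else issues)
```

A profile that blocks every severity also fails this check, because medium, low, and informational are expected to stay on the default action.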

See Also

https://workbench.cisecurity.org/files/2104

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-4(4)

Plugin: Palo_Alto

Control ID: 1d53c4196cd14fa4cd62216e7f606b2e29191d16e13e373368e7c7a9aa00bc1b