7.3 Ensure 'Security Policy' denying any/all traffic to/from IP addresses on Trusted Threat Intelligence Sources Exists

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

Information

Create a pair of security rules at the top of the security policies ruleset to block traffic to and from IP addresses known to be malicious.

Note: This recommendation (as written) requires a Palo Alto 'Active Threat License'. Third Party and Open Source Threat Intelligence Feeds can also be used for this purpose.

Rationale:

Creating rules that block traffic to/from known malicious sites from Trusted Threat Intelligence Sources protects you against IP addresses that Palo Alto Networks has proven to be used almost exclusively to distribute malware, initiate command-and-control activity, and launch attacks.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Navigate to Policies > Security
Create a Security Policy similar to:

General tab: Name set to Deny to Malicious IP

Source tab: Source Zone set to Any,

Destination tab: Destination Zone set to Any, Destination Address set to Palo Alto Networks - Known malicious IP addresses

Application tab: Application set to Any

Service/URL Category tab: Service set to Any

Actions tab: Action set to Block, Profile Type set to None

Create a Security Policy similar to with:

General tab: Name set to Deny from Malicious IP

Source tab: Source Zone set to Any, Source Address set to Palo Alto Networks - Known malicious IP addresses

Destination tab: Destination Zone set to Any

Application tab: Application set to Any

Service/URL Category tab: Service set to Any

Actions tab: Action set to Block, Profile Type set to None

Note: This recommendation requires a Palo Alto 'Active Threat License'

Impact:

While not foolproof, simply blocking traffic from known malicious hosts allows more resources to be devoted to analyzing traffic from other sources for malicious content. This approach is a recommended part of most 'Defense in Depth' recommendations, allowing defenders to focus more deeply on traffic from uncategorized sources.

Default Value:

Not Configured

References:

'PAN-OS 9.0 Admin Guide: Built-in External Dynamic Lists': https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/policy/use-an-external-dynamic-list-in-policy/built-in-edls.html#

'PAN-OS 9.0 Admin Guide: Create Rules Based on Trusted Threat Intelligence Sources': https://docs.paloaltonetworks.com/best-practices/9-0/internet-gateway-best-practices/best-practice-internet-gateway-security-policy/define-the-initial-internet-gateway-security-policy/step-1-create-rules-based-on-trusted-threat-intelligence-sources.html#

Item Details

Audit Name: CIS Palo Alto Firewall 9 Benchmark v1.0.0 L1

References: CSCv7|7, CSCv7|8, CSCv7|12, CSCv7|12.3

Plugin: Palo_Alto

Control ID: 57ac5e73fd8c4b2ba489a4bedb7a322f57f9b7fc2061d66d5554fb8ddb43a971

Detections

Analytics

7.3 Ensure 'Security Policy' denying any/all traffic to/from IP addresses on Trusted Threat Intelligence Sources Exists

Warning! Audit Deprecated

Information

Solution

See Also

Item Details