7.3 Ensure 'Security Policy' denying any/all traffic to/from IP addresses on Trusted Threat Intelligence Sources Exists

Information

Create a pair of security rules at the top of the security policies ruleset to block traffic to and from IP addresses known to be malicious.

Note: This recommendation (as written) requires a Palo Alto 'Active Threat License'. Third Party and Open Source Threat Intelligence Feeds can also be used for this purpose.

Rationale:

Creating rules that block traffic to/from known malicious sites from Trusted Threat Intelligence Sources protects you against IP addresses that Palo Alto Networks has proven to be used almost exclusively to distribute malware, initiate command-and-control activity, and launch attacks.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Navigate to Policies > Security
Create a Security Policy similar to:

General tab: Name set to Deny to Malicious IP

Source tab: Source Zone set to Any

Destination tab: Destination Zone set to Any, Destination Address set to Palo Alto Networks - Known malicious IP addresses

Application tab: Application set to Any

Service/URL Category tab: Service set to Any

Actions tab: Action set to Block, Profile Type set to None

Create a second Security Policy similar to:

General tab: Name set to Deny from Malicious IP

Source tab: Source Zone set to Any, Source Address set to Palo Alto Networks - Known malicious IP addresses

Destination tab: Destination Zone set to Any

Application tab: Application set to Any

Service/URL Category tab: Service set to Any

Actions tab: Action set to Block, Profile Type set to None

Note: This recommendation requires a Palo Alto 'Active Threat License'
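As an added example (not part of the CIS benchmark or Tenable's audit content), the following Python check parses a PAN-OS security rulebase in its XML config layout and verifies that both rules exist, use a blocking action, and sit above any allow rule, since PAN-OS evaluates rules top-down. The sample rulebase and zone names are constructed, and treating deny/drop/reset actions as satisfying "Block" is an assumption.

```python
import xml.etree.ElementTree as ET

# Built-in EDL named in the recommendation.
MALICIOUS_EDL = "Palo Alto Networks - Known malicious IP addresses"
# PAN-OS actions that terminate the session (assumption: any of these counts as "Block").
BLOCK_ACTIONS = {"deny", "drop", "reset-client", "reset-server", "reset-both"}
# Constructed sample in PAN-OS security-rulebase XML layout (not a real device export).
SAMPLE_RULEBASE = """<rulebase><security><rules>
<entry name="Deny to Malicious IP"><from><member>any</member></from><to><member>any</member></to>
<source><member>any</member></source><destination><member>%s</member></destination>
<application><member>any</member></application><service><member>any</member></service>
<action>deny</action></entry>
<entry name="Deny from Malicious IP"><from><member>any</member></from><to><member>any</member></to>
<source><member>%s</member></source><destination><member>any</member></destination>
<application><member>any</member></application><service><member>any</member></service>
<action>deny</action></entry>
<entry name="Allow Outbound Web"><from><member>trust</member></from><to><member>untrust</member></to>
<source><member>any</member></source><destination><member>any</member></destination>
<application><member>web-browsing</member></application><service><member>application-default</member></service>
<action>allow</action></entry>
</rules></security></rulebase>""" % (MALICIOUS_EDL, MALICIOUS_EDL)

def members(rule, tag):
    return {m.text.strip() for m in rule.findall(f"{tag}/member") if m.text}

def check_malicious_ip_rules(rulebase_xml):
    """Return {'deny_to': bool, 'deny_from': bool, 'findings': [str]}.
    A direction passes only if an enabled blocking rule references the EDL in that
    direction ABOVE every allow rule: PAN-OS evaluates top-down, so a deny placed
    below an allow can be shadowed (simplification: any earlier allow counts)."""
    result = {"deny_to": False, "deny_from": False, "findings": []}
    allow_seen = False
    for rule in ET.fromstring(rulebase_xml).findall("security/rules/entry"):
        if rule.findtext("disabled", "").strip() == "yes":
            continue  # disabled rules never match traffic
        action = rule.findtext("action", "").strip()
        to_edl = MALICIOUS_EDL in members(rule, "destination")
        from_edl = MALICIOUS_EDL in members(rule, "source")
        if action in BLOCK_ACTIONS and (to_edl or from_edl):
            if allow_seen:
                result["findings"].append(f"{rule.get('name')}: blocks EDL traffic but sits below an allow rule")
            else:
                result["deny_to"] |= to_edl
                result["deny_from"] |= from_edl
        elif action == "allow":
            allow_seen = True
    for key, word in (("deny_to", "to"), ("deny_from", "from")):
        if not result[key]:
            result["findings"].append(f"no top-of-rulebase rule blocking traffic {word} '{MALICIOUS_EDL}'")
    return result
```

On a live device the same XML is available from the running config via the XML API or `show config running`, so the function can be fed a real export unchanged.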

Impact:

While not foolproof, simply blocking traffic from known malicious hosts allows more resources to be devoted to analyzing traffic from other sources for malicious content. This approach is a recommended part of most 'Defense in Depth' recommendations, allowing defenders to focus more deeply on traffic from uncategorized sources.

Default Value:

Not Configured

References:

'PAN-OS 9.0 Admin Guide: Built-in External Dynamic Lists': https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/policy/use-an-external-dynamic-list-in-policy/built-in-edls.html#

'PAN-OS 9.0 Admin Guide: Create Rules Based on Trusted Threat Intelligence Sources': https://docs.paloaltonetworks.com/best-practices/9-0/internet-gateway-best-practices/best-practice-internet-gateway-security-policy/define-the-initial-internet-gateway-security-policy/step-1-create-rules-based-on-trusted-threat-intelligence-sources.html#

See Also

https://workbench.cisecurity.org/files/2692