6.7 Ensure a Vulnerability Protection Profile is set to block attacks against critical and high vulnerabilities, and set to default on medium, low, and informational vulnerabilities

Information

Configure a Vulnerability Protection Profile set to block attacks against any critical or high vulnerabilities, at minimum, and set to default on any medium, low, or informational vulnerabilities. Configuring an alert action for low and informational, instead of default, will produce additional information at the expense of greater log utilization.

Rationale:

A Vulnerability Protection Profile helps to protect assets by alerting on, or blocking, network attacks. The default action for attacks against many critical and high vulnerabilities is to only alert on the attack - not to block.

Solution

Navigate to Objects > Security Profiles > Vulnerability Protection.
Set a Vulnerability Protection Profile to block attacks against any critical or high vulnerabilities (minimum), and to default on attacks against any medium, low, or informational vulnerabilities.
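
To check the result offline, the added example below (not part of the benchmark or of PAN-OS tooling) audits Vulnerability Protection profiles in an exported XML configuration against the severity-to-action rule above. The element layout, the sample profiles and the function names are assumptions; the check looks only at each rule's severity and action and ignores host, category and CVE filters.

```python
import xml.etree.ElementTree as ET

# Constructed sample. The element layout is an assumption modelled on a PAN-OS
# XML configuration export; compare it with your own export before relying on it.
SAMPLE = """<vulnerability>
  <entry name="cis-6-7"><rules>
    <entry name="block-crit-high">
      <action><reset-both/></action>
      <severity><member>critical</member><member>high</member></severity>
    </entry>
    <entry name="default-rest">
      <action><default/></action>
      <severity><member>medium</member><member>low</member><member>informational</member></severity>
    </entry>
  </rules></entry>
  <entry name="alert-only"><rules>
    <entry name="alert-all">
      <action><alert/></action>
      <severity><member>any</member></severity>
    </entry>
  </rules></entry>
</vulnerability>"""

BLOCK = {"drop", "reset-client", "reset-server", "reset-both", "block-ip"}
# Acceptable actions per severity, following the recommendation text; "alert"
# on low/informational is the noisier alternative the benchmark mentions.
ALLOWED = {"critical": BLOCK, "high": BLOCK, "medium": {"default"},
           "low": {"default", "alert"}, "informational": {"default", "alert"}}

def audit_profile(profile):
    """Return findings for one profile <entry>; an empty list means compliant."""
    seen = {sev: set() for sev in ALLOWED}
    for rule in profile.findall("./rules/entry"):
        action_el = rule.find("action")
        action = action_el[0].tag if action_el is not None and len(action_el) else "(none)"
        members = {m.text for m in rule.findall("./severity/member")}
        for sev in ALLOWED:
            if sev in members or "any" in members:
                seen[sev].add(action)
    findings = []
    for sev, allowed in ALLOWED.items():
        if not seen[sev]:
            findings.append(f"{sev}: no rule covers this severity")
        elif seen[sev] - allowed:
            findings.append(f"{sev}: action {sorted(seen[sev] - allowed)} not permitted")
    return findings

def audit(xml_text):
    return {p.get("name"): audit_profile(p) for p in ET.fromstring(xml_text).findall("./entry")}
```

Calling audit(SAMPLE) returns a mapping of profile name to findings; a profile is only useful once it is also attached to the security policy rules that carry the traffic.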

Impact:

Not configuring a Vulnerability Protection Profile means that network attacks will not be logged, alerted on or blocked.

Default Value:

Two Vulnerability Protection Profiles are configured by default - 'strict' and 'default'.

References:

'Threat Prevention Deployment Tech Note' - https://live.paloaltonetworks.com/docs/DOC-3094

'PAN-OS Administrator's Guide 9.0 (English) - Security Profiles' - https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/policy/security-profiles.html

See Also

https://workbench.cisecurity.org/files/2692