7.3 Ensure 'Security Policy' denying any/all traffic to/from IP addresses on Trusted Threat Intelligence Sources Exists


Create a pair of security rules at the top of the Security policy rulebase that block traffic to and from IP addresses that a trusted threat intelligence source identifies as malicious.

Note: As written, this recommendation relies on the predefined Palo Alto Networks address list, which requires an active Threat Prevention license. Third-party and open source threat intelligence feeds can serve the same purpose when they are imported as an External Dynamic List (EDL) and referenced in the same two rules.


Creating rules that block traffic to and from hosts listed by a trusted threat intelligence source protects you against IP addresses that Palo Alto Networks has observed being used almost exclusively to distribute malware, host command-and-control infrastructure, and launch attacks.


While not foolproof, dropping traffic from known malicious hosts at the top of the rulebase discards the highest-confidence bad traffic before it consumes inspection resources, leaving more capacity for analysing traffic from uncategorized sources. This is a standard element of a defense-in-depth design. Because the list is keyed on IP addresses, which change hands and are sometimes shared with legitimate services, keep logging enabled on both rules so that hits can be reviewed and false positives identified.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.


Navigate to Policies > Security
Create a Security Policy similar to:

General tab: Name set to Deny to Malicious IP

Source tab: Source Zone set to Any, Source Address set to Any

Destination tab: Destination Zone set to Any, Destination Address set to Palo Alto Networks - Known malicious IP addresses

Application tab: Application set to Any

Service/URL Category tab: Service set to Any

Actions tab: Action set to Deny, Profile Type set to None

Create a second Security Policy similar to:

General tab: Name set to Deny from Malicious IP

Source tab: Source Zone set to Any, Source Address set to Palo Alto Networks - Known malicious IP addresses

Destination tab: Destination Zone set to Any, Destination Address set to Any

Application tab: Application set to Any

Service/URL Category tab: Service set to Any

Actions tab: Action set to Deny, Profile Type set to None

Leave Log at Session End enabled on both rules so that hits can be reviewed, then move both rules to the top of the rulebase (select the rule and use Move > Top) so that no earlier rule can allow the traffic first. Commit the configuration.

Note: The predefined address list used above requires an active Palo Alto Networks Threat Prevention license.
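The following script is an added example, not part of the benchmark or of any Palo Alto Networks tooling. It audits an XML export of a PAN-OS running configuration (Device > Setup > Operations > export named configuration snapshot) for the two rules described above: one rule whose destination is the predefined malicious-IP list, one whose source is that list, both enabled, both scoped any/any for zones, applications and services, both using a blocking action, and both placed above the first enabled allow rule so they cannot be shadowed. The rule names, the two constructed configuration snippets and the choice to accept any of PAN-OS's non-allow actions (deny, drop, reset-*) as "blocking" are assumptions made for the example; the benchmark itself only names one action.

```python
"""Audit a PAN-OS config export for the CIS 7.3 malicious-IP block rules.

Added example: checks structure only; it does not talk to a firewall.
"""
import xml.etree.ElementTree as ET

# Name of the predefined External Dynamic List referenced by both rules.
KNOWN_MALICIOUS_EDL = "Palo Alto Networks - Known malicious IP addresses"
# Assumption: any non-allow PAN-OS action counts as a block for this check.
BLOCKING_ACTIONS = {"deny", "drop", "reset-client", "reset-server", "reset-both"}
RULES_XPATH = ".//vsys/entry/rulebase/security/rules/entry"
# Fields that the benchmark expects to be "any" on both rules.
SCOPE_FIELDS = ("from", "to", "application", "service")


def _members(rule, tag):
    """Set of <member> values under a rule child such as <source> or <to>."""
    return {m.text.strip() for m in rule.findall(f"./{tag}/member") if m.text}


def _enabled(rule):
    return (rule.findtext("disabled") or "no").strip() != "yes"


def _action(rule):
    return (rule.findtext("action") or "").strip()


def audit_rulebase(config_xml: str) -> list[str]:
    """Return human-readable findings for one vsys rulebase; [] means compliant."""
    rules = ET.fromstring(config_xml).findall(RULES_XPATH)
    findings = []
    # Index of the first enabled allow rule: a block rule placed after it can be shadowed.
    first_allow = next(
        (i for i, r in enumerate(rules) if _enabled(r) and _action(r) == "allow"), None
    )
    # One rule keyed on the EDL as destination ("to"), one keyed on it as source ("from").
    for field, peer in (("destination", "source"), ("source", "destination")):
        hits = [(i, r) for i, r in enumerate(rules) if KNOWN_MALICIOUS_EDL in _members(r, field)]
        if not hits:
            findings.append(f"no security rule has {field} = '{KNOWN_MALICIOUS_EDL}'")
            continue
        idx, rule = hits[0]
        name = rule.get("name", "?")
        if not _enabled(rule):
            findings.append(f"rule '{name}' is disabled")
        if _action(rule) not in BLOCKING_ACTIONS:
            findings.append(f"rule '{name}' action is '{_action(rule)}', not a blocking action")
        for tag in SCOPE_FIELDS + (peer,):
            if _members(rule, tag) != {"any"}:
                findings.append(
                    f"rule '{name}' restricts {tag} to {sorted(_members(rule, tag))}; expected any"
                )
        if first_allow is not None and first_allow < idx:
            findings.append(
                f"rule '{name}' sits below allow rule '{rules[first_allow].get('name')}' "
                "and can be shadowed"
            )
    return findings


# --- Constructed sample configurations (not real device exports) ---------------
def _rule(name, src, dst, action, disabled="no"):
    return (
        f'<entry name="{name}">'
        "<from><member>any</member></from><to><member>any</member></to>"
        f"<source><member>{src}</member></source>"
        f"<destination><member>{dst}</member></destination>"
        "<application><member>any</member></application>"
        "<service><member>any</member></service>"
        f"<action>{action}</action><disabled>{disabled}</disabled></entry>"
    )


def _config(*rules):
    return (
        '<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">'
        "<rulebase><security><rules>" + "".join(rules) +
        "</rules></security></rulebase></entry></vsys></entry></devices></config>"
    )


# Both rules present, enabled, any/any, and above the first allow rule.
COMPLIANT_CONFIG = _config(
    _rule("Deny to Malicious IP", "any", KNOWN_MALICIOUS_EDL, "deny"),
    _rule("Deny from Malicious IP", KNOWN_MALICIOUS_EDL, "any", "deny"),
    _rule("Allow web", "any", "any", "allow"),
)
# Outbound block rule placed after an allow rule; inbound block rule missing.
NONCOMPLIANT_CONFIG = _config(
    _rule("Allow web", "any", "any", "allow"),
    _rule("Deny to Malicious IP", "any", KNOWN_MALICIOUS_EDL, "deny"),
)

if __name__ == "__main__":
    for label, cfg in (("compliant", COMPLIANT_CONFIG), ("noncompliant", NONCOMPLIANT_CONFIG)):
        print(label, audit_rulebase(cfg) or "OK")
```

Run it against a real export by reading the file and passing its contents to `audit_rulebase`; on a multi-vsys device, narrow `RULES_XPATH` to the vsys being audited, and on Panorama-managed devices remember that pre-rules pushed from Panorama appear above the local rulebase.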

Default Value:

Not Configured

See Also
