Best Practice Settings
File Blocking profile
that blocks files that are commonly included in malware attack campaigns or that have no real use case for upload/download. Currently, these include batch files, DLLs, Java class files, help files, Windows shortcuts (.lnk), and BitTorrent files as well as Windows Portable Executable (PE) files, which include .exe, .cpl, .dll, .ocx, .sys, .scr, .drv, .efi, .fon, and .pif files. You can allow download/upload of executables and archive files (.zip and .rar), but forces users to click continue before transferring a file to give them pause. Finally, alert on all other file types for visibility into what other file transfers are happening so that you can determine if you need to make policy changes.
Why do I need this profile?
There are many ways for attackers to deliver malicious files: As attachments or links in corporate email or in webmail, links or IMs in social media, Exploit Kits, through file sharing applications (such as FTP, Google Drive, or Dropbox), or on USB drives. Attaching a File Blocking profile reduces your attack surface by preventing these types of attacks.
What if I can’t block all of the recommended file types?
If you cannot block all PE files per the recommendation, make sure you send all unknown files to WildFire for analysis. Additionally, set the Action to continue to prevent drive-by downloads. A drive-by download is when an end user downloads content that installs malicious files, such as Java applets or executables, without knowing they are doing it. Drive-by downloads can occur when users visit web sites, view email messages, or click into pop-up windows meant to deceive them. Educate your users that if they are prompted to continue with a file transfer they didn’t knowingly initiate, they may be subject to a malicious download.
to all allowed traffic to detect and prevent viruses and malware from being transferred over the HTTP, SMTP, IMAP, POP3, FTP, and SMB protocols. The best practice Antivirus profile uses the default action when it detects traffic that matches either an Antivirus signature or a WildFire signature. The default action differs for each protocol and follows the most up-to-date recommendation from Palo Alto Networks for how to best prevent malware in each type of protocol from propagating.
By default, the firewall alerts on viruses found in SMTP traffic. However, if you don’t have a dedicated Antivirus gateway solution in place for your SMTP traffic, define a stricter action for this protocol to protect against infected email content. Use the reset-both action to return a 541 response to the sending SMTP server to prevent it from resending the blocked message.
Why do I need this profile?
By attaching Antivirus profiles to all Security rules you can block known malicious files (malware, ransomware bots, and viruses) as they are coming into the network. Common ways for users to receive malicious files include malicious attachments in email, links to download malicious files, or silent compromise with Exploit Kits that exploit a vulnerability and then automatically deliver malicious payloads to the end user.
Vulnerability Protection profile
to all allowed traffic to protect against buffer overflows, illegal code execution, and other attempts to exploit client- and server-side vulnerabilities. The best practice profile is a clone of the predefined Strict profile, with packet capture settings enabled to help you track down the source of any potential attacks.
Why do I need this profile?
Without strict vulnerability protection, attackers can leverage client- and server-side vulnerabilities to compromise end-users. For example, an attacker could leverage a vulnerability to install malicious code on client systems or use an Exploit Kit (
Angler, Nuclear, Fiesta, KaiXin) to automatically deliver malicious payloads to the end user. Vulnerability Protection profiles also prevent an attacker from using vulnerabilities on internal hosts to move laterally within your network.
to all allowed traffic to detect command and control traffic (C2) initiated from spyware installed on a server or endpoint and prevents compromised systems from establishing an outbound connection from your network. The best practice Anti-Spyware profile resets the connection when the firewall detects a medium, high, or critical severity threat and blocks or sinkholes any DNS queries for known malicious domains.
To create this profile, clone the predefined strict profile and make sure to
enable DNS sinkhole
and packet capture to help you track down the endpoint that attempted to resolve the malicious domain. For the best possible protection, enable passive DNS monitoring, which enables the firewall to act as a passive DNS sensor and send select DNS information to Palo Alto Networks for analysis in order to improve threat intelligence and threat prevention capabilities.
As a best practice, use PAN-DB
to prevent access to web content that is at high-risk for being malicious. Attach a
URL Filtering profile
to all rules that allow access to web-based applications to protect against URLs that have been observed hosting malware or exploitive content.
The best practice URL Filtering profile sets all known dangerous URL categories to block. These include command-and-control, malware, phishing, dynamic DNS, unknown, proxy-avoidance-and-anonymizers, extremism, copyright-infringement, and parked. Failure to block these dangerous categories puts you at risk for exploit infiltration, malware download, command and control activity, and data exfiltration.
In addition to blocking known bad categories, you should also alert on all other categories so that you have visibility into the sites your users are visiting. If you need to phase in a block policy, set categories to continue and
create a custom response page
to educate users on your acceptable use policies and alert them to the fact that they are visiting a site that may pose a threat. This will pave the way for you to outright block the categories after a monitoring period.
What if I can’t block all of the recommended categories?
If you find that users need access to sites in the blocked categories, consider creating an allow list for just the specific sites, if you feel the risk is justified. Allowing traffic to a recommended block category poses the following risks:
—Command-and-control URLs and d o mains used by malware and/or compromised systems to surreptitiously communicate with an attacker’s remote server to receive malicious commands or exfiltrate data.
—Sites known to host malware or used for command and control (C2) traffic. May also exhibit Exploit Kits.
—Known to host credential phishing pages or phishing for personal identification.
—Hosts and domain names for systems with dynamically assigned IP addresses and which are oftentimes used to deliver malware payloads or C2 traffic. Also, dynamic DNS domains do not go through the same vetting process as domains that are registered by a reputable domain registration company, and are therefore less trustworthy.
—Sites that have not yet been identified by PAN-DB, perhaps because they were just registered. However, oftentimes these are sites that are generated by domain generation algorithms and are later found to exhibit malicious behavior.
—URLs and services often used to bypass content filtering products.
—Domains with illegal content, such as content that allows illegal download of software or other intellectual property. This category was introduced to enable adherence to child protection laws required in the education industry, as well as laws in countries that require internet access providers to prevent usrs from shring copyrighted material through their service.
—Websites promoting terrorism, racism, fascism, or other extremist views discriminating against people or groups of different ethnic backgrounds, religions, or other beliefs. This category was introduced to enable adherence to child protection laws required in the education sector.
—Domains registered by individuals, oftentimes later found to be used for credential phishing. These domains may be similar to legitimate domains, for example, pal0alto0netw0rks.com, with the intent of phishing for credentials or personal identify information. Or, they may be domains that an individual purchases rights to in hopes that it may be valuable someday, such as panw.net.
While the rest of the best practice security profiles significantly reduce the attack surface on your network by detecting and blocking known threats, the threat landscape is ever changing and the risk of unknown threats lurking in the files we use daily—PDFs, Microsoft Office documents (.doc and .xls files)—is ever growing. And, because these unknown threats are increasingly sophisticated and targeted, they often go undetected until long after a successful attack. To protect your network from unknown threats, you must configure the firewall to forward files to WildFire for analysis. Without this protection, attackers have free reign to infiltrate your network and exploit vulnerabilities in the applications your employees use everyday. Because WildFire protects against unknown threats, it is your greatest defense against advanced persistent threats (APTs).
The best practice
WildFire Analysis profile
sends all files in both directions (upload and download) to WildFire for analysis. Specifically, make sure you are sending all PE files (if you’re not blocking them per the file blocking best practice), Adobe Flash and Reader files (PDF, SWF), Microsoft Office files (PowerPoint, Excel, Word, RTF), Java files (Java, .CLASS), and Android files (.APK).