Professional Documents
Culture Documents
Threat Prevention Deployment TechNote Version 3.0 RevA
Threat Prevention Deployment TechNote Version 3.0 RevA
Threat Prevention Deployment TechNote Version 3.0 RevA
Tech Note
PAN-OS 7.0
Command Actions on
Reconnaissance Weaponization Delivery Exploitation Installation
and Control Objectives
For a more detailed overview of the kill-chain principle, the following document is available:
http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-
Defense.pdf
Command Actions on
Delivery Exploitation Installation
and Control Objectives
Some applications will also contain a number of application functions. For example, the application Facebook has
application functions such as facebook-base, facebook-chat, facebook-mail, facebook-posting, etc. In order to
enforce proper security policies, it may be required to only allow certain applications functions instead of the
complete application.
Kill-Chain
Command Actions on
Delivery Exploitation Installation
and Control Objectives
App-ID can play an important role during several stages of the Kill-Chain. It can disrupt the Delivery stage by
blocking user access to applications that are commonly used for targeted delivery such as social media sites,
personal webmail and file-sharing applications. During the application identification process, it can also provide SSL
decryption to avoid inspection bypass for encrypted content and applications.
One particular feature of App-ID is its ability to classify unknown traffic as unknown-tcp, unknown-udp or
unknown-p2p. This can be leveraged to block connections where the underlying application cannot be identified,
as is often the case with custom outbound C2 channels. As such, App-ID can assist in disrupting the kill-chain at the
Command-and-Control stage.
Finally, App-ID can reenforce a zero-trust architecture by limiting application usage based on user groups. This can
aid in limiting lateral movement capabilities and data exfiltration through specific applications.
Recommendations
The key principle to apply when defining an application based firewall policy is to build a policy that uses a positive
enforcement approach. Positive enforcement means that you selectively allow what is required for day-to-day
business operations as opposed to a negative enforcement approach where you would selectively block everything
that is not allowed. A negative enforcement approach requires you to keep track of any new applications and
constantly adapt your policy to block them. This would be a non-stop task and would still leave a high risk gap. A
positive enforcement approach only requires you to define an allowed list of applications and have the firewall
block everything else with a cleanup rule at the end of the rule base.
Heres an example of the recommended approach showing a positive enforcement firewall policy.
As you can see, it will be much easier to maintain a positive enforcement firewall policy over time as you will only
need to add those applications required for day-to-day business operations.
When switching from a port-based to an application-based firewall security policy, the most important task is to
determine what applications should be allowed for day-to-day business operations. If no well-defined list of
allowed applications exists, it is advisable to first configure the Palo Alto Networks firewall as a traditional port-
based firewall or to deploy it in monitoring mode in order to obtain a list of all applications running across your
network. This list should then be examined in order to maintain the required applications and have any non-
desired applications removed from the final policy.
L7 Evasions
App-ID can play an important role in securing your network from L7 evasions. For more information on how to
correctly configure a firewall to protect against evasion techniques, please refer to Appendix E: Evasions.
Unknown applications
Given that the App-ID application database now covers most Internet applications, any observation of unknown
traffic should be investigated. In order to apply better control over unknown applications and potentially related
malware, it is advised to create custom applications or configure application override policies where needed to
identify and allow known-good applications that are initially detected as unknown. Combining this approach with a
positive enforcement firewall policy will give you strict control over unknown applications, both known-good and
bad ones.
More information on handling unknown applications can be found here:
https://live.paloaltonetworks.com/docs/DOC-2007
User-based access control
Besides explicitly defining what applications are allowed, access to applications should also be restricted on a user
group level as opposed to using IP addresses in the source fields. The following topic will discuss User-ID in detail.
Use Case
The use case section for each topic will create an example policy that describes how to enable and deploy each
feature in an actual security policy.
To allow outbound access from the DMZ for update purposes, an additional rule will be created.
Note: the above rule is very generic and just serves for clarification purposes. In a real
environment, the allowed destinations should be limited to those required for update purposes
where possible.
By defining access by application rather than port or protocol, any traffic to the public services that does not match
the application will be denied. This approach reduces the attack surface for these services by disallowing any
applications that may have been inadvertently been left enabled on the server, but are not required for proper
operation.
Observations
Logs
An overview of all application activity can be consulted via the App Scope Network Monitor, under the Monitor tab.
Drill-down analysis can be performed via the Application Command Center (ACC).
Traffic that matches a rule will generate a log entry in the firewall traffic log if logging is enabled for that rule. A
rule can have logging enabled on session end (default), but also on session start.
Traffic Log
Unknown applications
Any new instances of traffic identified as unknown-udp, unknown-tcp or unknown-p2p will trigger a packet capture
that is included in the corresponding traffic log. These packet captures may provide an initial indication about the
type of traffic.
Traffic Log
Application dependency
Certain applications will depend on other applications for proper operation. In order to allow applications, it is
required that the parent applications are allowed as well. The most common example of such application
dependency is the reliance of web-based applications on applications ssl and web-browsing. Within one particular
application it is also possible that applications functions depend on a parent application. For example, the
application function facebook-posting depends on the parent application facebook-base.
The application web-browsing is a very generic application that encompasses any http-based traffic that is not
recognized as a specific application. If the Palo Alto Networks firewall is positioned in between host systems and a
web-proxy, any proxied http traffic is classified as application http-proxy instead of web-browsing.
Recommendations
When creating policies based on users and groups, it is advised that you make separate rules per user or user
group rather than combine users or groups into one rule, even if they have the same access privileges. This
approach will make overall access management easier for each group. It will also provide more rule-based filtering
possibilities when building custom reports.
In case the User-ID agent is used to provide IP-address-to-user name mapping, it is advised that you deploy
multiple agent instances for redundancy purposes. In addition, you can define a Captive Portal rule for any users
on the network that are not authenticated transparently, e.g. because their host machine is not part of the AD
domain.
Use Case
In this particular part of the security policy design, the following list of applications required per user group has
been defined:
Sales Marketing IT Human Production Management
Resources
web-browsing
linkedin
facebook-base
facebook-posting
twitter
google-analytics
Translating this allow-list into a firewall security policy results in the following rule base:
The policy as shown above will reduce the attack surface for these user groups and at the same time improve
workforce performance by blocking access to non-work related applications.
Observations
User identification
Most User-ID mechanisms can identify a user in a transparent way meaning the user will not have to explicitly re-
authenticate against the firewall. In the case where none of these mechanisms apply, a Captive Portal page can be
presented to the user.
Traffic Log
User Notification
When access to a web-based application is blocked, the user will receive a notification in the browser window. The
message and page layout can be customized.
Kill-Chain
Command Actions on
Delivery Exploitation Installation
and Control Objectives
Block
Block known
Malware and
URL Filtering malicious sites
fast-flux
and links
domains
URL Filtering can be used to reduce the attack surface for employees as well as disrupt the malware kill-chain at
the Delivery stage by blocking access to malicious websites and links pointing to malware deliverables. Additionally,
URL Filtering can prevent access to websites, pages and domains that serve as a C2 servers.
In the case of PAN-DB, the malware category is continuously updated with malicious URLs obtained during
WildFire Analysis of unknown malware. This provides near real-time protection for URL Filtering subscribers
against fast-flux C2 servers.
Use Case
In our use case, we will define a URL filtering policy based on the following requirements:
1. Access to the following external sites should be blocked for everyone using the companys Internet link.
This includes employees and guests.
Hacking
Malware
Peer-to-peer
Phishing
Proxy-avoidance-and-anonymizers
Questionable
2. Access to any other external site should be monitored and alerted on for known users, but not blocked.
3. Access to any other external site should be blocked for systems where the user is not identified.
4. Access to the company web site should be allowed for everyone, both internal and external. No URL
filtering should be performed on this type of traffic.
The second requirement can be accomplished by creating a URL Filtering profile that alerts on all categories and
applying this profile to the access rule that is already in place for each user group. One additional firewall rule will
be created to match any remaining authenticated users that do not match the existing rules.
Note: As long as the user group access rules are positioned below the generic Restricted Sites
block rule there is no need to enable blocking for these categories in the Alert All URL Filtering
profile. If you want to have additional safety built-in or if you do not wish to use a general rule for
these Restricted Sites as described under the first requirement, then you can enable blocking for
those categories in the URL profile as well.
Note: A Block All rule overrides the default intrazone and interzone rules and can potentially
block intrazone connections that are otherwise allowed. Make sure you add the necessary rules
above the Block All rule to explicitly allow this traffic should this be the case. As of PAN-OS 6.1 the
default intrazone and interzone rules are editable and can be configured to also log traffic. As
such, they may offer a good alternative to a more generic Block All rule without changing the
intrazone default behavior.
The fourth requirement is accomplished by the External Web Access rule that was placed at the top of the rule
base under the Application Identification section of this use case.
Observations
Logs
URL Filtering log entries can be consulted via the URL Filtering log view, under the Monitor tab. The detailed view
for a particular URL will also reference related logs associated with that URL log entry.
User Notification
When access to a web site is blocked, the user will receive a notification in the browser window. The message and
page layout can be customized.
Kill-Chain
Command Actions on
Delivery Exploitation Installation
and Control Objectives
Vulnerability Prevent lateral
Block exploits
Protection movement
Vulnerability Protection can assist in breaking the attack kill-chain at the Exploitation stage by preventing client
and server vulnerabilities from being exploited. It can also provide the same protection during lateral movement
attempts where vulnerabilities on internal hosts can provide a means to compromise additional systems.
Recommendations
When deploying vulnerability protection, special care should be taken to avoid a negative impact on the protected
traffic. While vulnerability protection signatures are developed with great care and are submitted to extensive
regression tests, some of the signatures are generic in nature and can trigger on traffic coming from misconfigured
services or faulty applications. This is especially true for applications that have been custom-built such as in-house
developed web applications. Because of this, it is generally not a good idea to simply turn on blocking for large
groups of signatures without prior examination of those signatures and the potential impact they may have on the
network.
If time and circumstances permit, it is advised to include an analysis phase in the vulnerability protection
deployment timeline. In particular for environments where service availability is critical, such a phase will be
required to assure proper functionality of the infrastructure once vulnerability protection is made fully operational.
Use Case
In our use case, we will enable Vulnerability Protection for all traffic generated by internal users as well as
outbound traffic for the DMZ. A clone of the default Vulnerability Protection profile will be applied to each rule.
Observations
Logs
Details for Vulnerability Protection alerts can be consulted via the Threat log view, under the Monitor tab. The
detailed view for a particular threat will also reference related logs associated with the threat log entry.
Threat Log
Starting with firmware 5.0, it is possible to create IP address-based exceptions for Vulnerability Protection events.
This can be accomplished by clicking on the threat name in the Threat log view and adding the exempt IP
addresses for selected exempt profiles in the pop up window.
This will create an exception for this threat/IP address combination in the selected Vulnerability Protection
profiles.
Kill-Chain
Command Actions on
Delivery Exploitation Installation
and Control Objectives
Block spyware
Anti-Spyware
and C2 traffic
The Anti-Spyware feature can be used to disrupt the attack kill-chain at the Command-and-Control stage by
preventing compromised hosts to establish a C2 channel to control systems outside the company network.
Use Case
In our use case, we will enable Anti-Spyware for all traffic generated by internal users. A clone of the strict Anti-
Spyware profile will be applied to each rule.
In addition, it is advisable to also turn on Anti-spyware for any security rules that allow outbound traffic from the
DMZ.
Observations
Logs
Details for Anti-Spyware alerts can be consulted via the Threat log view, under the Monitor tab. The detailed view
for a particular threat will also reference related logs associated with the threat log entry.
Note: The reason why SMTP, POP3 and IMAP have the default action set to ALERT is because in
most cases there is already a dedicated Antivirus gateway solution in place for these protocols.
Specifically for POP3 and IMAP, it is not possible to clean files or properly terminate an infected
file-transfer in-stream without affecting the entire session. This is due to shortcomings in these
protocols to deal with this kind of situation.
Custom profiles can be created and allow you to customize the action for each protocol.
More information on Antivirus can be found here:
https://www.paloaltonetworks.com/products/features/antivirus.html
Additional technical documentation on Anti-Virus is available here:
https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/threat-prevention.html
Kill-Chain
Command Actions on
Delivery Exploitation Installation
and Control Objectives
Block malicious Prevent lateral
Antivirus
files movement
Recommendations
The Antivirus feature can be used to disrupt the attack kill-chain at the Installation stage as well as prevent lateral
movement by blocking malicious files and exploit tools as they traverse the network.
The default Antivirus profile settings can be used in most situations where dedicated SMTP, POP3 and/or IMAP-
scanning solutions are also present. Because predefined profiles are read-only, it is advised to work with a custom
clone of the predefined profiles, so exceptions can be defined when needed.
If no dedicated Antivirus gateway solution is present for SMTP, it is possible to define a custom Antivirus profile
and apply the reset-both action to infected attachments. In such case, a 541 response will be sent back to the
sending SMTP server to prevent it from resending the blocked message.
Typically, Antivirus signatures have an extremely low false positive rate. Should a false positive occur, it is possible
to exclude specific Threat IDs from detection by defining Virus Exceptions in the Antivirus profile. For the same
purpose, certain applications can also be excluded from being inspected. In such cases, it is best practice to create
a specific profile and apply this profile to only the rules that are affected.
Use Case
In our use case, we will enable Antivirus for all traffic generated by internal users. A clone of the default Antivirus
profile will be applied to each rule.
Additionally we will also enable Antivirus for outbound update traffic from the DMZ.
Observations
Logs
Details for each Antivirus alert can be consulted via the Threat log view, under the Monitor tab. The detailed view
for a particular threat will also reference related logs associated with the threat log entry.
Threat Log
User Notification
Users who are attempting to download an infected file will be presented with a Virus Download Blocked message
in the browser. The message and page layout can be customized.
Kill-Chain
Command Actions on
Delivery Exploitation Installation
and Control Objectives
Block
Prevent data
unwanted file
exfiltration and
File Blocking types and
lateral
prevent drive-
movement
by downloads
File Blocking profiles can be used to disrupt the attack kill-chain at the Installation stage by preventing downloads
or uploads of specific file types such as executables. This can be particularly useful in blocking drive-by download
attempts after exploitation where a user is not aware a file is being transferred in the background. File Blocking
profiles can also help in preventing data leakage by preventing file uploads to public hosted services other than
company approved services.
Recommendations
File blocking can be particularly useful in preventing users from downloading and installing unverified software on
company assets and can also prevent drive-by downloads. No predefined file blocking profiles exist, but they are
easy to create. If blocking files is too strict for your environment, you should consider using the Continue action
instead. This will require a user to explicitly confirm a download and provides a simple but effective protection
mechanism against drive-by downloads.
Use Case
In our use case, we will implement the following requirements with regards to file blocking for all user groups
except the IT user group.
- Block executables
- Block torrent files
- Warn the user when downloading encrypted files
The file blocking profile looks as follows:
Observations
Logs
File transfers in sessions matching a rule with a file blocking profile enabled will generate a log entry in the Data
Filtering log view, under the Monitor tab.
User notification
When a file download is blocked, the user will see a block or continue notification in the browser.
Kill-Chain
Command Actions on
Delivery Exploitation Installation
and Control Objectives
WildFire Detect
Detect new Detect new C2
Threat unknown
malicious sites traffic
Intelligence malware
WildFire Analysis results are used to generate signatures for several protection mechanisms. Currently, WildFire
can generate file and dns signatures as well as add malicious URLs to the PAN-DB malware category. As such it
provides a very useful capability to automate the kill-chain disruption approach for unknown malware.
Recommendations
Due to the proliferation of unknown malware it is highly recommended to enable WildFire Analysis for files coming
from locations that are not trusted. WildFire Analysis profiles can be configured to forward files to either the
public-cloud WildFire or a private-cloud WF-500. WildFire is capable of analyzing files of type apk, ms-office, jar,
flash, email-link and pdf in addition to executable file types (PE). To forward these file types to the WildFire
analysis engine, a WildFire Analysis profile needs to be created.
Note: For pre-7.0 deployments, a file blocking profile with an action of forward or continue-and-
forward needs to be created to forward files to WildFire.
Use Case
In our use case, we will enable forwarding of files to the WildFire public cloud for all communication between users
and the untrust zone. In addition, all communication between users and the datacenter will be subject to
forwarding to the WildFire private cloud (WF-500). Finally, all inbound smtp traffic to the mail-relay in the DMZ will
also be subject to forwarding.
Files originating from or destined to a public source are generally allowed to be forwarded to the WildFire public
cloud. So the WildFire Analysis profile that will be used to forward files between users and the untrust zone looks
as follows:
This profile is enabled for all rules that allow users access to the untrust zone.
For files that contain sensitive information or are considered classified, there is the option to have these analyzed
using the WildFire private cloud (WF-500). In our example use case, it is decided that executable files can be
forwarded to the public cloud even if they originate from an internal source, but document files should be
analyzed using the private cloud option. The WildFire Analysis profile looks like this:
Security Policy for user communication to the datacenter with WildFire Analysis profile enabled
Enabling WildFire Analysis for all files received via email requires a WildFire Analysis profile to be enabled on the
rules that allow inbound smtp communication. Additionally, this profile can also be enabled for outbound
communication. The WildFire Analysis profile for our use case looks as follows:
This profile is then enabled on the security rules that allow smtp communication between the DMZ and untrust
zones.
Security Policy for communication between DMZ and untrust zones with WildFire Analysis profile enabled
Observations
Logs
Once a file has been analyzed or verified against the WildFire DB, a log entry will be created in the WildFire
Submissions log view, under the Monitor tab.
Detailed reporting of the WildFire Analysis results are available through the Detailed Log View.
User notification
When a file download is performed and the file is identified as malicious because it matches a WildFire signature,
the file will be blocked according to the settings in the Anti- Virus profile and the user will receive a notification in
his browser.
Kill-Chain
Command Actions on
Delivery Exploitation Installation
and Control Objectives
Prevent DoS
DoS/Zone Prevent L3/L4 attacks and
Protection evasions lateral
movement
While DoS Protection in itself does not provide any mechanism to disrupt the kill-chain, it can assist in reducing the
impact of any cybercriminal action or objective that is aimed at impacting internal or public company services by
performing a DoS or resource starvation attack against.
Maximal Rate
When the Maximal Rate threshold is exceeded, any further packets that match the DoS Protection rule and
classification criteria (in case of a classified profile) will be dropped for the block duration specified. The default
value for SYN-cookie is 1.000.000 which will prevent it from being triggered in almost any environment. You should
adjust this value to match your environment in the following scenarios:
To protect against TCP SYN floods where Random Early Drop is used.
To protect against UDP, ICMP or other IP floods.
Use Case
The following examples will provide some ideas on how to implement DoS Protection profiles.
With only one or more web servers to protect, DoS Protection profiles and rules can be very generic. However, it is
good practice to already plan for future service additions by making the DoS Protection rules as specific as possible.
Requirements:
A DoS Protection profile that protects against SYN floods as well as TCP session exhaustion attacks.
One or more DoS Protection rules that apply the profile to matching traffic.
DoS Protection profile
To protect against SYN Floods, it is advised to use the SYN-cookie mechanism over Random Early Drop as it is
superior in preventing floods to reach the target. Adjust the rate values based on actual session data from the
protected environment.
To protect against session exhaustion, you should balance the advantages and disadvantages of the following
techniques and choose the most appropriate one or a combination for your environment:
Use a classified profile with limited concurrent sessions per source-destination-ip. This will reduce the
impact from a limited botnet attack while maintaining availability for regular clients. If you set the session
Note: you can use negate to assign a specific DoS Protection profile to any source IP address not
from a particular country. This can be a worthwile approach in DDoS defense by limiting sessions
for countries that do not typically fall within the general visitor audience for an enterprises web
site.
Observations
Flood Protection
When enabled and triggered, Flood Protection alerts are sent to the Threat Log. Log entries will display different
values for source and destination zones and addresses depending on the type of DoS Flood Protection that was
configured. Destination port will always show 0.
When set to aggregate, then both source and destination address fields will display 0.0.0.0 and no zone
information is displayed.
Resources Protection
When enabled, Resources Protection will limit the number of concurrent sessions that match the DoS Protection
rule. No log entries will be created when the maximum number is reached. There is a session timeout that will
keep a session in the state table for 30 seconds by default after the session has been ended with FIN/RST. The
result is that the actual number of concurrent active sessions as perceived from the client side may not always
match the maximum number configured in the DoS Protection profile. See Appendix D: Slow HTTP Test Output for
the output of a slowhttptest attack for further clarification.
Kill-Chain
Command Actions on
Delivery Exploitation Installation
and Control Objectives
Prevent DoS
DoS/Zone Prevent L3/L4 attacks and
Protection evasions lateral
movement
Zone Protection can prevent L3/L4 evasions through its Packet Based Attack Protection functionality and can as
such play an important role in disrupting the kill-chain at the Exploitation stage. It can also prevent network/host
scans which are typically used during the Reconnaissance stage.
Recommendations
Zone protection profiles can only be applied to entire zones. Therefore it is important to investigate any possible
issues that may arise when applying zone protection profiles.
Flood Protection
Configure Flood Protection settings based on the number of packets you want to allow to each service behind the
firewall. Settings apply to all traffic that enters the network through any interface in the zone on which the Zone
Protection Profile is active, but a separate counter is maintained for each source IP/destination IP/destination port
tuple.
Reconnaissance Protection
In general it should be safe to enable this feature on external zones. For internal zones however, you should make
sure settings will not negatively affect any monitoring tools that often use the same scanning techniques to
determine if servers and services are up and running.
Packet Based Attack Protection
In general it should be safe to enable this feature on external zones. For internal zones however, you should make
sure settings will not negatively affect network communications from other devices that may rely on some of these
techniques for proper operation.
One specific example is the use of ICMP Ping ID 0, where other devices may use this type of packet to check
availability of hosts they need to communicate with. Blue Coat proxy devices have been known to do this.
L4 evasions
Use Case
In our use case, we will enable a Zone Protection profile for the untrust zone, i.e. the zone where public traffic is
reaching the firewall.
Zone settings
Observations
Flood Protection
Reconnaissance Protection
Reconnaissance protection can detect and block host sweep and TCP & UDP port scans. It will trigger when the
amount of scan packets exceeds the thresholds within the intervals specified.
TCP and UDP Port scan will trigger when a TCP or UDP port scan is executed against a single host and the
scan packet rate exceeds the configured threshold.
Host Sweep will trigger when a range of hosts is scanned on specific ports either through TCP, UDP or
ICMP.
When enabled and triggered, Reconnaissance Protection alerts are sent to the Threat Log.
Recommendations
The Automated Correlation Engine uses Correlation Objects which are by default all enabled. Correlation Objects
can be viewed and enabled/disabled via Monitor > Automated Correlation Engine > Correlation Objects.
Observations
Correlated events can be viewed under Monitor > Automated Correlation Engine > Correlated Events.
Recommendations
The behavioral botnet report is enabled by default. It will run on a daily basis and generate a report on the
detected behaviors for the previous day. It may be required to further tune the default detection threshold values
based on the initial report findings.
Default
Allow
Alert
Drop
Reset-both
Reset-client
Reset-server
Block-IP
For the Antivirus feature, the default action is not set on a per-signature basis, but configured and applied per
protocol.
Below are the available actions that can be applied to Antivirus events.
Allow
Alert
Drop
Reset-client
Reset-server
Reset-both