PCNSE - Protection Profiles for Zones and DoS Attacks
Multisession DoS Attacks
A multisession DoS attack can be launched from a single host or multiple hosts. Such an attack is characterized on the firewall by a high rate of CONNECTIONS PER SECOND (CPS), where each connection is an attempt to initialize a new firewall session. If a multisession DoS attack is launched from multiple hosts, then the attack is known as a distributed denial-of-service (DDoS) attack. You monitor the firewall CPS rate using the CLI operational command show session info | match "Number of allocated sessions".
In which firewall configuration component can you use an EDL of type Domain List?
Anti-Spyware Profile
Flood Threshold Recommendations: DoS Blocker
Alarm: 15-20% above baseline
Activate: ~10% above alarm rate threshold
Maximum: ~20% above activate threshold
True or false? DoS Protection policy is applied to session traffic before a Zone Protection Profile.
False
Which type of protection is provided by both a Zone Protection Profile and a DoS Protection Profile?
Flood
Create a Dynamic Address Group (DAG) - Commit Not Needed
IP address membership in a dynamic address group (DAG) can fluctuate, but membership changes do not require you to perform a commit operation. Membership in a DAG is determined using tag names or tag-based filters. A tag name or a tag filter is used to dynamically assign the address to the proper group. After you have created the DAG, add the group to either the Source Address or Destination Address field in a policy rule. The rule uses any IP addresses assigned to the tag as match conditions.
Security Profiles - Data Filtering
Identifies and blocks transfer of specific data patterns found in network traffic.
Block Known-Bad IP Addresses
Multiple methods are available to add a source or destination IP address to a Security policy rule.
Recategorization Request: Via Log Entries
Requests for recategorization can be submitted through the Request Categorization Change link in the Details window of a URL Filtering log entry. The link redirects the browser to the Request Categorization Change form that submits change requests to Palo Alto Networks. The requests are reviewed by a human, so you must include comments. Requests often are processed within 24 hours.
In which three locations can you configure the firewall to use an EDL? (Choose three.)
Security policy, URL Filtering Profile, Anti-Spyware Profile
Which firewall configuration component is used to block access to known-bad IP addresses?
Security policy
PAN-OS Denial-of-Service Protections
The firewall provides DoS protections that mitigate Layer 3 and 4 protocol-based attacks. DoS protections use packet header information to detect threats rather than signatures. The DoS protections are not linked to Security policy and are employed before Security policy.
True or false? A best practice is to enable the "sinkhole" action in an Anti-Spyware Profile.
True
True or false? The implementation of network segmentation and security zones can reduce your network's attack surface.
True
Finding URLs matched to the not-resolved URL category in the URL Filtering log file might indicate that you should take which action?
Validate connectivity to the PAN-DB cloud.
Control URL Access for Specific Users
You must enable User-ID on the source zone. Then add a predefined or custom URL category to a policy rule that includes match criteria for the Source User. If you configure the rule action as "deny," user or group traffic matching the rule criteria will not be able to access the websites. If the rule action is "allow," then only user or group traffic matching the rule criteria will be allowed access.
End Host Protection
(Control at Egress) The DoS Protection policy and DoS Protection Profiles provide session-based flexible rules and matching criteria that enable you to protect destination zones or even specific end hosts such as web servers, DNS servers, or any servers that are critical or historically have been prone to DoS attacks.
Zone-Based Protection
(Control at Ingress) A Zone Protection Profile provides pre-session, broad-based, comprehensive DoS protection at the edge of your network to protect your enterprise from DoS attacks. The Zone Protection Profile acts as a first line of defense for your network. It provides:
- Pre-session flood protection
- Reconnaissance protection
- Packet- and protocol-based protections on ingress traffic
Reconnaissance Threshold Recommendation
- Start with the default interval and threshold values
- Set the Action to 'Alert' to establish a baseline
- Set the interval and threshold above the baseline
- Monitor the Threat log for false positives and adjust the thresholds
- Set the action to 'Block' or 'Block IP'
- Continue to monitor and adjust the thresholds over time
URL Filtering Flow
1) Check Security Policy: If the Security policy rule denies the traffic, then the traffic is blocked. If the Security policy rule allows the traffic, then the firewall checks for the presence of a URL Filtering Profile. If no profile exists, then the traffic is allowed. In either case, if the rule has logging enabled, then the traffic is logged to the Traffic log.
2) URL Filtering Profile Exists: The firewall checks the profile's configured actions in the Site Access column for each URL category. The Site Access column lists all custom and predefined URL categories. Each category has a default action listed, but you can specify an alternate action. The actions are "alert," "allow," "block," "continue," and "override." The traffic is matched to a category, and the firewall takes the action specified for that category. Note: If a URL is matched to both a custom URL category and a predefined URL category, the action for the custom URL category takes precedence.
3) Action in Profile: The URL Filtering Profile logs information about the traffic and the action taken to the URL Filtering log. If a URL is matched to multiple URL categories, then the Category column lists the URL category that triggered the action taken. The URL Category List column lists all URL categories the URL matched.
Discard a Session Abusing the Packet Buffer
1) Identify Offending Sessions: Run the CLI operational command show running resource-monitor ingress-backlogs on any PA-3x00, PA-5x00, or PA-7000 Series firewall. The command output reports, for each slot and data plane, the top five sessions that use more than 2 percent of the packet buffer, the packet buffer percentage used, the source IP addresses associated with those sessions, and the application name. Note that virtual firewalls do not have a hardware-based packet buffer. If packets use a common TCP or UDP port but the CLI output indicates an application of "undecided," the packets could be attack traffic. The application is "undecided" when App-ID decoders cannot get enough information to determine the application. An application of "unknown" indicates that App-ID decoders cannot determine the application. A session with an unknown application that uses a high percentage of the packet buffer is suspicious.
2) Discard an Offending Session: To discard an offending session, run the CLI operational command request session-discard id <session_id>. If packet buffer protection is enabled, then the firewall might discard an offending session automatically. The session is discarded if it exceeds the packet buffer protection Activate threshold for longer than the Block Hold Time timer.
Packet-Based Attacks
A Zone Protection Profile checks IP, IPv6, ICMP, ICMPv6, TCP, and UDP packet header parameters and protects against packet-based attacks in two ways:
1) It can drop an entire packet that has undesirable characteristics.
2) It can strip undesirable options from TCP packet headers.
An example of a dangerous TCP option is the Record Route option. If this option is set, then the TCP packet header records the IP addresses of the devices a packet traversed to get to its destination. This information can be used to gather network reconnaissance for use in a later attack.
DoS Protections and Security Policy Interaction - Stages
1) Session Match: The firewall applies Zone Protection Profiles only to packets that do not match an existing session.
2) Zone Protection Profile: The firewall applies the Zone Protection Profile, if one exists for the zone. If the Zone Protection Profile denies the packet, then the packet is discarded and no DoS Protection policy rule or Security policy lookup occurs.
3) DoS Protection Policy Rules: The firewall performs a DoS Protection policy rule lookup. Even if a Zone Protection Profile allows a packet based on the total amount of traffic going to the zone, a DoS Protection policy rule and DoS Protection Profile might deny the packet if it exceeds the flood protection or resource protection settings in the DoS Protection Profile. If the packet matches a DoS Protection policy rule, then the firewall applies the rule to the packet. If the rule denies access, the firewall discards the packet and does not perform a Security policy lookup. If the rule allows access, the firewall performs a Security policy lookup.
4) Security Policy Rule: The firewall performs a Security policy lookup, which happens only if the Zone Protection Profile and DoS Protection policy rules allow the packet. The firewall discards the packet if it finds no Security policy rule match for it. The firewall applies the rule to the packet if it finds a matching Security policy rule.
5) Security Policy Enforced in Both Directions: The firewall enforces the Security policy rule on traffic in both directions (client-to-server and server-to-client) for the life of the session.
DoS Protection Policies and Profiles
A DoS Protection policy and DoS Protection Profiles are designed to work with Zone Protection Profiles. A Zone Protection Profile protects an ingress zone, and a DoS Protection policy and DoS Protection Profile protect a destination zone or destination host. DoS Protection policy rule actions:
Protect: Apply an Aggregate Profile or a Classified Profile.
- Aggregate Profile: Apply limits to all matching traffic. An Aggregate Profile enables the creation of a maximum session limit for all connections matching a DoS Protection policy rule. The threshold applies the maximum session limit to all IP addresses that match the policy rule. If new sessions created for a single source IP address cause the maximum session limit to be exceeded, then no new sessions can be created for any other IP addresses matched to the DoS Protection policy rule.
- Classified Profile: Apply limits to specific IP addresses. A Classified Profile enables the creation of a session limit that applies to just a single IP address. You configure whether that IP address is matched to the source address, the destination address, or either the source or destination address. For example, you can configure a maximum session limit per IP address that will prohibit new sessions for just a specific source IP address after that source IP address has exceeded the limit.
Allow: Allow all packets.
Deny: Deny all packets.
Flood Protection
A Zone Protection Profile protects against most common TCP SYN, UDP, ICMP, and other IP-based flood attacks. Flood Protection is similar to Zone Protection and protects a destination zone. A session exhaustion attack typically is launched using a large number of source hosts to create as many fully established sessions as possible on a target host. This type of attack is difficult to detect because the sessions might be used to send requests that look valid to the target host. The Threat log can then be used to view the threats after DoS Protection Profiles are enabled and triggered.
Security Profile Group
A Security Profile Group is a set of Security Profiles that are treated as a unit to simplify the task of adding multiple Security Profiles to a Security policy rule.
Unknown URLs
A URL matched to the unknown URL category indicates that the URL has not yet been categorized, so it does not exist in the URL filtering database on the firewall or in the URL cloud database. Although you initially might set the action to "alert" for unknown websites, you always should analyze the URL Filtering log to determine known-good websites and create Security policy rules to allow them. Then you should consider blocking access to websites categorized as unknown.
Zone Protection: Protocol Protection
A firewall normally passes non-IP protocol traffic between Layer 2 or virtual wire security zones. Configuring Protocol Protection enables you to control which non-IP protocols are allowed to flow between these security zone types. Zone Protection Profiles can be accessed at Network > Network Profiles > Zone Protection > Add.
Exclude List: To block specific non-IP protocol traffic, select Exclude List and then create a protocol exclusion list. In this example, the firewall allows all non-IP traffic except NetBEUI traffic.
Include List: To allow only specific non-IP protocol traffic, select Include List and then create a protocol inclusion list. In this example, if you want the firewall to pass only EtherTalk packets, then create an include list that contains only Ethertype 0x809B.
Single-Session DoS Attacks
A single-session DoS attack is launched from a single host. The source host transmits as much data as possible to the destination. These attacks are characterized by a high packet rate in an established firewall session. You monitor the packet rate using the operational CLI command show session info | match "Packet rate".
Reconnaissance Protection Firewall Actions
Allow: Permits port scan or host sweep attempts.
Alert: Generates a Threat log entry for each scan that exceeds the Threshold within the specified time interval.
Block: Drops all packets from the source that exceed the Threshold within the specified time interval. Also creates a Threat log entry.
Block IP: Drops all packets that exceed the Threshold within the specified time interval. Sub-options:
- Source: Blocks traffic from the source IP address.
- Source-and-destination: Blocks traffic for the source IP-destination IP pair.
HTTP Header Logging
An HTTP request header might include the attribute-value pairs User-Agent, Referer, or X-Forwarded-For. To log these attribute-value pairs in the URL Filtering log, enable their corresponding options on the URL Filtering Settings tab. Palo Alto Networks highly recommends that you enable these options because enablement supports the analysis of indicators of compromise.
Security Profile Types (8):
Antivirus, Anti-Spyware, Vulnerability Protection, URL Filtering, File Blocking, Data Filtering, WildFire Analysis, DoS Protection
Which three options describe characteristics of packet buffer protection? (Choose three.)
Applied per zone. Enabled or disabled per firewall. Protects against single-session DoS attacks.
Block Access to Specific URLs
Before access to a specific URL can be blocked, you must add the URL to a custom URL category. Then add the custom URL category as a match condition in the Security policy. You cannot add an individual URL as a match condition to a Security policy rule.
Use a Security Policy "Deny" Rule
Built into a security policy as setting/option: You should block access to risky URL categories for most employees. The recommended list of risky URL categories to block includes command-and-control, dynamic-dns, hacking, high-risk, malware, phishing, and unknown. Other URL categories to consider blocking include adult, extremism, new-registered-domain, parked, proxy-avoidance-and-anonymizers, and questionable.
URL Filtering Features
Cached URL Entries: The size of the cache depends on the firewall model and ranges from a few hundred thousand URLs to a few million URLs. The firewall backs up the cache to disk every eight hours and after a firewall is rebooted by an administrator. Cached entries expire based on timeouts included in the database for each URL. These timeouts are not configurable. If a URL is not found in the cache, the firewall contacts the PAN-DB cloud servers for the lookup. The firewall will cache these URL lookups to expedite future lookups. The firewall does not require a nightly download of a URL Filtering file, because all updates are downloaded dynamically from the cloud as needed.
Filter SSL Encrypted Traffic: The firewall can apply URL filtering to SSL encrypted traffic even if the traffic is not decrypted. The URL category can be matched to a Security policy rule even with SSL encrypted traffic because the URL information is seen in cleartext. App-ID would identify the application as SSL.
Reduce Attack Surface: Use URL filtering to reduce your organization's attack surface and to disrupt the cyberattack lifecycle. For example, URL filtering disrupts the delivery or command-and-control stage of the cyberattack lifecycle. The URL Filtering feature controls access to specific URLs, websites, and website categories, or generates an alert in the URL Filtering log when URLs are accessed.
Block URL Categories: Two methods are available to block access to risky URL categories. The first method is to add the URL categories as match conditions to a Security policy deny rule. URL categories can be used as matching criteria in Security, QoS, Decryption, and Authentication policy. The second method is to control access to URL categories using a URL Filtering Profile attached to a Security policy "allow" rule.
Security Profiles - URL Filtering
Classifies and controls web browsing based on content.
Palo Alto recommends blocking access to the following URL categories:
Command-and-Control, Dynamic-DNS, Hacking, High-Risk, Malware, Phishing, Unknown
Security Profiles - Vulnerability Protection
Detects attempts to exploit known software vulnerabilities.
Security Profiles - Antivirus
Detects infected files being transferred with the application.
Security Profiles - Anti-Spyware
Detects spyware downloads and traffic from already installed spyware. May attach EDL to profile.
Zone Protection Profiles and End Host Protection
DoS protection in PAN-OS® software includes zone-based protection and end host protection capabilities to mitigate DoS attacks. You should deploy them in tandem to achieve the best results against the various DoS attacks observed on the internet today. Zone protection will be enforced before DoS Protection policy if an IP address happens to match both.
External Dynamic List Type - Domain
Firewall Log: Threat. Log Fields: NAME.
External Dynamic List Type - IP Address
Firewall Log: Traffic, Threat, Decryption, Tunnel Inspection, Unified. Log Fields: SOURCE EDL, DESTINATION EDL.
External Dynamic List Type - URL
Firewall Log: Traffic, URL Category, Tunnel Inspection. Log Fields: SOURCE EDL, DESTINATION EDL.
DoS Protection Implementation Strategies
Flood Detector: To configure the flood threshold settings for DoS detection only, configure the Alarm Rate threshold at a lower, conservative value and configure the Activate and Maximum thresholds to absurdly high values. These flood settings ensure that the firewall detects a DoS attack at a low CPS rate while also ensuring that packets are not dropped by the firewall.
Flood Blocker: To configure the flood threshold settings for DoS detection and DoS blocking, configure the Alarm Rate threshold at a lower, conservative value and configure the Activate and Maximum thresholds to equally conservative values.
Flood Protection Alerts
Flood Protection alerts, when enabled and triggered, are sent to the Threat log. Log entries show the zone name for which the profile was triggered in the source and destination zone fields.
Security Profiles - WildFire Analysis
Forwards unknown files to the WildFire service for malware analysis.
Zone Protection: Network Reconnaissance
Host Sweep: Host sweeps attempt to contact multiple hosts to determine which hosts are running and whether specific ports are open and vulnerable.
Port Scan: Port scans discover open ports on hosts in a network. A port scanning tool sends requests to a range of port numbers on a host, with the goal of locating an open port to exploit.
DoS Examples
ICMP Flood: An ICMP flood leverages misconfigured network devices by sending spoofed packets that ping every computer on the targeted network, instead of just one specific machine. This attack has also been called the smurf attack or the ping of death.
TCP SYN Flood: A TCP SYN flood continually initiates but never completes the TCP three-way handshake. This behavior continues until all available network buffers are consumed and no buffers remain available for legitimate TCP connections.
EDL (External Dynamic List)
If a website formats a list as one IP address per line, then the list can be accessed by the firewall as an EDL. The EDL can be used in Security policy rules to block access to the malicious IP addresses. The list must be formatted as a single IP address per line. All firewall models support a maximum of 30 EDLs. The supported maximum number of IP addresses varies per firewall model. A single EDL could contain up to the supported maximum number of IP addresses. Malicious IP list added to web server => firewall accesses the list as an EDL from the web server.
DoS Protections and Security Policy Interaction - Summary
If the packet does not match an existing session, then the firewall uses Zone Protection Profiles, DoS Protection Profiles and policy rules, and Security policy rules to determine whether to establish a session or discard the packet.
Malicious Domain Lists (MDL)
If the third-party website formats the list as one domain per line, then the list can be accessed by the firewall as an EDL.
Latency Versus Buffer Utilization Protection:
If you are using hardware firewalls and your traffic includes protocols or applications that are latency-sensitive, then packet buffer protection based on latency will be more helpful than packet buffer protection based on buffer utilization. Packet buffer protection based on latency is available only on the 3200, 5200, and 7000 Series firewalls and is not supported on the VM-Series firewalls. To enable packet buffer protection, browse to Device > Setup > Session > Session Settings and select the Buffering Latency Based check box.
View Malicious Domains in the Threat Log
If you find a "sinkhole" action in the Threat log, then filter the Traffic log for the sinkhole IP address. Any host in the Traffic log that has attempted to connect to the sinkhole address could be a host infected with malware that is attempting to phone home. In a typical deployment where the firewall is north of the local DNS server, the Threat log identifies the local DNS resolver as the Source Address rather than the actual infected host; the actual infected host is not logged there. If the firewall is south of the local DNS server, then the Source Address identifies the infected host.
If you see a sinkhole in the Threat log: Filter the Traffic log to see which hosts are attempting to connect to the sinkhole IP address. Hosts attempting to connect to the sinkhole address could be infected. Check the logs daily or run a daily report.
HTTP Header Insertion and Modification
Inserting SaaS Application-Defined Headers: You can have the firewall insert SaaS application-defined headers that the SaaS servers use to determine whether a user gets access to the application. The value associated with the header typically is a username, a domain name, or both.
Configuring HTTP Header Insertion Entries: You configure HTTP header insertion entries for four predefined SaaS applications: Dropbox, Google, Office 365, and YouTube. If you want to perform HTTP header insertion for an application that has not been predefined, you can create a Custom type. Custom types allow you to insert custom HTTP headers, but you also can use them to manage standard HTTP headers. Additional predefined types may be available in future content updates.
EDL Traffic Matching
Log fields and an EDL-specific threat category enable you to prioritize your most effective EDLs first and correct an EDL that is prone to false positives. When traffic matches an entry that appears in multiple EDLs, the firewall will only log the first list that matches the traffic. EDL monitoring can monitor only three types of EDLs: IP addresses, URLs, and domains. If traffic matches an EDL attached to one of your policy rules, the log fields tell you which list is associated with each rule. The type of EDL determines where the list appears in the logs.
DoS Mitigation
Mitigate a Multisession DoS Attack: To mitigate a DDoS attack, configure a firewall Zone Protection Profile, work with your ISP to block the attack, or deploy a third-party anti-DDoS application.
Mitigate a Single-Session DoS Attack: To mitigate a single-session DoS attack, enable firewall packet buffer protection or manually discard the offending session using the CLI operational command request session-discard id <session_id>.
Recategorization Requests: Via Webpage
On the Test A Site webpage, type your URL and click Search. The details of your URL are displayed along with a Request Change link. To request a recategorization, click the Request Change link, complete the web form with the details of your change request, and then click Submit. The Test A Site webpage also is useful for discovering a URL's assigned URL category. Knowledge of a URL's assigned category is useful for configuration of the URL Category field in Security policy rules and also for configuration of the URL categories in the URL Filtering Security Profiles.
What is the most important traffic direction on which to configure a URL Filtering Profile?
Outbound
Reconnaissance Protection
PAN-OS software monitors port scans and host sweeps using an events-per-time-interval measure.
Port Scans: The Interval is the number of seconds in which to detect a given number of port scan events. The Threshold is the number of scanned-port events, within the specified time Interval, that will trigger the reconnaissance protection action.
Host Sweeps: The Interval is the number of seconds in which to detect a given number of host sweep events. The Threshold is the number of scanned-host events, within the specified time Interval, that will trigger the reconnaissance protection action.
Which protection method can be used to mitigate single-session DoS attacks?
Packet Buffer Protection
Packet Buffer Protection: Percent of Buffer Used
Packet buffer protection enables you to protect your firewall and network from single-session DoS attacks. In a single-session DoS attack, a single session from a single source sends multiple packets with the goal of overwhelming the firewall packet buffer, thus causing legitimate traffic to be dropped. Packet buffer protection is session-based and applied per zone. Packet buffer protection based on percent of buffer used is available on all firewall models.
Firewall Packet Buffer: After you enable packet buffer protection on the firewall, the firewall monitors how sessions from all zones use the firewall packet buffer.
Alert and Activate Thresholds: By default, the Alert and Activate thresholds are set to the same 50 percent value so that logging and packet dropping begin at the same time.
Alert Threshold: If you enable packet buffer protection on a specific ingress zone and a session in that zone exceeds the configured Alert threshold, then the firewall creates an alert entry in the System log.
Activate Threshold: If a session reaches the Activate threshold, then the firewall mitigates the resource over-consumption by using RED to drop packets in the session, and the firewall starts the configurable Block Hold Time timer.
RED and Session Discard State: If the firewall uses RED but cannot reduce packet buffer use below the Activate threshold by the time the Block Hold Time timer expires, then the firewall places the session in the discard state. Sessions in the discard state can have their packets discarded by the firewall.
URL Filtering
Palo Alto Networks maintains the PAN-DB URL filtering database that groups websites into categories. A firewall with a valid URL Filtering license can use the PAN-DB database to filter user access to websites. PAN-DB requires a license; admin-defined (custom) URL categories do not. An administrator can create custom URL categories and use them as match criteria in firewall policy rules even if the firewall does not have a URL Filtering license. URL categories can be used in Authentication, Decryption, QoS, and Security policies.
DNS Sinkhole
Palo Alto Networks makes malicious domain signatures available to firewalls with active Threat Prevention licenses. The DNS Sinkhole feature uses the malicious domain signatures to enable you to quickly identify possibly infected network hosts. The default sinkhole IP address is provided by Palo Alto Networks. You do not need to configure access to this IP address, because the sinkhole IP address does not have to belong to a real host. The DNS Sinkhole operation involves forging responses to malicious DNS domain queries so that DNS clients attempt to connect to the specified sinkhole IP address rather than to a known-malicious domain. After a DNS client attempts to connect to the sinkhole IP address, the connection attempt is logged in the Traffic log. Filter the Traffic log by the sinkhole IP address to determine which hosts have attempted to connect to it. These log entries provide an indication of possibly infected hosts.
Predefined Malicious IP Lists
Palo Alto Networks provides and maintains three predefined, read-only malicious IP address lists that you can use in Security policy rules to block access to malicious hosts. These lists are available when you have an active Threat Prevention license. Palo Alto Networks delivers updated versions of these lists as part of the firewall daily Antivirus content updates. Entries from the most recent versions of the lists replace the entries from older versions.
Which DoS Protection policy action must you configure to ensure that the firewall consults a DoS Protection Profile?
Protect
Which option describes a characteristic of a Zone Protection Profile?
Protects ingress ports of an assigned zone.
URL Admin Settings - Redirect and Transparent Mode
Redirect: Redirect mode ensures that the block page originates from a Layer 3 or loopback interface on the firewall. The configured IP address or DNS hostname that you enter must match the Layer 3 or loopback interface IP address. You must assign to the interface an Interface Management Profile that permits response pages. The firewall intercepts the user's HTTP request and redirects it to the configured IP address on the firewall. The firewall responds by sending a webpage to the user requesting the URL Admin Override password. If the user enters the correct password, then the firewall redirects the user back to the original URL that they requested. Otherwise, the user is denied access. Redirect mode also supports session cookies and is the recommended mode.
Transparent: Transparent mode ensures that block pages appear to originate from the blocked website. The firewall impersonates the web server in the original request and prompts for a password. If the connection is to an SSL-enabled website and the browser does not trust the firewall's SSL forward trust certificate, the user's browser reports a certificate error. Transparent mode is required only if no Layer 3 interfaces are configured on the firewall. Transparent mode does not require you to configure an IP address.
Inserting an X-Authenticated-User Header
Starting with PAN-OS 9.1, you can use the Dynamic Fields option to have the firewall insert an X-Authenticated-User header that specifies the user's name, domain name, or both. You might insert this HTTP header to enable a secondary device to receive the user's information and enforce additional user-based policy. When you configure a secondary enforcement device to help enforce user-based policy, the secondary device must have a way to receive user information. Transmission of user information to downstream devices often requires deployment of redundant methods that can result in a negative user experience, for example, users having to log in multiple times. If you share the user's identity by having the firewall insert it in an HTTP header, you can enforce user-based policy without negatively impacting the user's experience. Select the Log check box to ensure that the header insertion event is recorded in the firewall's URL Filtering log.
Packet-Based Attacks: Drop Entire Packet
Stripping undesirable options from packets is another option to protect from packet-based attacks.
show session info
The CLI operational command show session info also reports the packet rate and new connection establish rate, which you can use to help determine appropriate flood thresholds.
Denial-of-Service Attacks
A DoS attack deprives legitimate users of access to the service or resource they expected. Though DoS attacks typically do not result in the theft or loss of significant information or other assets, they can cost the victim substantial time and money.
Multi-Category and Risk-Based URL Filtering
The PAN-DB URL filtering cloud assigns multiple categories to websites to indicate recently registered domains, how risky a website is, the website's content, and the website's purpose or function. The three risk categories indicate that a website is showing varying levels of suspicious activity but has not been confirmed as a malware or phishing site:
Low Risk
Medium Risk
High Risk
The newly-registered-domain category is for websites that have been registered within the last 32 days:
Newly Registered Domain
A website keeps a security-related category until it no longer meets the criteria for that category. To enable multi-category and risk-based URL filtering, you must enable the firewall to connect to the PAN-DB server.
BEST PRACTICE - Block high-risk and newly-registered-domain in URL Filtering Profiles.
Connection Rates
The firewall determines connection rates by tracking the packets per second sent from one or many sources to one or many ingress interfaces in the zone. The rates effectively are treated as connections per second because only packets that are not already associated with an existing session are counted.
Safe Search Enforcement
The Safe Search Enforcement option, if enabled, prevents users who use the Google, Yahoo, Bing, Yandex, or YouTube search engines from viewing search results unless their browser is configured with the strict safe search option. Users see a URL filtering block page in their browsers if you enable this feature. If SSL is used, you must enable decryption for Safe Search Enforcement to function. To help enforce safe searching, you can add a Security policy rule to prevent access to other search providers. If the Log container page only option is enabled in a URL Filtering Profile, only the URL of the main container page is logged, not the URLs of subsequent pages that might be included within the container page. URL filtering can generate many log entries, so you might want to leave this option enabled.
Flood Protection Methods
Random Early Drop (RED) - ALARM, ACTIVATE, MAXIMUM: RED uses three CPS thresholds labeled Alarm Rate, Activate, and Maximum. SYN packets that do not match an existing session are logged to the Threat log if the packet rate exceeds the Alarm Rate threshold. However, RED is not activated until the SYN packet rate exceeds the Activate threshold. After the SYN packet rate exceeds the Activate threshold, the firewall begins to randomly drop packets. The rate at which the firewall drops packets increases as the packet rate rises toward the Maximum threshold. Once the Maximum threshold is reached, the firewall drops all SYN packets that exceed it. If you configure RED, the firewall will drop some legitimate traffic along with flood traffic, but RED is CPU-efficient and handles large volumes of traffic well.
SYN Cookies - SYN cookies are the recommended method because they do not drop legitimate traffic, even though maintaining half-open TCP connections on behalf of the TCP servers requires more data plane CPU and memory resources. Do not enable SYN cookies if your data plane CPU is nearing maximum use.
Which statement is true about a URL Filtering Profile's continue password?
There is a single, per-firewall password.
If a DNS Sinkhole is configured, any sinkhole actions that indicate a potentially infected host are recorded in which log type?
Threat
EDL List Capacities
To display the supported maximums of your firewall, browse: Objects > External Dynamic Lists and click List Capacities.
Not-Resolved URLs Issue
To verify current connectivity to the PAN-DB cloud service, use the CLI command show url-cloud status.
Security Profiles - File Blocking
Tracks and blocks file uploads and downloads based on file type and application.
URL Filtering Response Pages
URL category with a configured action of "block," "continue," or "override"... A user who successfully uses the continue or override response page has access for 15 minutes to the URL category associated with the URL that generated the event, and during that time the response page is not presented again. This timeout is configurable at Device > Setup > Content-ID > URL Filtering. The override password is set at Device > Setup > Content-ID > URL Admin Override. A firewall can have only one URL Admin Override password. URL filtering response pages in a Layer 3 environment require a Layer 3 interface on the firewall with an Interface Management Profile configured to allow response pages. Response pages also work in a virtual wire configuration.
Sinkhole Action
When the "sinkhole" action is taken, the firewall does not forward the query to the next DNS server. Note that the predefined default and strict Anti-Spyware Profiles are not configured to use the "sinkhole" action. Before you can use the "sinkhole" action, you must create a custom Anti-Spyware Profile.
Zone Protection: Ethernet SGT Protection
When your firewall is part of a Cisco TrustSec network, the firewall can inspect headers with 802.1Q (Ethertype 0x8909) for specific Layer 2 security group tag (SGT) values and drop the packet if the SGT matches the list configured in the Zone Protection Profile attached to the interface. You apply the Zone Protection Profile to a security zone configured with a Layer 2 or virtual wire interface. When you configure Ethernet SGT protection, you enter one or more Tag values for the list; the range is 1 to 65,535. You can enter individual entries or a contiguous range of tag values (for example, 100 to 500). You can add up to 100 individual or range tag entries in an exclude list.
Configure Packet Buffer Protection Based on Latency
With the release of PAN-OS 10.0, packet buffer protection based on packet buffer utilization is enabled by default on all firewalls globally and for each zone. As an alternative to packet buffer protection based on utilization, you can configure the hardware firewalls to trigger packet buffer protection based on packet latency caused by data plane packet buffering, which indicates congestion on the firewall. Packet buffer protection mitigates head-of-line blocking by alerting you to the congestion and performing RED on packets. Packet buffer protection based on latency can trigger protection before latency-sensitive protocols or applications are affected.
Real-Time Webpage Analysis
With the release of PAN-OS 10.0, you can prevent malware variants of JavaScript exploits and phishing contained in webpages from entering your network in real time by using a firewall-based classification engine that leverages PAN-DB cloud analysis and machine learning inline analysis. The real-time webpage analysis classification engines are configured through your URL Filtering Profile and require an active PAN-DB URL Filtering license. Real-time webpage analysis is not supported on the VM-50 and VM-50 Lite virtual appliances. To configure real-time webpage analysis, you create a new URL Filtering Profile or update an existing one to use the real-time webpage analysis classification engine. Next, you define a policy action for each classification engine that you added to the Antivirus Profile. URL exceptions can be added to a URL Filtering policy to exclude specific URLs, such as false positives. To add a URL exception, use a pre-existing URL-based EDL or create a new one.
Policy Actions:
BLOCK - The website is blocked. The user sees a response page and cannot continue to the website. A log entry is generated in the URL Filtering log.
ALERT - The website is allowed and a log entry is generated in the URL Filtering log.
ALLOW - The website is allowed, and no log entry is generated.
EDL (External Dynamic List) Monitoring
With the release of PAN-OS® 10.0, you can identify when traffic matches an EDL. Log fields and an EDL-specific threat category enable you to prioritize your most effective EDLs first and correct an EDL that is prone to false positives.
Create a Static Address Group - Commit is Needed
You also can add malicious IP addresses to a static address group and then use the group in Security policy rules. However, the list of known-bad IP addresses can change quickly, so a static address group could become out of date.
Create an Address Object
You can add malicious IP addresses to an address object and then use the object in Security policy rules. However, the list of known-bad IP addresses can change quickly, so a static address object could become out of date.
DNS Signature Match Protection
You can apply different actions to traffic matching a malicious domain signature or domain name. The actions are "alert," "allow," "block," and "sinkhole." The default and recommended action is "sinkhole" because it protects your environment and also provides increased visibility into hosts that might be infected. You can either use the sinkhole FQDN supplied by Palo Alto Networks or you can configure a real host and IP address as the sinkhole address. A real host should reside in a different security zone than the DNS client because only network traffic that traverses security zones is logged by the firewall. One reason to use a real "sinkhole" host is to enable you to analyze the behavior of an infected host on the network.
DoS Protection Policies and Profiles - Rule Match Criteria
You can configure DoS Protection policy rules to use zone names, interface names, IP addresses, usernames, or service names as match conditions for blocking DoS attacks.
Source Address Exclusion List
You can whitelist up to 20 source IP addresses or address objects on the Source Address Exclusion list. The list accepts fully qualified domain names, specific IP addresses, IP address ranges, IP subnets, or IP address groups. Traffic that matches an address on the list is recorded in the Traffic log as an informational alert. You can create allow lists at Network > Network Profiles.
Packet-Based Attacks: Drop Entire Packet
You select the drop characteristics for each packet type when you configure packet-based attack protection in the Zone Protection Profile. You can drop malformed IP packets, TCP SYN and SYN-ACK packets that contain data, and fragmented ICMP packets. Each packet type has a set of characteristics and options that you select to control whether the firewall drops a packet.
Security Profiles:
Create different levels or roles of system users and access, allowing each user access only to those portions of the system that fall under that user's role. Security Profiles are not necessary for Security policy rules configured with the "deny" action, because no further processing is needed if the network traffic will be blocked. As with Security policy rules, Security Profiles are applied to all packets over the life of a session. Security Profiles give you more granular control over allowed traffic. Security Profiles log detected threats to the logs found at Monitor > Logs.