Module 6

Threat Prevention

IPS — Vulnerability Protection Profiles

Intrusion Prevention System (IPS) functionality in PAN-OS is implemented through Vulnerability Protection profiles. These profiles define how the firewall responds to detected exploit attempts against known CVEs and vulnerabilities.

Severity Levels

Severity      | Description                                                    | Recommended Action
Critical      | Remote code execution, pre-auth exploits, CVSS 9.0+            | block-ip (quarantine source)
High          | Privilege escalation, significant data exposure, CVSS 7.0–8.9  | reset-server or reset-both
Medium        | Partial information disclosure, CVSS 4.0–6.9                   | drop or reset-server
Low           | Minor information leakage, CVSS 0.1–3.9                        | alert
Informational | Reconnaissance, probing, policy violations                     | alert

IPS Actions

  • allow — permit the traffic (no action on threat; use only for testing)
  • alert — permit traffic but generate a Threat log entry
  • drop — silently drop the offending packet; session may continue
  • reset-client — send TCP RST to the client; terminate the client connection
  • reset-server — send TCP RST to the server; terminate the server connection
  • reset-both — RST both client and server connections
  • block-ip — block all traffic from the source IP for a configurable duration (30–3600 seconds)

Inline IPS vs Alert Mode

Start with Vulnerability Protection profiles in alert mode for 2–4 weeks to identify false positives in your environment before switching to blocking actions. A misconfigured IPS in block mode can break legitimate applications.

Antivirus Scanning

The Antivirus profile controls which file transfers are scanned and which actions are taken on detected malware. PAN-OS scans at the protocol level — it decodes HTTP, SMTP, FTP, and other protocols to extract file content for scanning.

  • File types covered: PE executables, Office documents, PDF, scripts, archives (ZIP, RAR), Java, Flash
  • Protocols decoded: HTTP, HTTPS (requires SSL decryption), FTP, SMTP, IMAP, POP3, SMB
  • Signature updates: delivered via content updates, typically multiple times per day
  • WildFire integration: unknown files not matched by AV signatures are forwarded to WildFire
  • Direction control: set different actions for uploads vs downloads

WildFire — Cloud Sandboxing

WildFire is Palo Alto Networks' threat intelligence and sandboxing cloud service. Unknown files are submitted to WildFire for behavioral analysis in a real execution environment. Within minutes (or seconds for real-time verdicts with a WildFire subscription), a verdict is returned.

WildFire Verdict Types

Verdict  | Meaning                                       | Action
Benign   | File is safe; no malicious behavior observed  | Allow
Grayware | Unwanted software: adware, PUP, spyware-lite  | Alert or block depending on policy
Malware  | File exhibits malicious behavior in sandbox   | Block and quarantine
Phishing | File is a phishing document or lure           | Block

Once WildFire generates a verdict, it automatically creates a signature and distributes it to all PAN-OS firewalls with content update subscriptions — typically within 5 minutes for cloud subscribers.

WildFire Analysis Profile

Configure which file types to forward to WildFire in the WildFire Analysis profile. For maximum coverage, enable all file types and both directions (upload and download). The performance impact is minimal since only unknown files are forwarded — known-good and known-bad files are handled locally by AV signatures.

DNS Security

DNS Security (with a DNS Security license) integrates with the Anti-Spyware profile to block DNS requests to known malicious domains. It addresses the critical threat vector of DNS-based command-and-control and data exfiltration.

  • Blocks DNS queries to known C2 domains in real time using Palo Alto Networks' cloud threat intelligence
  • DNS sinkholing — instead of dropping the blocked DNS query, the firewall returns a sinkhole IP (10.0.0.1 by default). The endpoint connects to the sinkhole, which logs the attempt and identifies the infected host
  • Detects DNS tunneling by analyzing query patterns, entropy, and query frequency
  • Passive DNS analysis — tracks DNS resolution behavior to identify infected hosts within the network
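The tunneling heuristics in the list above (label entropy plus query frequency) as an added, stand-alone illustration; this is not Palo Alto Networks' detection logic, and the query records, the thresholds and the `tun.example.net` names are all constructed for the example.

```python
import math
from collections import defaultdict

# Constructed sample DNS query records: (timestamp_seconds, source_ip, qname).
# The long, high-entropy leftmost labels imitate data-carrying subdomains;
# the other names are ordinary lookups. Nothing here is real traffic.
QUERIES = [
    (0, "10.1.1.5", "www.example.com"),
    (1, "10.1.1.5", "mail.example.com"),
    (2, "10.1.1.9", "q4x9zk2p8m1v7b3n.tun.example.net"),
    (2, "10.1.1.9", "h7d2w9r4k1m5p8z3.tun.example.net"),
    (3, "10.1.1.9", "m3n8b2v7k1x9z4q6.tun.example.net"),
    (3, "10.1.1.9", "p1r5t9y3u7i2o6a4.tun.example.net"),
    (4, "10.1.1.9", "z8x2c6v4b9n1m5k3.tun.example.net"),
    (5, "10.1.1.5", "cdn.example.com"),
]

def label_entropy(qname: str) -> float:
    """Shannon entropy in bits per character of the leftmost label of a query name."""
    label = qname.split(".")[0]
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def flag_tunneling(queries, entropy_min=3.5, label_min=12, rate_min=4, window=5):
    """Return {source_ip: count} for sources that sent at least rate_min
    long, high-entropy queries inside any window-second interval.
    Thresholds are illustrative assumptions, not vendor defaults."""
    suspicious = defaultdict(list)
    for ts, src, qname in queries:
        label = qname.split(".")[0]
        if len(label) >= label_min and label_entropy(qname) >= entropy_min:
            suspicious[src].append(ts)
    flagged = {}
    for src, stamps in suspicious.items():
        stamps.sort()
        for i, start in enumerate(stamps):
            count = sum(1 for t in stamps[i:] if t - start < window)
            if count >= rate_min:
                flagged[src] = count
                break
    return flagged
```

Entropy alone misfires on CDN hostnames and hashed labels in legitimate services, which is why the frequency window is combined with it; tune both against the alert-mode baseline before blocking.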

DNS Sinkholing

Sinkholing is powerful because the endpoint initiates a TCP connection to the sinkhole IP, generating a traffic log. This reveals the infected host IP even in environments where you cannot decrypt DNS-over-HTTPS. Without sinkholing, a blocked DNS query produces only a Threat log with the query name — no follow-up connection to correlate.
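The correlation the paragraph describes, as an added example that is not part of the module or of PAN-OS: a Threat log records the sinkholed query (sourced from the internal resolver, so it cannot name the client), and the Traffic log records the client's follow-up connection to the sinkhole IP. Log excerpts are constructed and simplified, not the real PAN-OS CSV layout; the 10.0.0.1 sinkhole address is the default the page states, the 10.1.x addresses and domains are invented, and the 5-second correlation window is an assumption.

```python
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

SINKHOLE_IP = "10.0.0.1"   # default sinkhole address as stated in this module

# Constructed Threat log: the query is seen from the internal resolver 10.1.1.53,
# so this log alone cannot tell which client asked for the domain.
THREAT_LOG = """time,src,dst,threat,action,qname
2024-05-01T10:00:01,10.1.1.53,8.8.8.8,Suspicious DNS Query,sinkhole,evil-c2.example
2024-05-01T10:00:07,10.1.1.53,8.8.8.8,Suspicious DNS Query,sinkhole,beacon.bad.example
"""

# Constructed Traffic log: the real clients connect to the sinkhole IP.
TRAFFIC_LOG = """time,src,dst,dport,app,action
2024-05-01T10:00:02,10.1.2.77,10.0.0.1,443,ssl,allow
2024-05-01T10:00:03,10.1.2.77,93.184.216.34,443,ssl,allow
2024-05-01T10:00:08,10.1.3.12,10.0.0.1,80,web-browsing,allow
2024-05-01T10:00:09,10.1.2.77,10.0.0.1,443,ssl,allow
"""

def parse_time(s: str) -> datetime:
    return datetime.fromisoformat(s)

def sinkhole_hosts(traffic_csv: str) -> dict:
    """Return {client_ip: [timestamps]} for every connection to the sinkhole."""
    hosts = defaultdict(list)
    for row in csv.DictReader(StringIO(traffic_csv)):
        if row["dst"] == SINKHOLE_IP:
            hosts[row["src"]].append(parse_time(row["time"]))
    return hosts

def correlate(threat_csv: str, traffic_csv: str, window_s: int = 5) -> dict:
    """Map each infected client to the sinkholed domains whose Threat log
    entry precedes its sinkhole connection by at most window_s seconds."""
    hosts = sinkhole_hosts(traffic_csv)
    events = [r for r in csv.DictReader(StringIO(threat_csv)) if r["action"] == "sinkhole"]
    result = defaultdict(set)
    for client, stamps in hosts.items():
        for t in stamps:
            for ev in events:
                delta = (t - parse_time(ev["time"])).total_seconds()
                if 0 <= delta <= window_s:
                    result[client].add(ev["qname"])
    return {client: sorted(domains) for client, domains in result.items()}
```

The sinkhole connection is the authoritative indicator of infection; the domain attribution is best-effort, since several sinkholed queries inside the window will all be attached to the client.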

Anti-Spyware Profiles

Anti-Spyware profiles handle the detection and blocking of spyware and C2 traffic — the communication channel between compromised endpoints and attacker infrastructure. This is distinct from Vulnerability Protection (which blocks exploit delivery) — Anti-Spyware catches the post-compromise communication.

  • Command-and-control signatures — match known C2 protocols, beaconing patterns, and callback URLs
  • Botnet report — identifies hosts within your network exhibiting botnet communication characteristics
  • DNS-based C2 detection — catches C2 using DNS queries (requires DNS Security integration)
  • Spyware signatures — detect data-stealing malware, keyloggers, and credential harvesters

Security Profile Best Practices

Attach a security profile group to every allow rule — an allow rule without a profile is a threat inspection gap.

Use strict profiles for high-risk zones (untrust-to-dmz, untrust-to-trust inbound rules) — all severities set to block/reset, WildFire on all file types.

Use a baseline profile for low-risk internal traffic — alert on low/informational, block on critical/high.

Create profile groups named descriptively: Strict-Internet-Profile, Baseline-Internal-Profile. Reference profile groups in rules rather than individual profiles for easier management.

Enable the block-ip action for critical and high severity IPS signatures on internet-facing zones — temporarily quarantine sources of active exploitation attempts.
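An added audit check for the two practices above (every allow rule carries a profile group; internet-facing rules use the strict group), written here as example code, not a PAN-OS or Palo Alto Networks tool. The rulebase is a constructed, simplified list of dicts rather than a real configuration export; the group names come from this module, while the rule names, zones and the `profile_group` field are assumptions.

```python
# Constructed, simplified rulebase (not a real PAN-OS export). Each rule carries
# only the fields the checks below need; a real export has many more.
RULES = [
    {"name": "inbound-web", "from": ["untrust"], "to": ["dmz"], "action": "allow",
     "profile_group": "Strict-Internet-Profile"},
    {"name": "internal-file", "from": ["trust"], "to": ["trust"], "action": "allow",
     "profile_group": "Baseline-Internal-Profile"},
    {"name": "legacy-app", "from": ["trust"], "to": ["dmz"], "action": "allow",
     "profile_group": None},                      # inspection gap
    {"name": "vpn-mgmt", "from": ["untrust"], "to": ["trust"], "action": "allow",
     "profile_group": "Baseline-Internal-Profile"},  # wrong group for untrust
    {"name": "deny-all", "from": ["any"], "to": ["any"], "action": "deny",
     "profile_group": None},                      # deny rules need no profile
]

INTERNET_ZONES = {"untrust"}                 # assumed name of the internet-facing zone
STRICT_GROUP = "Strict-Internet-Profile"     # group name from the module's guidance

def audit(rules):
    """Return [(rule_name, finding)] for allow rules that violate the practices."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue  # deny/drop rules pass no traffic, so nothing to inspect
        group = rule.get("profile_group")
        if not group:
            findings.append((rule["name"], "allow rule without a security profile group"))
            continue
        if set(rule["from"]) & INTERNET_ZONES and group != STRICT_GROUP:
            findings.append((rule["name"],
                             f"internet-facing rule uses '{group}', expected '{STRICT_GROUP}'"))
    return findings
```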

Zone Protection Profiles

Zone protection profiles apply to an entire zone rather than individual rules. They protect against volumetric attacks and reconnaissance targeting the zone itself.

Flood Protection

Flood Type     | Mechanism                                              | Action Threshold
SYN Flood      | SYN cookie generation at alert rate; block at max rate | Alert/Activate/Maximum (pps)
UDP Flood      | Drop UDP when threshold exceeded                       | Alert/Activate/Maximum (pps)
ICMP Flood     | Drop ICMP when threshold exceeded                      | Alert/Activate/Maximum (pps)
Other IP Flood | Drop non-TCP/UDP/ICMP when exceeded                    | Alert/Activate/Maximum (pps)

Reconnaissance Protection

  • Host sweep — detect scanning of multiple IPs from a single source (ICMP or TCP)
  • Port scan — detect a single source scanning multiple ports on a single host
  • Actions: allow, alert, block, or block-ip for a configurable duration
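The two reconnaissance patterns above, as an added detection example run over constructed flow records; this is not the firewall's implementation, and the interval and threshold values are assumptions standing in for the configurable settings the page mentions.

```python
from collections import defaultdict

# Constructed flow records: (timestamp_seconds, src, dst, dport).
# 203.0.113.9 touches five hosts (host sweep); 198.51.100.4 touches five ports
# on one host (port scan); 10.1.1.50 is ordinary repeat traffic.
FLOWS = [
    (0, "203.0.113.9", "10.1.1.1", 80), (0, "203.0.113.9", "10.1.1.2", 80),
    (1, "203.0.113.9", "10.1.1.3", 80), (1, "203.0.113.9", "10.1.1.4", 80),
    (2, "203.0.113.9", "10.1.1.5", 80),
    (0, "198.51.100.4", "10.1.1.20", 22), (0, "198.51.100.4", "10.1.1.20", 23),
    (1, "198.51.100.4", "10.1.1.20", 80), (1, "198.51.100.4", "10.1.1.20", 443),
    (2, "198.51.100.4", "10.1.1.20", 3389),
    (0, "10.1.1.50", "10.1.1.1", 443), (5, "10.1.1.50", "10.1.1.1", 443),
]

def _max_distinct_in_window(pairs, interval):
    """pairs: [(ts, key)]. Largest number of distinct keys inside any
    interval-second window starting at an observed timestamp."""
    pairs.sort()
    best = 0
    for i, (start, _) in enumerate(pairs):
        keys = {k for t, k in pairs[i:] if t - start < interval}
        best = max(best, len(keys))
    return best

def detect_recon(flows, interval=10, sweep_threshold=5, scan_threshold=5):
    """Return {src: [findings]}: ('host-sweep', n_hosts) when one source reaches
    sweep_threshold distinct destinations, ('port-scan', dst, n_ports) when it
    reaches scan_threshold distinct ports on one destination."""
    by_src = defaultdict(list)        # src -> [(ts, dst)]
    by_src_dst = defaultdict(list)    # (src, dst) -> [(ts, dport)]
    for ts, src, dst, dport in flows:
        by_src[src].append((ts, dst))
        by_src_dst[(src, dst)].append((ts, dport))
    findings = defaultdict(list)
    for src, pairs in by_src.items():
        n = _max_distinct_in_window(pairs, interval)
        if n >= sweep_threshold:
            findings[src].append(("host-sweep", n))
    for (src, dst), pairs in by_src_dst.items():
        n = _max_distinct_in_window(pairs, interval)
        if n >= scan_threshold:
            findings[src].append(("port-scan", dst, n))
    return dict(findings)
```

Low thresholds will flag monitoring systems and vulnerability scanners that legitimately sweep the zone; exclude them explicitly rather than raising the threshold for everyone.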