Exam PCNSE
Question 281

The manager of the network security team has asked you to help configure the company's Security Profiles according to Palo Alto Networks best practice. As part of that effort, the manager has assigned you the Vulnerability Protection profile for the Internet gateway firewall. Which action and packet-capture setting for items of high severity and critical severity best matches Palo Alto Networks best practice?

    Correct Answer: D

    The Palo Alto Networks Internet gateway best-practice guidance sets the Action for critical, high, and medium severity events to 'reset-both' and sets Packet Capture to 'single-packet'; the guide consolidates those three severities into a single rule precisely because they share the same action and capture setting. 'reset-both' sends a TCP reset to both the client and the server, so the session is torn down on both sides as soon as a threat signature matches, while a single-packet capture records the triggering packet for triage without the per-session capture overhead that an Internet-facing firewall carrying high traffic volumes should avoid. The same guidance reserves extended-capture (default 5 packets) for high-value traffic on rules that use the 'alert' action: an extended capture adds context when the session is allowed to continue, which is why the guide pairs it with 'alert' rather than with a blocking action such as 'reset-both'.
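The following audit script is an added example for this answer, not code from the original page or from Palo Alto Networks. It parses a Vulnerability Protection profile in the shape of a PAN-OS configuration export (the `profiles/vulnerability/entry/rules/entry` layout, the empty-child encoding of `<action>`, and the `<packet-capture>` and `<severity>` elements are assumed to mirror the real schema) and flags any rule covering critical, high, or medium severity that does not use `reset-both` with `single-packet` capture, treating `extended-capture` as acceptable only on `alert` rules, as the discussion below describes. The sample profile embedded in the script is constructed for this example.

```python
"""Audit a PAN-OS Vulnerability Protection profile against the Internet gateway
best practice: critical/high/medium rules use reset-both + single-packet capture.

Added example; not Palo Alto Networks code. The XML layout is an assumption
modelled on a PAN-OS config export, and the sample profile is constructed.
"""
import xml.etree.ElementTree as ET

# Severities that the best-practice profile consolidates into one blocking rule.
BLOCK_SEVERITIES = {"critical", "high", "medium"}

# Constructed sample: one compliant rule, one alert rule with extended capture,
# one informational rule (left at defaults), one blocking rule with capture off.
SAMPLE_PROFILE_XML = """
<vulnerability>
  <entry name="best-practice-igw">
    <rules>
      <entry name="block-critical-high-medium">
        <action><reset-both/></action>
        <severity><member>critical</member><member>high</member><member>medium</member></severity>
        <host>any</host>
        <packet-capture>single-packet</packet-capture>
      </entry>
      <entry name="alert-critical-extended">
        <action><alert/></action>
        <severity><member>critical</member></severity>
        <host>server</host>
        <packet-capture>extended-capture</packet-capture>
      </entry>
      <entry name="simple-client-informational">
        <action><default/></action>
        <severity><member>informational</member></severity>
        <host>client</host>
        <packet-capture>disable</packet-capture>
      </entry>
      <entry name="server-high-nopcap">
        <action><reset-both/></action>
        <severity><member>high</member></severity>
        <host>server</host>
        <packet-capture>disable</packet-capture>
      </entry>
    </rules>
  </entry>
</vulnerability>
"""


def rule_settings(rule):
    """Return (name, action, packet_capture, severities) for one <rules>/<entry>."""
    action_el = rule.find("action")
    # Assumed encoding: the chosen action is an empty child, e.g. <action><reset-both/></action>.
    action = action_el[0].tag if action_el is not None and len(action_el) else "default"
    pcap = rule.findtext("packet-capture", default="disable").strip()
    severities = {m.text.strip() for m in rule.findall("severity/member") if m.text}
    return rule.get("name"), action, pcap, severities


def audit_profile(xml_text):
    """Return {rule_name: [finding, ...]} for rules that cover critical/high/medium
    severities but deviate from reset-both + single-packet capture."""
    findings = {}
    root = ET.fromstring(xml_text)
    for rule in root.findall(".//rules/entry"):
        name, action, pcap, severities = rule_settings(rule)
        if not (severities & BLOCK_SEVERITIES or "any" in severities):
            continue  # informational/low rules keep their default action and capture
        problems = []
        if action != "reset-both":
            problems.append(f"action is '{action}', best practice is 'reset-both'")
        if pcap == "disable":
            problems.append("packet capture is disabled, best practice is 'single-packet'")
        elif pcap == "extended-capture" and action != "alert":
            problems.append("extended-capture is meant for alert rules; use 'single-packet' with reset-both")
        if problems:
            findings[name] = problems
    return findings


if __name__ == "__main__":
    for rule_name, problems in audit_profile(SAMPLE_PROFILE_XML).items():
        for problem in problems:
            print(f"{rule_name}: {problem}")
```

Running the script lists the two non-compliant rules in the sample: the `alert` rule on critical events (its extended capture is acceptable for an alert rule, but alerting on critical severity at the gateway is not) and the `reset-both` rule that has packet capture disabled. To audit a real profile, replace the constructed XML with the `vulnerability` subtree of an exported configuration.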

Discussion
mysteryzjoker (Option: C)

answer is C "Enable extended-capture for critical, high, and medium severity events and single-packet capture for low severity events. " https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/objects/objects-security-profiles-vulnerability-protection

secdaddy

See the best practices document (kudos to GBD35055 for the URL) : The best practice Anti-Spyware profile retains the default Action to reset the connection when the firewall detects a medium, high, or critical severity threat, and enables single packet capture (PCAP) for those threats. https://docs.paloaltonetworks.com/best-practices/10-2/data-center-best-practices/data-center-best-practice-security-policy/how-to-create-data-center-best-practice-security-profiles/create-the-data-center-best-practice-anti-spyware-profile

fireb

Option C is correct.

confusion

No, D is correct! Question asks for Best Practice Internet Gateway Vulnerability Protection Profile.

droide

Still the same in pan-os 11.0

Betty2022 (Option: D)

D is correct Question asks for Best Practice Internet Gateway Vulnerability Protection Profile. https://docs.paloaltonetworks.com/best-practices/internet-gateway-best-practices/best-practice-internet-gateway-security-policy/create-best-practice-security-profiles Change the Action in the three brute force rules to reset-both and Packet Capture to single-packet to transition from alerting on brute-force attack events to blocking them. Consolidate critical, high, and medium severity events for servers and clients into one rule. Set the Action to reset-both and set Packet Capture to single-packet. This simplifies the profile and works because the profile uses the same action and the same packet capture settings for these severities.

MostafaNawar (Option: C)

Answer C, Enable extended-capture for critical, high, and medium severity events and single-packet capture for low severity events. Use the default extended-capture value of 5 packets, which provides enough information to analyze the threat in most cases.

Metgatz (Option: C)

C is the correct option: action 'reset-both' and packet capture 'extended-capture'.

RoamingFo (Option: D)

Recommended Action "Reset-Both" Recommended Capture ? This General doc recommends "Enable extended-capture for critical, high, and medium severity" https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-web-interface-help/objects/objects-security-profiles-vulnerability-protection The Internet Gateway Specific Doc Recommends "Consolidate critical, high,…. Set the Action to reset-both and set Packet Capture to single-packet" Correct Answer is D

0d2fdfa (Option: D)

Option D is correct. Option C is wrong. This is an Internet gateway firewall. Packet captures on an Internet gateway firewall do not make sense; the firewall would rather shut the session. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClXCCA0 Notice that Anti-Spyware and Vulnerability Protection have more options: Disabled; Single Packet (select single-packet to capture one packet when a threat is detected); Extended-capture (select the extended-capture option to capture more packets). Extended-capture will provide much more context to the threat when analyzing the threat logs or when providing the captures for TAC to analyze.

Thunnu (Option: D)

Yup D. https://docs.paloaltonetworks.com/best-practices/9-1/internet-gateway-best-practices/best-practice-internet-gateway-security-policy/create-best-practice-security-profiles

JRKhan (Option: D)

Correct answer is D. For inbound traffic, aka Internet traffic to the network behind the Palo Alto firewall, the best practice is to use the strict profile, which uses *reset-both* action for critical/high sev events. For pcaps, use *single pcap* as the traffic volume is usually high. Can also use extended captures if the action is set to *alert*.

Whizdhum (Option: D)

Clone the predefined strict Vulnerability Protection profile and edit it to create the best practice profile: Change the Action in the three brute force rules to reset-both and Packet Capture to single-packet to transition from alerting on brute-force attack events to blocking them. Consolidate critical, high, and medium severity events for servers and clients into one rule. Set the Action to reset-both and set Packet Capture to single-packet. This simplifies the profile and works because the profile uses the same action and the same packet capture settings for these severities.

dorf05 (Option: D)

https://docs.paloaltonetworks.com/best-practices/internet-gateway-best-practices/best-practice-internet-gateway-security-policy/create-best-practice-security-profiles#:~:text=end%20user%E2%80%99s%20device.-,Best%20Practice%20Internet%20Gateway%20Vulnerability%20Protection%20Profile,same%20action%20and%20the%20same%20packet%20capture%20settings%20for%20these%20severities.,-For%20profiles%20that

Pochex (Option: D)

Answer D is correct. Refer to https://docs.paloaltonetworks.com/best-practices/10-2/internet-gateway-best-practices/best-practice-internet-gateway-security-policy/create-best-practice-security-profiles and read the following section: 'Best Practice Internet Gateway Vulnerability Protection Profile'

sujss (Option: D)

"For the best practice profile, for each rule except simple-client-informational and simple-server-informational, double-click the Rule Name and change Packet Capture from disable to single-packet to enable packet capture (PCAP) for each rule so you can track down the source of potential attacks." https://docs.paloaltonetworks.com/best-practices/10-2/data-center-best-practices/data-center-best-practice-security-policy/how-to-create-data-center-best-practice-security-profiles/create-the-data-center-best-practice-vulnerability-protection-profile

[Removed] (Option: C)

For the best security, set the Action for both client and server critical, high, and medium severity events to reset-both and use the default action for Informational and Low severity events.

IntheZone (Option: C)

"items of high severity and critical severity best matches Palo Alto Networks best practice" It is C

daytonadave2011 (Option: D)

D. Just went through some BPA's and single-capture is the recommended.

Rowdy_47 (Option: D)

"For the best practice profile, for each rule except simple-client-informational and simple-server-informational, double-click the Rule Name and change Packet Capture from disable to single-packet to enable packet capture (PCAP) for each rule so you can track down the source of potential attacks. Don’t change the rest of the settings. Apply extended PCAP (as opposed to single PCAP) to high-value traffic to which you apply the alert Action." We would not be setting an alert action on high severity and critical severity matches. I think the answer is D. https://docs.paloaltonetworks.com/best-practices/10-2/internet-gateway-best-practices/best-practice-internet-gateway-security-policy/create-best-practice-security-profiles

droide (Option: C)

https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-web-interface-help/objects/objects-security-profiles-vulnerability-protection

droide

Sorry, must be D according to Palo Alto Networks best practice