Exam PCNSE
Question 557

You are auditing the work of a co-worker and need to verify that they have matched the Palo Alto Networks Best Practices for Anti-Spyware Profiles.

For which three severity levels should single-packet captures be enabled to meet the Best Practice standard? (Choose three.)

    Correct Answer: A, B, C

    According to Palo Alto Networks' Best Practices for Anti-Spyware Profiles, single-packet captures should be enabled for Critical, High, and Medium severity levels. These levels are typically associated with significant threats where analyzing traffic at this granularity can help understand and mitigate the threat effectively. Lower severity levels like Informational and Low usually don't warrant the same level of detailed packet capture since they are less likely to indicate serious threats.
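The auditing scenario in the question can be turned into a mechanical check. The following script is an added example, not part of the exam page and not Palo Alto Networks code: it parses an Anti-Spyware profile from a PAN-OS configuration export and reports every medium, high or critical rule whose action is not a connection reset (`reset-both`, assumed here as the XML value) or whose packet capture is not `single-packet`. The sample configuration is constructed, and the element layout (`profiles/spyware/entry/rules/entry` with `severity`, `action` and `packet-capture` children) is an assumption about the PAN-OS XML format that should be confirmed against a real `show config` export before relying on it.

```python
# Added example (not from the exam page or Palo Alto Networks): audit an
# Anti-Spyware profile from a PAN-OS config XML export against the best-practice
# settings: reset the connection on medium/high/critical and enable single-packet
# capture on those same severities.
import xml.etree.ElementTree as ET

BEST_PRACTICE_SEVERITIES = {"medium", "high", "critical"}
BEST_PRACTICE_ACTION = "reset-both"      # assumed XML value for "reset connection"
BEST_PRACTICE_PCAP = "single-packet"

# Constructed sample config. The element names follow the PAN-OS XML layout for
# spyware profile rules as assumed here (profiles/spyware/entry/rules/entry);
# verify against a real export. The "medium" rule deliberately lacks PCAP.
SAMPLE_CONFIG = """
<profiles>
  <spyware>
    <entry name="coworker-profile">
      <rules>
        <entry name="simple-critical">
          <severity><member>critical</member></severity>
          <action><reset-both/></action>
          <packet-capture>single-packet</packet-capture>
        </entry>
        <entry name="simple-high">
          <severity><member>high</member></severity>
          <action><reset-both/></action>
          <packet-capture>single-packet</packet-capture>
        </entry>
        <entry name="simple-medium">
          <severity><member>medium</member></severity>
          <action><reset-both/></action>
          <packet-capture>disable</packet-capture>
        </entry>
        <entry name="simple-low">
          <severity><member>low</member></severity>
          <action><default/></action>
          <packet-capture>disable</packet-capture>
        </entry>
      </rules>
    </entry>
  </spyware>
</profiles>
"""


def parse_rules(config_xml: str, profile_name: str) -> dict:
    """Return {severity: (action, packet_capture)} for one spyware profile.

    A rule that lists several severities contributes one entry per severity.
    A missing <action> child is reported as "default"; a missing
    <packet-capture> element is reported as "disable".
    """
    root = ET.fromstring(config_xml)
    rules = {}
    path = f"./spyware/entry[@name='{profile_name}']/rules/entry"
    for entry in root.findall(path):
        action_el = entry.find("action")
        if action_el is not None and len(action_el):
            action = list(action_el)[0].tag   # e.g. <reset-both/> -> "reset-both"
        else:
            action = "default"
        pcap_el = entry.find("packet-capture")
        pcap = pcap_el.text.strip() if pcap_el is not None and pcap_el.text else "disable"
        for member in entry.findall("severity/member"):
            rules[member.text.strip()] = (action, pcap)
    return rules


def audit_profile(config_xml: str, profile_name: str) -> list:
    """Return a sorted list of findings; an empty list means best practice is met."""
    rules = parse_rules(config_xml, profile_name)
    findings = []
    for sev in sorted(BEST_PRACTICE_SEVERITIES):
        if sev not in rules:
            findings.append(f"{sev}: no rule covers this severity")
            continue
        action, pcap = rules[sev]
        if action != BEST_PRACTICE_ACTION:
            findings.append(f"{sev}: action is '{action}', expected '{BEST_PRACTICE_ACTION}'")
        if pcap != BEST_PRACTICE_PCAP:
            findings.append(f"{sev}: packet-capture is '{pcap}', expected '{BEST_PRACTICE_PCAP}'")
    return findings


if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_CONFIG, "coworker-profile"):
        print("FINDING:", finding)
```

Run against the constructed sample, the audit reports only the medium-severity rule, whose packet capture is disabled; the low rule is ignored because the best practice does not require capture there. Pointing the same function at a profile exported from a real firewall is how the "verify a co-worker's work" task in the question would be done without clicking through every rule.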

Discussion
Omid2022 (Options: ABC)

The best practice Anti-Spyware profile retains the default Action to reset the connection when the firewall detects a medium, high, or critical severity threat, and enables single packet capture (PCAP) for those threats. https://docs.paloaltonetworks.com/best-practices/9-1/data-center-best-practices/data-center-best-practice-security-policy/how-to-create-data-center-best-practice-security-profiles/create-the-data-center-best-practice-anti-spyware-profile

Marshpillowz (Options: ABC)

A, B and C

Andromeda1800 (Options: ABC)

A, B, C

puneet9 (Options: ABC)

ABC. How is everyone all over the place? The question is talking about Anti-Spyware, not vulnerability. Answer is ABC https://docs.paloaltonetworks.com/best-practices/10-2/data-center-best-practices/data-center-best-practice-security-policy/how-to-create-data-center-best-practice-security-profiles/create-the-data-center-best-practice-anti-spyware-profile

MHy2k (Options: ABC)

ABC https://docs.paloaltonetworks.com/best-practices/9-1/data-center-best-practices/data-center-best-practice-security-policy/how-to-create-data-center-best-practice-security-profiles/create-the-data-center-best-practice-anti-spyware-profile

dgonz (Options: ABC)

The best practice Anti-Spyware profile retains the default Action to reset the connection when the firewall detects a medium, high, or critical severity threat, and enables single packet capture (PCAP) for those threats.

lmla89 (Options: BCE)

BCE as per the https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/objects/objects-security-profiles-vulnerability-protection Enable extended-capture for critical, high, and medium severity events and single-packet capture for low severity events. Use the default extended-capture value of 5 packets, which provides enough information to analyze the threat in most cases. (Too much packet capture traffic may result in dropping packet captures.) Don't enable packet capture for informational events because it's not very useful compared to capturing information about higher severity events and creates a relatively high volume of low-value traffic.

JoyBoyMx

The question is talking about Anti-Spyware profiles, not Vulnerability Protection profiles

Artbrut (Options: BCD)

I'll go with B, C, D --> https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/objects/objects-security-profiles-vulnerability-protection Enable extended-capture for critical, high, and medium severity events and single-packet capture for low severity events. Use the default extended-capture value of 5 packets, which provides enough information to analyze the threat in most cases. (Too much packet capture traffic may result in dropping packet captures.) Don't enable packet capture for informational events because it's not very useful compared to capturing information about higher severity events and creates a relatively high volume of low-value traffic.

Artbrut

correct to B, C, E