Objects > Security Profiles > Antivirus
Use the Antivirus Profiles page to configure the options that control
how the firewall scans the defined traffic for viruses. Set the
applications that should be inspected for viruses and the action to
take when a virus is detected. The default profile inspects all of the
listed protocol decoders for viruses, generates alerts for Simple Mail
Transfer Protocol (SMTP), Internet Message Access Protocol (IMAP), and
Post Office Protocol Version 3 (POP3), and takes the default action for
other applications (alert or deny), depending on the type of virus
detected. You then attach the profile to a Security policy rule, which
determines which traffic traversing specific zones is inspected.
Customized profiles can be used to minimize antivirus inspection of
traffic between trusted security zones, and to maximize inspection of
traffic received from untrusted zones, such as the Internet, and of
traffic sent to highly sensitive destinations, such as server farms.
To add a new Antivirus profile, select Add and enter the following settings:
Field | Description |
---|---|
Name | Enter a profile name (up to 31 characters). This name appears in the list of antivirus profiles when defining security policies. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, periods, and underscores. |
Description | Enter a description for the profile (up to 255 characters). |
Shared (Panorama only) | Select this option if you want the profile to be available to: |
Disable override (Panorama only) | Select this option to prevent administrators from overriding the settings of this Antivirus profile in device groups that inherit the profile. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the profile. |
Action Tab | Specify the action for the different types of traffic, such as FTP and HTTP. |
Enable Packet Capture | Select this option if you want to capture identified packets. |
Hold for WildFire Real Time Signature Look Up | Select this option if you want to hold packets until the firewall completes a real-time signature lookup against the real-time signature cloud. You must also globally enable Hold for WildFire Real Time Signature Look Up in Device > Setup > Content-ID before hold mode is fully enabled. |
Decoders and Actions | For each type of traffic that you want to inspect for viruses, select an action from the drop-down. You can define different actions for standard antivirus signatures (Signature Action column), signatures generated by the WildFire system (WildFire Signature Action column), and malicious threats detected in real time by the WildFire Inline ML models (WildFire Inline ML Action column). Some environments require a longer soak time for antivirus signatures, so this option lets you set different actions for the two antivirus signature types provided by Palo Alto Networks. For example, the standard antivirus signatures go through a longer soak period before being released (24 hours), versus WildFire signatures, which can be generated and released within 15 minutes after a threat is detected. Because of this, you may want to choose the alert action on WildFire signatures instead of blocking. For the best security, clone the default Antivirus profile, set the Action and WildFire Action for all the decoders to reset-both, and attach the profile to all Security policy rules that allow traffic. |
Application Exceptions and Actions | The Application Exceptions table allows you to define applications that will not be inspected. For example, to block all HTTP traffic except for a specific application, you can define an antivirus profile for which the application is an exception: Block is the action for the HTTP decoder, and Allow is the action for the excepted application. For each application exception, select the action to be taken when the threat is detected. For a list of actions, see Actions in Security Profiles. To find an application, start typing the application name in the text box. A matching list of applications is displayed, and you can make a selection. If you believe a legitimate application is incorrectly identified as carrying a virus (false positive), open a support case with TAC so Palo Alto Networks can analyze and fix the incorrectly identified virus. When the issue is resolved, remove the exception from the profile. |
Signature Exceptions Tab | Use the Signature Exceptions tab to define a list of threats that will be ignored by the antivirus profile. Only create an exception if you are sure an identified virus is not a threat (false positive). If you believe you have discovered a false positive, open a support case with TAC so Palo Alto Networks can analyze and fix the incorrectly identified virus signature. When the issue is resolved, remove the exception from the profile immediately. |
Threat ID | To add specific threats that you want to ignore, enter one Threat ID at a time and click Add. Threat IDs are presented as part of the threat log information. Refer to Monitor > Logs. |
WildFire Inline ML Tab | Use the WildFire Inline ML tab to enable and configure real-time WildFire analysis of files using a firewall-based machine learning model. Palo Alto Networks recommends forwarding samples to the WildFire cloud when WildFire Inline ML is enabled. This allows samples that trigger a false positive to be automatically corrected upon secondary analysis. Additionally, it provides data for improving ML models for future updates. |
Available Models | For each available WildFire Inline ML model, you can select one of the following action settings: |
File Exceptions | The File Exceptions table allows you to define specific files that you do not want analyzed, such as false positives. To create a new file exception entry, Add a new entry and provide the partial hash, filename, and description of the file that you want to exclude from enforcement. To find an existing file exception, start typing the partial hash value, file name, or description in the text box. A list of file exceptions matching any of those values is displayed. You can find partial hashes in the threat logs (Monitor > Logs > Threat). |
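The following is an added example, not code from Palo Alto Networks or this reference: it models how the Decoders and Actions, Application Exceptions and Signature Exceptions settings described above combine into a single verdict for one detection, and lints a profile against the Name and Description limits and the hardening advice on this page before it is attached to a Security policy rule. The dictionary keys, the sample profile, the application name and the Threat ID value are all constructed for illustration, and the precedence of the exception tables over the decoder action is an assumption of the model.

```python
"""PAN-OS Antivirus profile: per-detection verdict model plus a pre-commit lint.
Added example, not Palo Alto Networks code; dict keys mirror this page's
web-interface labels, not the XML schema; exception precedence is assumed."""
import re

ACTIONS = {"allow", "alert", "drop", "reset-client", "reset-server", "reset-both"}
NAME_RE = re.compile(r"^[A-Za-z0-9 ._-]{1,31}$")  # 31 chars, allowed set only

# Constructed sample: Internet-facing profile, one app exception, one ignored Threat ID (placeholder).
SAMPLE_PROFILE = {
    "name": "av-untrust-inbound",
    "description": "Inbound from the Internet",
    "decoders": {
        "http": {"signature": "reset-both", "wildfire": "alert"},
        "smtp": {"signature": "alert", "wildfire": "alert"},
        "ftp": {"signature": "reset-both", "wildfire": "reset-both"},
    },
    "app_exceptions": {"example-trusted-app": "allow"},
    "signature_exceptions": {12345},
}

def effective_action(profile, decoder, app, threat_id, sig_type="signature"):
    """Resolve the firewall's action for one detection, most specific rule first."""
    if threat_id in profile["signature_exceptions"]:
        return "allow"  # Signature Exceptions tab: this Threat ID is ignored
    if app in profile["app_exceptions"]:
        return profile["app_exceptions"][app]  # Application Exceptions win over the decoder
    dec = profile["decoders"].get(decoder)
    if dec is None:
        return "allow"  # decoder not listed: not inspected by this profile
    return dec[sig_type]  # "signature" or "wildfire" action column

def lint_profile(profile, existing_names=()):
    """Return findings a reviewer would raise before attaching the profile."""
    findings = []
    if not NAME_RE.match(profile["name"]):
        findings.append("name: up to 31 chars of letters, digits, space . _ -")
    if profile["name"] in existing_names:  # names are case-sensitive and unique
        findings.append("name: already in use")
    if len(profile["description"]) > 255:
        findings.append("description: longer than 255 characters")
    for dec, acts in profile["decoders"].items():
        for col, act in acts.items():
            if act not in ACTIONS:
                findings.append(f"{dec}/{col}: unknown action {act!r}")
            elif act == "allow":
                findings.append(f"{dec}/{col}: allow means detections are not enforced")
    if profile["signature_exceptions"] or profile["app_exceptions"]:
        findings.append("exceptions present: remove once the TAC case is resolved")
    return findings
```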