Objects > Security Profiles > Antivirus
Table of Contents
Expand all | Collapse all
-
- Objects > Addresses
- Objects > Address Groups
- Objects > Regions
- Objects > Dynamic User Groups
- Objects > Application Groups
- Objects > Application Filters
- Objects > Services
- Objects > Service Groups
- Objects > External Dynamic Lists
- Objects > Custom Objects > Spyware/Vulnerability
- Objects > Custom Objects > URL Category
- Objects > Security Profiles > Antivirus
- Objects > Security Profiles > Anti-Spyware Profile
- Objects > Security Profiles > Vulnerability Protection
- Objects > Security Profiles > File Blocking
- Objects > Security Profiles > WildFire Analysis
- Objects > Security Profiles > Data Filtering
- Objects > Security Profiles > DoS Protection
- Objects > Security Profiles > GTP Protection
- Objects > Security Profiles > SCTP Protection
- Objects > Security Profile Groups
- Objects > Log Forwarding
- Objects > Authentication
- Objects > Decryption > Forwarding Profile
- Objects > Schedules
-
-
- Firewall Interfaces Overview
- Common Building Blocks for Firewall Interfaces
- Common Building Blocks for PA-7000 Series Firewall Interfaces
- Tap Interface
- HA Interface
- Virtual Wire Interface
- Virtual Wire Subinterface
- PA-7000 Series Layer 2 Interface
- PA-7000 Series Layer 2 Subinterface
- PA-7000 Series Layer 3 Interface
- Layer 3 Interface
- Layer 3 Subinterface
- Log Card Interface
- Log Card Subinterface
- Decrypt Mirror Interface
- Aggregate Ethernet (AE) Interface Group
- Aggregate Ethernet (AE) Interface
- Network > Interfaces > VLAN
- Network > Interfaces > Loopback
- Network > Interfaces > Tunnel
- Network > Interfaces > SD-WAN
- Network > VLANs
- Network > Virtual Wires
-
- Network > Network Profiles > GlobalProtect IPSec Crypto
- Network > Network Profiles > IPSec Crypto
- Network > Network Profiles > IKE Crypto
- Network > Network Profiles > Monitor
- Network > Network Profiles > Interface Mgmt
- Network > Network Profiles > QoS
- Network > Network Profiles > LLDP Profile
- Network > Network Profiles > SD-WAN Interface Profile
-
-
- Device > Setup
- Device > Setup > Management
- Device > Setup > Interfaces
- Device > Setup > Telemetry
- Device > Setup > Content-ID
- Device > Setup > WildFire
- Device > Log Forwarding Card
- Device > Config Audit
- Device > Administrators
- Device > Admin Roles
- Device > Access Domain
- Device > Authentication Sequence
-
- Security Policy Match
- QoS Policy Match
- Authentication Policy Match
- Decryption/SSL Policy Match
- NAT Policy Match
- Policy Based Forwarding Policy Match
- DoS Policy Match
- Routing
- Test Wildfire
- Threat Vault
- Ping
- Trace Route
- Log Collector Connectivity
- External Dynamic List
- Update Server
- Test Cloud Logging Service Status
- Test Cloud GP Service Status
- Device > Virtual Systems
- Device > Shared Gateways
- Device > Certificate Management
- Device > Certificate Management > Certificate Profile
- Device > Certificate Management > OCSP Responder
- Device > Certificate Management > SSL/TLS Service Profile
- Device > Certificate Management > SCEP
- Device > Certificate Management > SSL Decryption Exclusion
- Device > Response Pages
- Device > Server Profiles
- Device > Server Profiles > SNMP Trap
- Device > Server Profiles > Syslog
- Device > Server Profiles > Email
- Device > Server Profiles > HTTP
- Device > Server Profiles > NetFlow
- Device > Server Profiles > RADIUS
- Device > Server Profiles > TACACS+
- Device > Server Profiles > LDAP
- Device > Server Profiles > Kerberos
- Device > Server Profiles > SAML Identity Provider
- Device > Server Profiles > DNS
- Device > Server Profiles > Multi Factor Authentication
- Device > Local User Database > Users
- Device > Local User Database > User Groups
- Device > Scheduled Log Export
- Device > Software
- Device > Dynamic Updates
- Device > Licenses
- Device > Support
-
- Network > GlobalProtect > MDM
- Network > GlobalProtect > Device Block List
- Network > GlobalProtect > Clientless Apps
- Network > GlobalProtect > Clientless App Groups
- Objects > GlobalProtect > HIP Profiles
-
- Use the Panorama Web Interface
- Context Switch
- Panorama Commit Operations
- Defining Policies on Panorama
- Log Storage Partitions for a Panorama Virtual Appliance in Legacy Mode
- Panorama > Setup > Interfaces
- Panorama > High Availability
- Panorama > Administrators
- Panorama > Admin Roles
- Panorama > Access Domains
- Panorama > Device Groups
- Panorama > Plugins
- Panorama > Log Ingestion Profile
- Panorama > Log Settings
- Panorama > Scheduled Config Export
End-of-Life (EoL)
Objects > Security Profiles > Antivirus
Use the Antivirus Profiles page
to configure options to have the firewall scan for viruses on the
defined traffic. Set the applications that should be inspected for viruses
and the action to take when a virus is detected. The default profile
inspects all of the listed protocol decoders for viruses, generates
alerts for Simple Mail Transport Protocol (SMTP), Internet Message
Access Protocol (IMAP), and Post Office Protocol Version 3 (POP3),
and takes the default action for other applications (alert or deny),
depending on the type of virus detected. The profile will then be
attached to a Security policy rule to determine the traffic traversing
specific zones that will be inspected.
Customized profiles can be used to minimize antivirus inspection
for traffic between trusted security zones, and to maximize the
inspection of traffic received from untrusted zones, such as the
Internet, as well as the traffic sent to highly sensitive destinations,
such as server farms.
To add a new Antivirus profile, select
Add and enter the following settings:
Field | Description |
|---|---|
Name | Enter a profile name (up to 31 characters).
This name appears in the list of antivirus profiles when defining
security policies. The name is case-sensitive and must be unique.
Use only letters, numbers, spaces, hyphens, periods, and underscores. |
Description | Enter a description for the profile (up
to 255 characters). |
Shared (Panorama only) | Select this option if you want the profile
to be available to:
|
Disable override (Panorama only) | Select this option to prevent administrators
from overriding the settings of this Antivirus profile in device
groups that inherit the profile. This selection is cleared by default,
which means administrators can override the settings for any device
group that inherits the profile. |
Antivirus Tab Specify
the action for the different types of traffic, such as FTP and HTTP. | |
Packet Capture | Select this option if you want to capture
identified packets. |
Decoders and Actions | For each type of traffic that you want to
inspect for viruses, select an action from the drop-down. You can
define different actions for standard antivirus signatures (Action
column) and signatures generated by the WildFire system (WildFire
Action column). Some environments may have requirements for
a longer soak time for antivirus signatures, so this option enables
the ability to set different actions for the two antivirus signature
types provided by Palo Alto Networks. For example, the standard
antivirus signatures go through a longer soak period before being
released (24 hours), versus WildFire signatures, which can be generated
and released within 15 minutes after a threat is detected. Because
of this, you may want to choose the alert action on WildFire signatures
instead of blocking. For the best
security, clone the default Antivirus profile and set the Action
and WildFire Action for all the decoders to reset-both and
attach the profile to all Security policy rules that allow traffic. |
Applications Exceptions and Actions | The Applications Exception table
allows you to define applications that will not be inspected. For
example, to block all HTTP traffic except for a specific application,
you can define an antivirus profile for which the application is
an exception. Block is the action for the
HTTP decoder, and Allow is the exception
for the application. For each application exception, select the
action to be taken when the threat is detected. For a list of actions,
see Actions
in Security Profiles. To find an application, start
typing the application name in the text box. A matching list of
applications is displayed, and you can make a selection. If you believe a legitimate application
is incorrectly identified as carrying a virus (false positive),
open a support case with TAC so Palo Alto Networks can analyze and
fix the incorrectly identified virus. When the issue is resolved,
remove the exception from the profile. |
| Virus Exception Tab Use
the Virus Exception tab to define a list
of threats that will be ignored by the antivirus profile. Only create a virus exception if you are
sure an identified virus is not a threat (false positive). If you
believe you have discovered a false positive, open a support case
with TAC so Palo Alto Networks can analyze and fix the incorrectly
identified virus signature. When the issue is resolved, remove the
exception from the profile immediately. | |
Threat ID | To add specific threats that you want to
ignore, enter one Threat ID at a time and click Add.
Threat IDs are presented as part of the threat log information.
Refer to Monitor
> Logs. |