Actions in Security Profiles


The action specifies how the firewall responds to a threat event. Every threat or virus signature defined by Palo Alto Networks includes a default action, typically either Alert, which informs you using the notification option you have enabled, or Reset Both, which resets both sides of the connection. However, you can define or override the action on the firewall. The following actions are applicable when defining Antivirus profiles, Anti-Spyware profiles, Vulnerability Protection profiles, custom spyware objects, custom vulnerability objects, or DoS Protection profiles.

| Action | Description |
|---|---|
| Default | Takes the default action that is specified internally for each threat signature. For antivirus profiles, it takes the default action for the virus signature. In a DoS Protection profile: Random Early Drop. |
| Allow | Permits the application traffic. The Allow action does not generate logs related to the signatures or profiles. |
| Alert | Generates an alert for each application traffic flow. The alert is saved in the threat log. In a DoS Protection profile: generates an alert when attack volume (cps) reaches the Alarm threshold set in the profile. |
| Drop | Drops the application traffic. |
| Reset Client | For TCP, resets the client-side connection. For UDP, the connection is dropped. |
| Reset Server | For TCP, resets the server-side connection. For UDP, the connection is dropped. |
| Reset Both | For TCP, resets the connection on both client and server ends. For UDP, the connection is dropped. |
| Block IP | Blocks traffic from either a source or a source-destination pair; configurable for a specified period of time. |
| Sinkhole | Directs DNS queries for malicious domains to a sinkhole IP address. The action is available for Palo Alto Networks DNS signatures and for custom domains included in Objects > External Dynamic Lists. |
| Random Early Drop | Causes the firewall to randomly drop packets when connections per second reach the Activate Rate threshold in a DoS Protection profile applied to a DoS Protection rule. |
| SYN Cookies | Causes the firewall to generate SYN cookies to authenticate a SYN from a client when connections per second reach the Activate Rate threshold in a DoS Protection profile applied to a DoS Protection rule. |

You cannot delete a profile that is used in a policy rule; you must first remove the profile from the policy rule.
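
The action semantics above can be turned into a configuration review. The following is an added example, not Palo Alto Networks code: it walks an exported profile tree and lists every rule whose action leaves traffic flowing (Allow, Alert) or defers to the per-signature default. The XML nesting and all profile and rule names are assumptions built for this illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample; the nesting (profile type -> entry -> rules -> entry ->
# action) is an assumed layout modeled on a PAN-OS configuration export.
SAMPLE_CONFIG = """
<profiles>
  <vulnerability><entry name="vp-example"><rules>
    <entry name="crit-block"><action><reset-both/></action>
      <severity><member>critical</member></severity></entry>
    <entry name="high-watch"><action><alert/></action>
      <severity><member>high</member></severity></entry>
    <entry name="legacy-exception"><action><allow/></action>
      <severity><member>medium</member></severity></entry>
  </rules></entry></vulnerability>
  <spyware><entry name="as-example"><rules>
    <entry name="all-default"><action><default/></action>
      <severity><member>any</member></severity></entry>
    <entry name="c2-block"><action><block-ip><duration>300</duration></block-ip></action>
      <severity><member>critical</member></severity></entry>
  </rules></entry></spyware>
</profiles>
"""

# Actions that do not stop traffic outright, with the reason taken from the table.
REVIEW = {
    "allow": "traffic permitted, no signature/profile log generated",
    "alert": "logged to the threat log but not blocked",
    "default": "outcome depends on each signature's default action",
}

def audit_profiles(xml_text):
    """Return one (type, profile, rule, action, severities, reason) tuple per rule to review."""
    findings = []
    root = ET.fromstring(xml_text)
    for ptype in ("vulnerability", "spyware"):
        for profile in root.findall(f"./{ptype}/entry"):
            for rule in profile.findall("./rules/entry"):
                action_el = rule.find("action")
                # The action is the tag of the first child; block-ip nests its settings.
                has_action = action_el is not None and len(action_el) > 0
                action = action_el[0].tag if has_action else "missing"
                reason = REVIEW.get(action, None if has_action else "no action element")
                if reason:
                    sev = [m.text for m in rule.findall("./severity/member")]
                    findings.append((ptype, profile.get("name"), rule.get("name"),
                                     action, sev, reason))
    return findings
```

Calling `audit_profiles(SAMPLE_CONFIG)` returns the three rules that need a second look; rules set to Reset Both or Block IP are not reported.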