Security Profiles Overview
Security profiles are applied to security policy rules with an Allow action to inspect permitted traffic for threats. Profiles do NOT apply to Deny/Drop rules (traffic is already blocked). There are six types of security profiles:
| Profile Type | Function | License Required |
|---|---|---|
| Antivirus | Detects known malware, viruses, and spyware in files and traffic | Threat Prevention |
| Anti-Spyware | Detects spyware downloads and command-and-control (C2) traffic | Threat Prevention |
| Vulnerability Protection | IPS -- blocks exploit attempts targeting known vulnerabilities (CVEs) | Threat Prevention |
| URL Filtering | Controls web access by URL category (block, alert, allow, continue, override) | URL Filtering (PAN-DB) |
| File Blocking | Blocks or alerts on specific file types (exe, dll, pdf, etc.) by direction | None (built-in) |
| WildFire Analysis | Sends unknown files to WildFire cloud sandbox for zero-day analysis | WildFire |
Security Profile Groups vs Individual Profiles
You can attach security profiles to rules in two ways:
| Method | Description | Best For |
|---|---|---|
| Individual Profiles | Select each profile type separately on the rule | Granular control, unique per-rule needs |
| Security Profile Group | Pre-defined bundle of profiles applied as a single unit | Consistency, easier management across many rules |
Best Practice Profiles: PAN-OS includes predefined best practice security profiles (e.g., "strict" and "default") for each profile type. Palo Alto recommends starting with "strict" profiles and adjusting exceptions as needed rather than building profiles from scratch.
Tip: Security profiles are only enforced on rules with an Allow action. If a rule denies traffic, attaching a security profile has no effect -- the traffic is already dropped before content inspection.
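One way to audit a rulebase for the point above (added example, not code from the page or from PAN-OS): a Python check over a constructed rulebase fragment laid out like the exported PAN-OS XML (the element names `profile-setting`, `group` and `profiles` are assumed to match the real config) that flags Allow rules with no profile or only some profile types, and Deny rules carrying a profile that is never enforced.

```python
import xml.etree.ElementTree as ET

# Constructed rulebase in PAN-OS XML layout (assumed; a real export nests it
# under /config/devices/entry/vsys/entry/rulebase/security/rules).
SAMPLE_RULEBASE = """<rules>
  <entry name="allow-web-strict"><action>allow</action>
    <profile-setting><group><member>strict</member></group></profile-setting></entry>
  <entry name="allow-dns-partial"><action>allow</action>
    <profile-setting><profiles><virus><member>default</member></virus>
      <spyware><member>strict</member></spyware></profiles></profile-setting></entry>
  <entry name="allow-legacy-noprofile"><action>allow</action></entry>
  <entry name="deny-with-profile"><action>deny</action>
    <profile-setting><group><member>strict</member></group></profile-setting></entry>
</rules>"""

# The six profile types, by their element names in the XML config (assumed).
PROFILE_TYPES = ("virus", "spyware", "vulnerability", "url-filtering",
                 "file-blocking", "wildfire-analysis")

def rule_profiles(entry):
    """Return ('group', name), ('individual', [present types]) or (None, None)."""
    group = entry.find("profile-setting/group/member")
    if group is not None and group.text:
        return "group", group.text
    profs = entry.find("profile-setting/profiles")
    if profs is not None:
        present = [t for t in PROFILE_TYPES if profs.find(f"{t}/member") is not None]
        if present:
            return "individual", present
    return None, None

def audit_rulebase(xml_text):
    """Flag allow rules with no or partial profiles (traffic passes without
    inspection) and non-allow rules carrying profiles that are never enforced."""
    findings = []
    for entry in ET.fromstring(xml_text).findall("entry"):
        name = entry.get("name")
        action = (entry.findtext("action") or "").strip()
        kind, detail = rule_profiles(entry)
        if action == "allow" and kind is None:
            findings.append((name, "no security profile: allowed traffic is uninspected"))
        elif action == "allow" and kind == "individual":
            missing = sorted(set(PROFILE_TYPES) - set(detail))
            if missing:
                findings.append((name, "missing profile types: " + ", ".join(missing)))
        elif action != "allow" and kind is not None:
            findings.append((name, f"profile attached to a {action} rule is never enforced"))
    return findings
```

Run it against a real export by extracting the `rules` element from the running config and passing its XML text to `audit_rulebase`.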
Antivirus & Anti-Spyware Profiles
Antivirus Profile: Inspects traffic for known malware using signature-based detection. Configurable actions per protocol (HTTP, SMTP, FTP, SMB, IMAP, POP3). Decoder actions: Alert, Allow, Drop, Reset. The WildFire inline ML feature adds machine learning-based detection for unknown threats in real time.
Anti-Spyware Profile: Focuses on detecting outbound C2 (command-and-control) callbacks and spyware phone-home activity. Key features include DNS sinkhole (redirects malicious DNS lookups to a sinkhole IP to identify infected hosts), passive DNS monitoring, and botnet detection by severity level.
| Anti-Spyware Feature | Description |
|---|---|
| DNS Sinkhole | Forges DNS response for malicious domains, redirecting to a sinkhole IP (e.g., 72.5.65.111). Infected hosts are identified by traffic to the sinkhole. |
| Passive DNS Monitoring | Sends DNS query data to Palo Alto threat intelligence for analysis without affecting traffic flow |
| Severity-based Actions | Configure different actions (alert, drop, reset, block-ip) per threat severity (critical, high, medium, low, informational) |
Vulnerability Protection Profile
The vulnerability protection profile functions as an IPS (Intrusion Prevention System). It detects and blocks exploit attempts that target known software vulnerabilities. Signatures are updated regularly via the Threat Prevention dynamic updates.
- Rules: Define actions per severity level, CVE ID, vendor, or category
- Exceptions: Override actions for specific threat IDs (e.g., allow a specific signature that causes false positives)
- Actions: Default, Allow, Alert, Drop, Reset Client, Reset Server, Reset Both, Block IP
- Direction: Client-to-server (protects servers), Server-to-client (protects clients), Both
URL Filtering Profile
URL Filtering uses the PAN-DB cloud-based URL categorization database to control web access. Each URL is categorized, and the profile defines an action per category.
| Action | Behavior |
|---|---|
| Allow | Permits access, no log entry by default |
| Alert | Permits access but generates a URL filtering log entry |
| Block | Blocks access and displays a block page to the user |
| Continue | Displays a warning page; user can click to proceed |
| Override | Requires a password to proceed past the block page |
Custom URL categories can be created to define specific URLs or domains with a custom action. HTTP Header Insertion allows injecting headers for SaaS tenant restrictions (e.g., restrict O365 to corporate tenant only).
File Blocking & WildFire
File Blocking: Controls file transfers based on file type, application, and direction (upload/download). Actions: Alert (log only), Block (prevent transfer), Continue (warn user). No separate license required.
WildFire: Cloud-based sandbox that analyzes unknown or suspicious files for zero-day threats. Files are submitted to the WildFire cloud (or a WildFire appliance for on-premises), analyzed in virtual environments, and a verdict is returned (benign, malware, grayware, phishing). WildFire generates signatures within minutes and distributes them globally.
- Basic WildFire: Included with Threat Prevention license, updates every 24-48 hours
- WildFire Subscription: Real-time updates within 5 minutes, advanced file type support, API access
SSL/TLS Decryption
Decryption policies allow the firewall to inspect encrypted HTTPS traffic. Without decryption, App-ID and Content-ID have limited visibility into SSL/TLS sessions.
| Decryption Type | Description |
|---|---|
| SSL Forward Proxy | Decrypts outbound HTTPS from internal users to external sites. Firewall acts as a man-in-the-middle with a trusted CA certificate. |
| SSL Inbound Inspection | Decrypts inbound HTTPS to internal servers. Requires importing the server's private key and certificate on the firewall. |
| SSH Proxy | Decrypts SSH tunnels to detect tunneled traffic (e.g., SSH tunnel carrying non-SSH traffic). |
| No Decrypt | Explicitly excludes traffic from decryption (health, finance, or pinned certificates). |
Tip: For SSL Forward Proxy, deploy the firewall's self-signed CA certificate to all client machines via GPO or MDM. Otherwise, users will see certificate trust errors in their browsers.
Logging & Monitoring
| Log Type | Description |
|---|---|
| Traffic | Session start/end logs for all traffic matching security rules (must enable logging on each rule) |
| Threat | Threats detected by security profiles (antivirus, IPS, spyware, URL filtering) |
| URL Filtering | Web access log entries generated by URL filtering profile actions |
| WildFire Submissions | Files submitted to WildFire and their analysis verdicts |
| Data Filtering | DLP pattern matches (credit card numbers, SSNs, custom patterns) |
| System | System events (config changes, HA failover, upgrades, hardware failures) |
| Configuration | Audit trail of all configuration changes by administrator |
| Authentication | Captive portal, GlobalProtect, and admin authentication events |
Log Forwarding: Logs can be forwarded to external systems via syslog, SNMP traps, email alerts, HTTP server profiles, or to Panorama/Cortex Data Lake. Log forwarding profiles are attached to security policy rules to define which log types to forward and where.
Tip: By default, security rules do NOT log traffic at session start -- only at session end. Enable "Log at Session Start" if you need real-time visibility, but be aware this doubles the log volume.
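The DNS sinkhole section above says infected hosts are identified by their traffic to the sinkhole IP; this added example (not code from the page or from Palo Alto) shows that identification run over forwarded Traffic logs. It parses constructed PAN-OS traffic syslog lines in CSV form, with column positions assumed to follow the documented PAN-OS 10.x traffic log layout, and reports every source host that connected to 72.5.65.111 together with its user and the App-IDs seen.

```python
import csv
from collections import defaultdict
from io import StringIO

SINKHOLE_IP = "72.5.65.111"   # default sinkhole address cited on the page

# Column positions in the PAN-OS traffic syslog CSV (assumed here to follow the
# documented PAN-OS 10.x layout; confirm against your version's log field reference).
COLS = {"type": 3, "subtype": 4, "src": 7, "dst": 8, "rule": 11,
        "srcuser": 12, "app": 14, "dport": 25, "action": 30}
N_FIELDS = 31

def make_line(**fields):
    """Build one constructed TRAFFIC log line with the named fields filled in."""
    row = [""] * N_FIELDS
    row[COLS["type"]] = "TRAFFIC"
    for name, value in fields.items():
        row[COLS[name]] = value
    return ",".join(row)

# Constructed sample: two internal hosts reach the sinkhole, one line is normal web traffic.
SAMPLE_LOG = "\n".join([
    make_line(subtype="end", src="10.1.20.15", dst=SINKHOLE_IP, rule="outbound-web",
              srcuser="corp\\alice", app="web-browsing", dport="80", action="allow"),
    make_line(subtype="end", src="10.1.20.15", dst=SINKHOLE_IP, rule="outbound-web",
              srcuser="corp\\alice", app="ssl", dport="443", action="allow"),
    make_line(subtype="end", src="10.1.30.7", dst=SINKHOLE_IP, rule="outbound-web",
              srcuser="", app="unknown-tcp", dport="8080", action="allow"),
    make_line(subtype="end", src="10.1.20.15", dst="93.184.216.34", rule="outbound-web",
              srcuser="corp\\alice", app="web-browsing", dport="443", action="allow"),
])

def sinkhole_hosts(log_text):
    """Map each source IP that contacted the sinkhole to its user, hit count and
    the App-IDs seen. A host that keeps connecting after the forged DNS answer
    is the infection indicator the DNS sinkhole feature is designed to surface."""
    hosts = defaultdict(lambda: {"user": "", "hits": 0, "apps": set()})
    for row in csv.reader(StringIO(log_text)):
        if len(row) < N_FIELDS or row[COLS["type"]] != "TRAFFIC":
            continue
        if row[COLS["dst"]] != SINKHOLE_IP:
            continue
        entry = hosts[row[COLS["src"]]]
        entry["hits"] += 1
        entry["apps"].add(row[COLS["app"]])
        entry["user"] = row[COLS["srcuser"]] or entry["user"]
    return {ip: {**e, "apps": sorted(e["apps"])} for ip, e in hosts.items()}
```

Feed it the syslog export from a log forwarding profile that forwards Traffic logs; a host appearing here is a remediation candidate regardless of the rule that allowed the session.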
GlobalProtect Overview
GlobalProtect is Palo Alto's VPN and endpoint protection solution. It extends the firewall's security policies to remote users and mobile devices.
| Component | Function |
|---|---|
| GlobalProtect Portal | Provides client configuration, distributes the GP agent, manages client settings and gateway lists |
| GlobalProtect Gateway | Terminates VPN tunnels, enforces security policies on remote user traffic |
| GlobalProtect Agent | Client software on user devices (Windows, Mac, Linux, iOS, Android) |
The portal and gateway can run on the same firewall or on separate firewalls. Authentication methods include LDAP, RADIUS, SAML, client certificates, and multi-factor authentication.