Threat signatures overview (original) (raw)

To protect your network from malicious attacks, Cloud Next Generation Firewall uses Palo Alto Networks signature-based threat detection technologies. Signature-based threat detection identifies malicious behavior by matching network traffic patterns against known threat signatures.

In this document, you learn about threat detection features and how they protect resources in your Virtual Private Cloud (VPC) network. You also learn how to use security profiles to override default actions and customize threat exceptions and antivirus behavior.

You can configure and manage the following threat detection features:

Default threat signatures
Supported threat severity levels
Threat exceptions
Antivirus

Default signature set

Cloud NGFW provides a default set ofthreat signaturesthat help you to safeguard your network workloads from threats. The signatures are used to detect vulnerabilities and spyware. To view all the threat signatures configured in Cloud NGFW, go to the threat vault. If you don't already have an account, sign-up for a new account.

Vulnerability detection signatures detect attempts to exploit system flaws or gain unauthorized access to systems. While anti-spyware signatures help identify infected hosts when traffic leaves the network, vulnerability detection signatures safeguard against threats that penetrate the network.
For example, vulnerability detection signatures help protect against buffer overflows, illegal code execution, and other attempts to exploit system vulnerabilities. The default vulnerability detection signatures provide detection for clients and servers from all known critical-, high-, and medium-severity threats along with any low- and informational-severity threats.
Anti-spyware signatures detect spyware on compromised hosts. Such spyware might try to contact external command-and-control (C2) servers.
Antivirus signatures detect viruses and malware found in executables and file types.

Each threat signature also has a default actionassociated with it. You can usesecurity profiles to override the actions for these signatures, and reference these profiles as part of asecurity profile groupin a firewall policy rule. If any configured threat signature is detected in the intercepted traffic, the firewall endpointperforms the corresponding action specified in the security profile on the matched packets.

Threat severity levels

A threat signature's severity indicates the risk of the detected event, and Cloud NGFW generates alerts for matching traffic. The following table summarizes the threat severity levels.

Severity	Description
Critical	Serious threats cause root compromise of servers. For example, threats that affect default installations of widely deployed software and where exploit code is widely available to the attackers. The attacker usually does not need any special authentication credentials or knowledge about the individual victims, and the target does not need to be manipulated into performing any special functions.
High	Threats that have the ability to become critical but there are mitigating factors. For example, they might be difficult to exploit, don't result in elevated privileges, or don't have a large victim pool.
Medium	Minor threats in which impact is minimized and that don't compromise the target, or exploits that require an attacker to reside on the same local network as the victim. Such attacks affect only non-standard configurations or obscure applications, or they provide very limited access.
Low	Warning-level threats that have very little impact on an organization's infrastructure. Such threats usually require local or physical system access and can often result in victim privacy issues and information leaks.
Informational	Suspicious events that don't pose an immediate threat, but that are reported to indicate deeper problems that could possibly exist.

Threat exceptions

If you want to suppress or increase alerts on specific threat signature IDs, you can use security profiles to override the default actions associated with threats. You can find the threat signature IDs of existing threats detected by Cloud NGFW in your threat logs.

Cloud NGFW provides visibility on threats that are detected in your environment. To view threats detected in your network, see View threats.

Antivirus

By default, Cloud NGFW generates an alert when it finds a virus threat in the network traffic of any of its supported protocols. You can use security profiles to override this default action, and allow or deny the network traffic based on the network protocol.

Supported protocols

Cloud NGFW supports the following protocols for antivirus detection:

SMTP
SMB
POP3
IMAP
HTTP2
HTTP
FTP

Supported actions

Cloud NGFW supports the following antivirus actions for its supported protocols:

DEFAULT: the default behavior of Palo Alto Networks antivirus action.
If a threat is found in the SMTP, IMAP, or POP3 protocol traffic, Cloud NGFW generates an alert in the threat logs. If a threat is found in the FTP, HTTP, or SMB protocol traffic, Cloud NGFW blocks the traffic. For more information, see the Palo Alto Networks actions documentation.
ALLOW: allow the traffic.
DENY: deny the traffic.
ALERT: generate an alert in the threat logs. This is the default behavior of Cloud NGFW.

Best practices for using the antivirus actions

We recommend that you configure the antivirus actions to deny all virus threats. Use the following guidance to determine whether to deny the traffic or generate an alert:

For business-critical applications, start with the security profile's action set to alert. This setting lets you monitor and assess threats without disrupting the traffic. After you confirm that the security profile meets your business and security requirements, you can change the security profile's action to deny.
For non-critical applications, set the security profile's action to deny. It's safe to block malicious traffic for non-critical applications immediately.

To set up an alert or to deny network traffic for all supported network protocols, use the following commands:

To set up an alert action on antivirus threats for all supported protocols:
gcloud network-security security-profiles threat-prevention add-override NAME \
--antivirus SMB,IMAP,HTTP,HTTP2,FTP,SMTP,POP3 \
--action ALERT \
--organization ORGANIZATION_ID \
--location LOCATION \
--project PROJECT_ID
Replace the following:
- NAME: the name of the security profile; you can specify the name as a string or as a unique URL identifier.
- ORGANIZATION_ID: the organization where the security profile is created.
  If you use a unique URL identifier for thename flag, you can omit the organization flag.
- LOCATION: the location of the security profile.
  Location is always set to global. If you use a unique URL identifier for the name flag, you can omit the location flag.
- PROJECT_ID: the project ID to use for quotas and access restrictions on the security profile.
To set up a deny action on antivirus threats for all supported protocols:
gcloud network-security security-profiles threat-prevention add-override NAME \
--antivirus SMB,IMAP,HTTP,HTTP2,FTP,SMTP,POP3 \
--action DENY \
--organization ORGANIZATION_ID \
--location LOCATION \
--project PROJECT_ID
Replace the following:
- NAME: the name of the security profile; you can specify the name as a string or as a unique URL identifier.
- ORGANIZATION_ID: the organization where the security profile is created.
  If you use a unique URL identifier for thename flag, you can omit the organization flag.
- LOCATION: the location of the security profile.
  Location is always set to global. If you use a unique URL identifier for the name flag, you can omit the location flag.
- PROJECT_ID: the project ID to use for quotas and access restrictions on the security profile.

For more information about how to set up the override, seeAdd override actions in a threat prevention security profile.

Content update frequency

Cloud NGFW automatically updates all signatures without any user intervention, enabling you to focus on analyzing and resolving threats without managing or updating signatures.

Updates from Palo Alto Networks are picked up by Cloud NGFW and pushed to all the existing firewall endpoints. Update latency is estimated to be up to 48 hours.

View logs

Several features of Cloud NGFW generate alerts, which are sent to the threat log. For more information about logging, seeCloud Logging.