The Palo Alto Networks security platform must send an immediate (within seconds) alert to, at a minimum, the SCA when malicious code is detected.

From Palo Alto Networks IDPS Security Technical Implementation Guide

Part of SRG-NET-000249-IDPS-00222

Associated with: CCI-001243

SV-77153r1_rule The Palo Alto Networks security platform must send an immediate (within seconds) alert to, at a minimum, the SCA when malicious code is detected.

Vulnerability discussion

Without an alert, security personnel may be unaware of an impending failure of the audit capability, and the ability to perform forensic analysis and detect rate-based and other anomalies will be impeded.The IDPS generates an immediate (within seconds) alert which notifies designated personnel of the incident. Sending a message to an unattended log or console does not meet this requirement since that will not be seen immediately. These messages should include a severity level indicator or code as an indicator of the criticality of the incident.When the Palo Alto Networks security platform blocks malicious code, it also generates a record in the threat log. This message has a medium severity.

Check content

The following is an example of how to check if the device is sending messages to e-mail; this is one option that meets the requirement. If sending messages to an SNMP server or Syslog servers is used, follow the vendor guidance on how to verify that function. Go to Device >> Server Profiles >> Email If there is no Email Server Profile configured, this is a finding. Go to Objects >> Log forwarding If there is no Email Forwarding Profile configured, this is a finding. Go to Policies >> Security View the Security Policy that is used to detect malicious code (the "Profile" column does display the Antivirus Profile symbol); in the "Options" column, if the Email Forwarding Profile is not used, this is a finding.

Fix text

The following is an example of how to configure the device to send messages to e-mail; this is one option that meets the requirement. If sending messages to an SNMP server or Syslog servers is used, follow the vendor guidance on how to configure that function. To create an email server profile: Go to Device >> Server Profiles >> Email Select "Add". In the "Email Server Profile" field, enter the name of the profile. Select "Add". In the "Servers" tab, enter the required information. In the "Name" field, enter the name of the Email server. In the "Email Display" Name field, enter the name shown in the "From" field of the email. In the "From" field, enter the "From email address". In the "To" field, enter the email address of the recipient. In the "Additional Recipient" field, enter the email address of another recipient. You can only add one additional recipient. To add multiple recipients, add the email address of a distribution list. In the "Gateway" field, enter the IP address or host name of the Simple Mail Transport Protocol (SMTP) server used to send the email. Select "OK". After you create the Server Profiles that define where to send your logs, you must enable log forwarding. Threat Logs—Enable forwarding of Threat logs by creating a Log Forwarding Profile (Objects >> Log Forwarding) that specifies which severity levels you want to forward and then adding it to the security policies for which you want to trigger the log forwarding. A Threat log entry will only be created (and therefore forwarded) if the associated traffic matches a Security Profile (Antivirus, Anti-spyware, Vulnerability, URL Filtering, File Blocking, Data Filtering, or DoS Protection). Configure the log-forwarding profile to select the logs to be forwarded to Email server. Go to Objects >> Log forwarding The "Log Forwarding Profile" window appears. Note that it has five columns. In the "Name" Field, enter the name of the Log Forwarding Profile. In the "Threat Settings Section" in the "Email" column, select the Email server profile for forwarding threat logs to the configured server(s). Select "OK". When the "Log Forwarding Profile" window disappears, the screen will show the configured log-forwarding profile. For Threat Logs, use the log forwarding profile in the security rules. Go to Policies >> Security Rule Select the rule for which the log forwarding needs to be applied, which in this case is the Security Policy that is used to detect malicious code (the "Profile column" does display the Antivirus Profile symbol). Apply the log forwarding profile to the rule. In the "Actions" tab in the "Log Setting" section; in the "Log Forwarding" field, select the log forwarding profile from drop-down list. Note that the "Log Forwarding" field can only have one profile. Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer