CIS Palo Alto Firewall 7 Benchmark L2 V1.0.0

Ensure ‘Security Policy’ denying any/all traffic exists at the bottom of the security policies ruleset

Details

EXTREME CAUTION MUST BE USED BEFORE IMPLEMENTING THIS RECOMMENDATION, AS CERTAIN TRAFFIC PERMITTED BY DEFAULT WILL BE DENIED UNLESS SPECIFICALLY ALLOWED. Create a security rule at the bottom of the security policies ruleset, immediately above the pre-defined intrazone-default and interzone-default rules, that denies any traffic regardless of source, destination, or application. Ensure this policy is set to log at session end.

Rationale:

In incident response, logging denied traffic is often just as important as logging permitted traffic. The logs for denied traffic can be used to establish a pattern of failed attack attempts before the final attack succeeds. This can be used in attribution and identification of the attacker, but can also be used to help identify which defenses need shoring up to defend against future attacks. Viewing denied traffic can also be useful for understanding how security policies are affecting traffic.

Palo Alto firewalls do not log denied traffic by default. Therefore, to gain visibility into denied traffic, a ‘deny and log’ policy must be created at the end of the security policy ruleset.

Solution

1. Navigate to Policies > Security.
2. Set a Security Policy with:
   Name: ‘Deny and Log Any’
   Source: Zone set to Any, Address set to Any
   Destination: Zone set to Any, Address set to Any
   Application: Any
   Service: Any
   Action: Block
   Profile: None
Default Value:
Not Configured
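The benchmark describes the GUI steps only; a practitioner also wants a repeatable check that the rule is actually last, matches everything, and logs. The following script is an added example for this page, not CIS or Palo Alto Networks code. It parses a PAN-OS configuration export and audits the final security rule. It assumes the export's XML layout (rulebase/security/rules/entry with <member> lists and <action>/<log-end> children) and that a rule whose action is set to Block/Deny in the GUI appears as <action>deny</action>; the configuration snippets it contains are constructed samples, not real exports.

```python
"""Audit a PAN-OS configuration export for a final 'deny and log' security rule.

Added example for this benchmark item; not CIS or Palo Alto Networks code.
Assumes the XML layout of a PAN-OS configuration export (rulebase/security/
rules/entry with <member> lists and <action>/<log-end> elements), and that a
rule set to Block/Deny in the GUI appears as <action>deny</action>.
The configuration snippets below are constructed samples, not real exports.
"""
import xml.etree.ElementTree as ET

# Fields that must all be 'any' on the catch-all rule.
ANY_FIELDS = ("from", "to", "source", "destination", "application", "service")


def members(entry, field):
    """Return the <member> values under a rule field, e.g. ['any'] or ['trust', 'dmz']."""
    node = entry.find(field)
    if node is None:
        return []
    return [m.text.strip() for m in node.findall("member") if m.text]


def text_of(entry, field):
    """Return the text of a simple child element, or '' if it is absent."""
    node = entry.find(field)
    return (node.text or "").strip() if node is not None else ""


def load_rules(config_xml):
    """Return the ordered <entry> elements of the first security rulebase in the export."""
    rules = ET.fromstring(config_xml).find(".//rulebase/security/rules")
    return [] if rules is None else rules.findall("entry")


def audit_final_deny_rule(config_xml):
    """Return a list of findings about the last security rule; an empty list means compliant."""
    rules = load_rules(config_xml)
    if not rules:
        return ["no security rules found in configuration"]
    last = rules[-1]
    name = last.get("name", "<unnamed>")
    findings = []
    for field in ANY_FIELDS:
        got = members(last, field)
        if got != ["any"]:
            findings.append(f"rule '{name}': {field} is {got or 'unset'}, expected ['any']")
    if text_of(last, "action") not in ("deny", "drop"):
        findings.append(f"rule '{name}': action is '{text_of(last, 'action')}', expected deny")
    # The benchmark asks that logging at session end be ensured, so an absent
    # <log-end> is reported instead of being assumed to be the platform default.
    if text_of(last, "log-end") != "yes":
        findings.append(f"rule '{name}': log-end is not explicitly set to yes")
    if text_of(last, "disabled") == "yes":
        findings.append(f"rule '{name}': rule is disabled")
    return findings


# --- constructed sample data (not a real export) -----------------------------
def _rule(name, frm, to, apps, svc, action):
    def mem(vals):
        return "".join(f"<member>{v}</member>" for v in vals)
    return (f'<entry name="{name}"><from>{mem(frm)}</from><to>{mem(to)}</to>'
            "<source><member>any</member></source><destination><member>any</member></destination>"
            f"<application>{mem(apps)}</application><service>{mem(svc)}</service>"
            f"<action>{action}</action><log-end>yes</log-end></entry>")


def _config(*rules):
    return ('<config version="7.0.0"><devices><entry name="localhost.localdomain">'
            '<vsys><entry name="vsys1"><rulebase><security><rules>'
            + "".join(rules)
            + "</rules></security></rulebase></entry></vsys></entry></devices></config>")


ALLOW_WEB = _rule("Allow Outbound Web", ["trust"], ["untrust"],
                  ["web-browsing", "ssl"], ["application-default"], "allow")
DENY_ALL = _rule("Deny and Log Any", ["any"], ["any"], ["any"], ["any"], "deny")

GOOD_CONFIG = _config(ALLOW_WEB, DENY_ALL)   # deny rule is last, as the benchmark requires
WRONG_ORDER = _config(DENY_ALL, ALLOW_WEB)   # deny rule created but never moved to the bottom
NO_LOGGING = _config(ALLOW_WEB, DENY_ALL.replace("<log-end>yes</log-end>", ""))

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("wrong order", WRONG_ORDER), ("no logging", NO_LOGGING)):
        print(f"{label}: {audit_final_deny_rule(cfg) or 'compliant'}")
```

Point `audit_final_deny_rule` at the text of a real export to run it against a device; the "wrong order" case is the common mistake where the rule exists but a later-added rule sits beneath it, so the catch-all is no longer the last rule evaluated before the default rules.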

Supportive Information


This security hardening control applies to the following category of controls within NIST 800-53: System and Communications Protection. This control applies to the following type of system: Palo_Alto.


Updated on July 16, 2022