How to set the threshold time for Applications and Threats content updates based on a security-first or mission-critical-first posture
Objective
New application and threat signatures are delivered together in a single content update package. A new App-ID may begin matching traffic that one of your custom applications identified before, and a new threat signature may fire on benign traffic. This article covers the best strategy for reducing such false positives in your network.
Environment
- Palo Alto Networks firewall.
- Any PAN-OS
- Content Updates.
Procedure
Application and threat updates can be installed at different times even though they are delivered in the same package. Organizations can be classified as "security-first" or "mission-critical", and the installation threshold should follow that classification.
The following common practices apply to both.
- Review the content release notes for the new application and threat signatures. In the web interface, go to Device > Dynamic Updates, select a content version and click Release Notes.
- Release notes describe the newly identified and modified application and threat signatures. These changes may affect existing security policies.
- Review the recommendations for modifying your security policy so that you take full advantage of the new protection.
- Go to the Customer Support Portal and subscribe to content update e-mails.
A security-first organization prioritizes protection over application availability; attack defense is the first priority.
- If possible, stagger the roll-out of new content. If you have a firewall in a location with fewer users or less business risk, install the new content there first and monitor the results.
- Check whether any new threat signature can affect connectivity, for example signatures related to authentication or brute-force attacks.
- Schedule content updates as "download and install" with a threshold of 6 to 12 hours. The firewall waits that long after a release becomes available before installing it, which gives time for problems with a release to be reported and corrected.
- Install 911 content releases as quickly as possible.
For mission-critical operations, where availability is the primary requirement, prioritize uptime over immediate installation of new threat signatures. If your security policies rely on App-ID, a modified application signature in a content update can reclassify traffic so that it no longer matches the rule that allowed it, resulting in service disruption. To avoid this, stage every signature update before it is installed.
- Identify the App-IDs that are mission-critical (for example authentication, operating system updates and application updates) and create a security policy rule that allows them explicitly. Refer to Manage New and Modified App-IDs.
- Create an application filter for new App-IDs in critical categories and use this application filter in a security policy rule with the appropriate action.
- Schedule content updates as "download and install" automatically with a threshold of 24 to 48 hours, so that a release is installed only after it has been available for that long.
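To make the threshold rule from the two postures above concrete, the following added example (not code from the article or from Palo Alto Networks) decides whether the newest content release is old enough to install. It assumes the XML shape of the firewall's `request content upgrade check` output (per-entry `version`, `released-on`, `current` and `latest` elements), and the sample response below is constructed, so the script runs offline. The 12- and 48-hour values are the upper ends of the 6 to 12 and 24 to 48 hour windows recommended above.

```python
"""Threshold check for PAN-OS content releases.

Added example for this article; not code from Palo Alto Networks. The XML
layout mirrors the `request content upgrade check` output as assumed here,
and SAMPLE_XML is a constructed response, not a capture from a firewall.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

# Upper end of the threshold windows the article recommends, in hours.
THRESHOLD_HOURS = {
    "security-first": 12,     # 6 to 12 hours
    "mission-critical": 48,   # 24 to 48 hours
}

TIME_FMT = "%Y/%m/%d %H:%M:%S"

# Constructed sample response (assumption: this is the element layout).
SAMPLE_XML = """<response status="success"><result>
<content-updates last-updated-at="2024/03/20 10:00:00">
  <entry>
    <version>8820-8595</version>
    <released-on>2024/03/19 20:30:00</released-on>
    <downloaded>no</downloaded>
    <current>no</current>
    <latest>yes</latest>
  </entry>
  <entry>
    <version>8819-8588</version>
    <released-on>2024/03/17 18:00:00</released-on>
    <downloaded>yes</downloaded>
    <current>yes</current>
    <latest>no</latest>
  </entry>
</content-updates></result></response>"""


@dataclass
class ContentRelease:
    version: str
    released_on: datetime
    current: bool   # the release installed on the firewall now
    latest: bool    # the newest release the update server offers


def parse_content_updates(xml_text):
    """Turn the content-updates XML into a list of ContentRelease records."""
    root = ET.fromstring(xml_text)
    releases = []
    for entry in root.iter("entry"):
        releases.append(ContentRelease(
            version=entry.findtext("version"),
            released_on=datetime.strptime(entry.findtext("released-on"), TIME_FMT),
            current=entry.findtext("current") == "yes",
            latest=entry.findtext("latest") == "yes",
        ))
    return releases


def install_decision(releases, posture, now):
    """Apply the posture's threshold to the newest offered release.

    Returns a dict whose 'action' is 'none' (already current), 'install'
    (release is at least threshold hours old) or 'wait' (still inside the
    staging window), with the hours elapsed or remaining.
    """
    threshold = timedelta(hours=THRESHOLD_HOURS[posture])
    current = next((r for r in releases if r.current), None)
    latest = next((r for r in releases if r.latest), None)
    if latest is None or (current is not None and current.version == latest.version):
        return {"action": "none", "version": current.version if current else None}
    age = now - latest.released_on
    if age >= threshold:
        return {"action": "install", "version": latest.version,
                "age_hours": age.total_seconds() / 3600}
    remaining = threshold - age
    return {"action": "wait", "version": latest.version,
            "remaining_hours": remaining.total_seconds() / 3600}


def decide_from_xml(xml_text, posture, now_text):
    """Convenience wrapper: parse the response and decide for one posture."""
    releases = parse_content_updates(xml_text)
    return install_decision(releases, posture, datetime.strptime(now_text, TIME_FMT))


if __name__ == "__main__":
    # Evaluate at the time the server list was refreshed, for both postures.
    for posture in THRESHOLD_HOURS:
        print(posture, decide_from_xml(SAMPLE_XML, posture, "2024/03/20 10:00:00"))
```

With the constructed sample, release 8820-8595 is 13.5 hours old at the evaluation time: a security-first firewall (12-hour threshold) installs it, while a mission-critical firewall (48-hour threshold) keeps waiting for another 34.5 hours. The same logic is what the "download and install" schedule applies on the firewall itself; running it by hand is useful when you want to confirm which release a staggered roll-out site will pick up before the rest of the fleet.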