Unable to modify a security profile in an SCM managed firewall

Created On 06/17/25 20:25 PM - Last Modified 07/07/25 21:15 PM


Symptom


  • The options to change anything in a profile in an SCM managed firewall are greyed out, so the profile cannot be modified.
  • Even after cloning the profile, the option to modify does not work as the profile info is greyed-out.


Environment


  • Palo Alto Firewalls
  • Supported PAN-OS
  • Strata Cloud Manager (SCM)


Cause


  • The original profile was created from a Best Practice Template within SCM.
  • When deploying a security policy from a best practice template, certain aspects of those policies are often locked down by the template itself to ensure compliance with recommended security postures.
  • Even the cloned templates inherit the same properties.
 


Resolution


Create a new profile, rather than cloning a best practice template. Use the steps below:
  1. Navigate to Security Profiles in SCM: In Strata Cloud Manager, go to the section where you manage your Security Profiles.
  2. Create a New File Blocking Profile: Look for an option to "Add" or "Create New" File Blocking Profile.
  3. Configure from Scratch: When creating the new profile, you will need to manually configure the desired file types and their corresponding actions (block, alert, continue, etc.).
    • For your specific need, you'll want to add the executable file type and set its action as "block," replicating your best practice preference.
    • For the file types you wish to modify (e.g., allow or alert instead of block), you can then set those actions accordingly.
  4. Apply the New Profile to your Security Policy: Once you've created and configured the new custom File Blocking Profile, you'll need to apply it to your relevant Security Policy rules. This involves:
    • Editing the Security Policy rule that currently uses the "locked" File Blocking Profile.
    • Changing the File Blocking Profile associated with that rule to your newly created custom profile.
  5. Deploy Changes: After making these modifications, remember to deploy the changes from SCM to your firewall.


Additional Information


  • Review all settings: When creating a new profile, review all the necessary settings to avoid unintended security gaps.
  • Impact assessment: Before deploying, consider the potential impact of any changes to your security posture.
  • Documentation: As a good practice, document the changes and the reasoning behind them.
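
One way to support the review and documentation points above when a profile is rebuilt from scratch is to compare it with the best practice profile and list every file type that is now handled less strictly, including types that were left out entirely. This is an added example, not Palo Alto Networks code: the dictionary layout, rule names, file-type lists and strictness ordering are assumptions for illustration, not an SCM export schema.

```python
# Added example: the profile layout below is a hypothetical format,
# not an SCM API schema. Rule and file-type names are constructed samples.

# Assumed strictness order; a file type matched by no rule is not blocked.
STRICTNESS = {"none": 0, "alert": 1, "continue": 2, "block": 3}


def effective_actions(profile):
    """Map each file type to the strictest action any rule assigns to it
    (a simplification used only for this comparison)."""
    actions = {}
    for rule in profile["rules"]:
        for ftype in rule["file_types"]:
            current = actions.get(ftype, "none")
            if STRICTNESS[rule["action"]] > STRICTNESS[current]:
                actions[ftype] = rule["action"]
    return actions


def weakened(baseline, custom, approved=()):
    """Return (file_type, old, new) for every type the custom profile treats
    less strictly than the baseline, skipping explicitly approved changes."""
    base = effective_actions(baseline)
    new = effective_actions(custom)
    findings = []
    for ftype, old in sorted(base.items()):
        now = new.get(ftype, "none")  # omitted from the new profile entirely
        if STRICTNESS[now] < STRICTNESS[old] and ftype not in approved:
            findings.append((ftype, old, now))
    return findings


# Constructed sample data.
BEST_PRACTICE = {"rules": [
    {"name": "block-risky", "file_types": ["exe", "dll", "bat", "hta"], "action": "block"},
    {"name": "alert-rest", "file_types": ["pdf", "zip"], "action": "alert"},
]}
CUSTOM = {"rules": [
    {"name": "block-exec", "file_types": ["exe", "dll"], "action": "block"},
    {"name": "alert-scripts", "file_types": ["bat"], "action": "alert"},
    {"name": "alert-docs", "file_types": ["pdf"], "action": "alert"},
]}

if __name__ == "__main__":
    for ftype, old, now in weakened(BEST_PRACTICE, CUSTOM, approved={"bat"}):
        print(f"{ftype}: {old} -> {now}")
```

Changes that were made on purpose go in `approved`; anything still reported is a file type whose protection was dropped or reduced without a recorded decision.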

