Content ID is built on the Single Pass Parallel Processing [SP3] architecture.
Multiple threat prevention features, e.g., Anti-Spyware [Adware, Key Logger, P2P, Spyware etc.], URL Filtering, File Blocking, Anti-Virus etc.
URL Admin Override: Set a password to allow websites which are blocked by the firewall.
It uses a single stream-based engine with a uniform signature format.
Real Time Analysis
It scans traffic in real time, reassembling packets only as needed and only in very small amounts.
SP3 Architecture
Processing a packet in one go (single pass) reduces the processing overhead, as the processing is done in parallel at the hardware level.
Ingress Interface --> L2/L3 Networking --> USER ID (optional) --> APP-ID [Application Protocol Decoder, App Signature, Heuristic] --> Content ID [Data Filtering, Real Time Threat Prevention] --> Policy Engine
Here Content ID refers to the different profiles which can be used to check the data associated with a packet.
To configure these profiles: Objects --> Security Profile
Objects --> Application --> Facebook-chat
Name: Facebook-chat
Standard Ports: tcp/80,443
Depends on: Facebook-base, mqtt <--- These applications also need to be allowed.
Implicitly Uses: jabber, web-browsing <--- These applications will be used but do not need to be added.
Anti-Virus: Requires License
A default Read Only profile is available for all security profiles.
URL FILTERING
To create a profile, clone an existing one and modify it accordingly.
You may choose any category and choose what action to take.
e.g., Let's block news websites.
Actions:
Allow: URL is allowed without Logging
Alert: URL access will be allowed with Logging [Log is generated]
Block: Blocked with Logging and Response Page
Continue: Allowed after clicking the CONTINUE button on the response page, with Logging
Override: Password is required to access the URL, with Logging
At the bottom there is a hyperlink to check any site's category.
We can even create our own custom category.
Question: Do we need an SSL Decryption Policy [HTTPS inspection] to control secure websites such as Facebook or HDFCbank.com etc.?
Answer: NO
Client Request: [Client SSL Hello Message]
SSL / TLS Version
Cipher Settings
Session Specific Data
SNI [Server Name Indication - Extension]: facebook.com etc.
So, from the SNI the firewall understands whether it needs to block the traffic or not.
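As an added example (not from the notes above), the following Python code builds a constructed TLS ClientHello, pulls the SNI hostname out of it without touching any encrypted data, and applies a URL-category decision to it. URL_CATEGORIES and BLOCKED_CATEGORIES are constructed stand-ins for the firewall's URL database and URL Filtering profile.

```python
import struct

# Constructed stand-ins for the firewall's URL category database and the profile's block list.
URL_CATEGORIES = {"facebook.com": "social-networking",
                  "hdfcbank.com": "financial-services",
                  "bbc.co.uk": "news"}
BLOCKED_CATEGORIES = {"news"}

def build_client_hello(hostname: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record carrying an SNI extension (constructed input)."""
    name = hostname.encode()
    server_name_list = b"\x00" + struct.pack("!H", len(name)) + name      # name_type=host_name
    sni_ext = (struct.pack("!HH", 0x0000, len(server_name_list) + 2)
               + struct.pack("!H", len(server_name_list)) + server_name_list)
    body = (b"\x03\x03" + b"\x00" * 32          # client_version, random (zeroed for the example)
            + b"\x00"                            # empty session_id
            + b"\x00\x02\xc0\x2f"                # one cipher suite
            + b"\x01\x00"                        # compression methods: null
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes):
    """Return the SNI hostname from a ClientHello record, or None if absent or malformed."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            return None
        pos = 5 + 4 + 2 + 32                      # record hdr, handshake hdr, version, random
        pos += 1 + record[pos]                    # session_id
        pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + record[pos]                    # compression_methods
        ext_end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= min(ext_end, len(record)):
            ext_type, ext_len = struct.unpack("!HH", record[pos:pos + 4])
            pos += 4
            if ext_type == 0x0000:                # server_name extension
                data = record[pos:pos + ext_len]
                if len(data) >= 5 and data[2] == 0:
                    name_len = struct.unpack("!H", data[3:5])[0]
                    return data[5:5 + name_len].decode("ascii")
                return None
            pos += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None

def url_filter_action(record: bytes) -> str:
    """Decide block/allow from the SNI alone; returns 'no-sni' when no hostname is visible."""
    host = extract_sni(record)
    if host is None:
        return "no-sni"
    for domain, category in URL_CATEGORIES.items():
        if host == domain or host.endswith("." + domain):
            return "block" if category in BLOCKED_CATEGORIES else "allow"
    return "allow"
```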
Anti Vulnerability Profile
All software & OS vendors release updated versions from time to time to remove vulnerabilities.
They also release patches to protect existing versions from known vulnerabilities.
PA with its Vulnerability Protection profile can provide protection against these vulnerabilities, but best practice is still to upgrade the version or apply patches from time to time.
File Blocking
Blocks high-risk files, both upload and download, on the basis of file extension.
WildFire
Public cloud/Private Cloud [in house analysis - M100/M500 Appliances].
Data Filtering
Data Loss Prevention / data leakage detection on the basis of patterns [e.g., credit card number]
Anti-Spyware Profile
Key Logger
Adware
P2P
Spyware
DNS [Domain Name System]
It is a name resolution service which resolves names to IPs and vice versa.
DNS uses port 53 and uses both TCP & UDP.
Most of the time UDP is used, but TCP is used in the following exceptions.
1) When there is zone transfer between primary and secondary DNS.
Explanation: Usually the company will expose only its Secondary DNS server, which is read only.
Modifications are done on the Primary server and it syncs to the Secondary. Hence even if the Secondary is compromised, the attacker won't be able to modify DNS entries.
2) In the rare scenario where the response sent by the server exceeds the size limit, the server responds with the Truncated flag, which indicates that this isn't the complete response.
On receiving the Truncated flag, the client re-initiates the request to the server, this time over TCP.
DNS Sinkholing
DNS Sinkholing is a mechanism to protect users by intercepting DNS requests attempting to connect to known malicious or unwanted domains and returning a false IP address (127.x.x.x, 169.254.x.x or 10.x.x.x).
How does the firewall know the client wants to connect to a malicious server?
We can point the firewall to the database of an external server which provides info on malicious servers. This list is continuously updated.
Configuration Steps
Step 1: Create an Anti-Spyware Profile [DNS Sinkhole - External Domain List (optional)]
Step 2: Associate the profile with a security policy.