6.7 Ensure a secure Vulnerability Protection Profile is applied to all security rules allowing traffic


For any security rule allowing traffic, apply a securely configured Vulnerability Protection Profile. Careful analysis of the target environment should be performed before implementing this configuration, as outlined by PAN's 'Threat Prevention Deployment Tech Note' in the references section.


A Vulnerability Protection Profile helps to protect assets by alerting on, or blocking network attacks. By applying a secure Vulnerability Protection Profile to all security rules permitting traffic, all network traffic traversing the firewall will be inspected for attacks. This protects both organizational assets from attack and organizational reputation from damage.

Note that encrypted sessions do not allow for complete inspection.


Not configuring a Vulnerability Protection Profile means that network attacks will not be logged, alerted on or blocked.


Navigate to Policies > Security.
For each Policy, under the Actions tab, select Vulnerability Protection.
Set it to use either the 'Strict' or the 'Default' profile, or a custom profile that complies with the organization's policies, legal and regulatory requirements.

Default Value:

Not Configured

See Also


Item Details


References: 800-53|RA-5, CSCv7|8, CSCv7|12.6

Plugin: Palo_Alto

Control ID: 9ccb9ab5e9cb607e5e5ea69eba8b28731ec905d374ba7dcd67c870b91e3bc9e5