This blog provides best practice recommendations, with actions that Palo Alto Networks firewall administrators can take to protect against the Meltdown and Spectre vulnerabilities.
What is Meltdown & Spectre?
They are two security vulnerabilities that could allow attackers to abuse ‘speculative memory’ to access privileged memory and steal your passwords, encryption keys and additional private information. The vulnerabilities are found in processors from Intel, Arm and AMD.
Palo Alto official response to the Meltdown and Spectre findings
Recommended Palo Alto Firewall Best Practice Configuration
Follow these steps to apply the Palo Alto Networks firewall best practice configuration, which provides as much protection as possible to your endpoint infrastructure against Meltdown and Spectre.
1. Application and Threats Update Schedule
Confirm that the Device > Dynamic Updates > Applications & threats schedule is configured to update Daily, before the office opens in each geographic location. This ensures the latest updates are installed before the endpoints come online for the business day. If you are running PAN-OS 8.x.x you can use a 30 or 60 minute schedule.
2. Vulnerability Protection Configuration
Check the configuration of each Vulnerability Protection object and confirm that simple-client-critical has Severity = critical and Action = reset-both. If you are not sure of the config, start with a fresh object: clone the strict object, rename the clone and use it.
a. Objects > Security Profiles > Vulnerability Protection > <object name> > simple-client-critical > Severity > critical
b. Objects > Security Profiles > Vulnerability Protection > <object name> > simple-client-critical > Action > reset-both
3. Security Policy Configuration Review
Review each Security Policy and confirm or assign the correct Vulnerability Protection object. Use either Profiles or a Security profile group. To meet the best practice recommendations, a Vulnerability Protection object should be assigned to every Security Policy.
Policies > Security Policies > <Rule number> > Actions > Profile Setting > Vulnerability Protection > <apply object>
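Steps 2 and 3 can also be checked offline against an exported configuration. The script below is an added example, not Palo Alto Networks tooling or code from this blog. The XML element layout, the profile, group and rule names, and the `audit` function are assumptions built around a constructed sample, so compare the paths with your own export first.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real export. The element layout is an assumption:
# compare it with your own exported configuration before relying on the paths.
SAMPLE = """<config><vsys><entry name="vsys1">
<profiles><vulnerability>
 <entry name="strict-clone"><rules><entry name="simple-client-critical">
  <severity><member>critical</member></severity><action><reset-both/></action>
 </entry></rules></entry>
 <entry name="weak"><rules><entry name="simple-client-critical">
  <severity><member>critical</member></severity><action><alert/></action>
 </entry></rules></entry>
</vulnerability></profiles>
<profile-group><entry name="bp-group"><vulnerability><member>strict-clone</member></vulnerability></entry></profile-group>
<rulebase><security><rules>
 <entry name="users-out"><profile-setting><profiles>
  <vulnerability><member>weak</member></vulnerability></profiles></profile-setting></entry>
 <entry name="dmz-in"><profile-setting><group><member>bp-group</member></group></profile-setting></entry>
 <entry name="legacy"/>
</rules></security></rulebase></entry></vsys></config>"""

def audit(xml_text):
    """Return sorted (security rule, finding) pairs for steps 2 and 3."""
    root = ET.fromstring(xml_text)
    # Step 2: profiles whose simple-client-critical is critical + reset-both.
    good = set()
    for prof in root.findall(".//profiles/vulnerability/entry"):
        for rule in prof.findall("rules/entry[@name='simple-client-critical']"):
            sev = {m.text for m in rule.findall("severity/member")}
            acts = [child.tag for child in rule.findall("action/*")]
            if sev == {"critical"} and acts == ["reset-both"]:
                good.add(prof.get("name"))
    # Security profile groups: group name -> Vulnerability Protection object.
    groups = {g.get("name"): g.findtext("vulnerability/member")
              for g in root.findall(".//profile-group/entry")}
    # Step 3: every rule needs a compliant object, set directly or via a group.
    findings = []
    for rule in root.findall(".//rulebase/security/rules/entry"):
        prof = (rule.findtext("profile-setting/profiles/vulnerability/member")
                or groups.get(rule.findtext("profile-setting/group/member")))
        if not prof:
            findings.append((rule.get("name"), "no Vulnerability Protection object"))
        elif prof not in good:
            findings.append((rule.get("name"), f"profile '{prof}' fails step 2"))
    return sorted(findings)

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```

An empty result means every security rule in the file references a Vulnerability Protection object that matches step 2, either directly or through its profile group.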
Please contact us at firstname.lastname@example.org if you need any help to implement these steps.