How to customize a security profile

A knowledge base article about How to customize a security profile provided by the UC Berkeley IT Service Hub - Knowledge Portal

For many campus firewall administrators, the Panorama “Security Profiles” created by the Information Security Office (ISO) should represent an acceptable balance between security and functionality and work in most cases. These shared profiles can be identified by their names starting with “ucbsec-” and by their location in the “Global” Device group. However, there may be cases where a profile needs to be customized to meet a specific use case.

Below is an example of how to customize a File Blocking profile to allow the downloading of 7zip files.

Note: Without SSL/TLS decryption, File Blocking profiles apply only to files downloaded over unencrypted connections. Many legitimate sites use SSL/TLS, so the current File Blocking profile will not interfere with downloads from those sites.


  1. Log into https://panorama.net.berkeley.edu using single sign-on
  2. From the tabs at the top of the window choose “Objects”
  3. Under “Security Profiles” in the left pane choose “File Blocking”
    Screenshot showing Security Profiles list with "File Blocking" selected
  4. From the List of File Blocking profiles select the one that most closely matches the desired profile (in this example it is the ucbsec-user profile)
    Screenshot of File Blocking profiles with ucbsec-user selected
  5. Click the “Clone” button
  6. When the “Clone” dialog box appears, click “OK.” The Destination for the clone is where it will be placed. Make sure that the destination is the vsys being managed; in the example below the vsys is named ISP_Test1.
    Screenshot showing "okay" selected
  7. This clones the profile to the departmental vsys and names it “ucbsec-user-1”
  8. Find the ucbsec-user-1 profile and click on it to bring up the “File Blocking Profile” window.
  9. Rename the profile to something that makes sense and will not be confused with any of the shared profiles. An example of this would be calling the profile “ISP_Test1 File Block”
  10. Once renamed, it is time to customize the profile. To remove 7Zip from the list of files being blocked, click the box next to 7z (the 7Zip file extension) and select “Delete”
    Screenshot showing 7z selected for unblocking
  11. Click “OK”
  12. From the “Commit” menu near the top of the screen choose “Commit to Panorama” and then, when the commit is finished, from the same menu select “Push to Device”
    Screenshot showing commit menu
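
Steps 4 through 10 clone a shared profile and then delete one file type from it by hand, so it is worth verifying afterwards that the clone still blocks everything the “ucbsec-” baseline blocks except the type you meant to allow. The Python below is an added example written for this article; it is not part of the KB article and not a Palo Alto Networks tool. It reads a PAN-OS configuration export, extracts the blocked file types for two named File Blocking profiles, and reports any types the clone unblocks beyond what was intended. The XML embedded in it is constructed sample data whose layout is assumed to follow a PAN-OS export; the rule name and the departmental profile name are made up.

```python
"""Check that a cloned PAN-OS File Blocking profile only unblocks what was intended.

Added illustration, not part of the KB article and not Palo Alto Networks
tooling. SAMPLE_CONFIG is constructed sample data whose layout is assumed to
follow the shape of a PAN-OS configuration export; the rule name and the
departmental profile name are made up for this example.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the shared baseline and a departmental clone that, besides
# the intended "7z", also lost "exe" from its blocking rule.
SAMPLE_CONFIG = """\
<config>
  <file-blocking>
    <entry name="ucbsec-user">
      <rules>
        <entry name="block-risky-types">
          <application><member>any</member></application>
          <file-type>
            <member>7z</member><member>exe</member><member>msi</member>
          </file-type>
          <direction>both</direction>
          <action>block</action>
        </entry>
      </rules>
    </entry>
    <entry name="ISP_Test1 File Block">
      <rules>
        <entry name="block-risky-types">
          <application><member>any</member></application>
          <file-type>
            <member>msi</member>
          </file-type>
          <direction>both</direction>
          <action>block</action>
        </entry>
      </rules>
    </entry>
  </file-blocking>
</config>
"""


def blocked_types(config_xml, profile_name):
    """Return the set of file types that the named profile blocks.

    Only rules whose action is "block" count; a rule set to alert or continue
    lets the file through, so its file types are deliberately ignored.
    """
    root = ET.fromstring(config_xml)
    blocked = set()
    for section in root.iter("file-blocking"):
        for profile in section.findall("entry"):
            if profile.get("name") != profile_name:
                continue
            for rule in profile.findall("./rules/entry"):
                if rule.findtext("action") != "block":
                    continue
                for member in rule.findall("./file-type/member"):
                    if member.text:
                        blocked.add(member.text.strip())
    return blocked


def check_clone(config_xml, baseline, clone, intended_unblock):
    """Compare a clone against its shared baseline.

    Returns {"unblocked": [...], "unexpected": [...], "ok": bool}, where
    "unblocked" lists every file type the clone no longer blocks and
    "unexpected" lists those that were not in intended_unblock.
    """
    base = blocked_types(config_xml, baseline)
    custom = blocked_types(config_xml, clone)
    unblocked = base - custom
    unexpected = unblocked - set(intended_unblock)
    return {
        "unblocked": sorted(unblocked),
        "unexpected": sorted(unexpected),
        "ok": not unexpected,
    }


if __name__ == "__main__":
    # The sample clone dropped "exe" as well as the intended "7z".
    report = check_clone(SAMPLE_CONFIG, "ucbsec-user", "ISP_Test1 File Block", {"7z"})
    print(report)
```

To run it against a real configuration, replace SAMPLE_CONFIG with the contents of the exported XML and pass the shared profile name, the clone's name and the set of file types step 10 was meant to remove; a non-empty "unexpected" list means the clone has drifted further from the baseline than intended.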


At this point the new profile is available to add to any firewall rule. If the custom profile is only to be used for an individual host, it is fine to add it and any other profiles to the rule from the rule's “Actions” tab, using the Profile Type “Profiles” to set each of the individual profiles (Antivirus, Vulnerability Protection, etc.). However, if this selection of profiles is to be used across multiple devices, it is recommended to create a Profile Group that can be applied to any rule, so that all of the individual profiles are set consistently with a single Profile Group selection.