Vulnerability Protection Profile Configuration Object

Overview

The vulnerability_protection_profile Ansible module provides functionality to manage Vulnerability Protection Profile objects in Palo Alto Networks' Strata Cloud Manager (SCM). These profiles enable security teams to detect and respond to known vulnerabilities based on severity, category, and specific CVEs.

Core Methods

| Method | Description | Parameters | Return Type |
|---|---|---|---|
| create() | Creates a new vulnerability protection profile | data: Dict[str, Any] | VulnerabilityProtectionProfileResponseModel |
| update() | Updates an existing profile | profile: VulnProtectionProfileUpdateModel | VulnerabilityProtectionProfileResponseModel |
| delete() | Removes a profile | object_id: str | None |
| fetch() | Gets a profile by name | name: str, container: str | VulnerabilityProtectionProfileResponseModel |
| list() | Lists profiles with filtering | folder: str, **filters | List[VulnerabilityProtectionProfileResponseModel] |

Vulnerability Protection Profile Model Attributes

| Attribute | Type | Required | Description |
|---|---|---|---|
| name | str | Yes | Name of the vulnerability protection profile (max 63 chars) |
| description | str | No | Description of the profile (max 1023 chars) |
| rules | list | Yes | List of rule configurations to protect against vulnerabilities |
| threat_exception | list | No | List of exceptions to the vulnerability rules |
| folder | str | One container | The folder in which the profile is defined (max 64 chars) |
| snippet | str | One container | The snippet in which the profile is defined (max 64 chars) |
| device | str | One container | The device in which the profile is defined (max 64 chars) |

Rule Attributes

| Attribute | Type | Required | Description |
|---|---|---|---|
| name | str | Yes | Name of the rule |
| severity | list | Yes | List of severity levels this rule applies to |
| category | str | Yes | Category of vulnerability that this rule applies to |
| host | str | Yes | Type of host (client or server) that this rule applies to |
| cve | list | No | List of CVE IDs that this rule applies to |
| vendor | list | No | List of vendor names to match in this rule |
| packet_capture | str | No | Type of packet capture to perform when the rule matches |
| action | str/dict | Yes | Action to take when the rule matches (a string such as "reset-both" or a dictionary such as {"reset_both": {}}) |
| block_ip_track_by | str | No | Tracking method for the block-ip action |
| block_ip_duration | int | No | Duration in seconds for the block-ip action |

Threat Exception Attributes

| Attribute | Type | Required | Description |
|---|---|---|---|
| name | str | Yes | Name of the threat exception |
| packet_capture | str | Yes | Type of packet capture to perform for this exception |
| exempt_ip | list | No | List of IP addresses to exempt from this rule |
| notes | str | No | Additional notes for the threat exception |
| action | str/dict | Yes | Action to take for excepted traffic (a string such as "alert" or a dictionary such as {"alert": {}}) |
| block_ip_track_by | str | No | Tracking method for the block-ip action in the exception |
| block_ip_duration | int | No | Duration in seconds for the block-ip action in the exception |

Exceptions

| Exception | Description |
|---|---|
| InvalidObjectError | Invalid profile data or format |
| NameNotUniqueError | Profile name already exists |
| ObjectNotPresentError | Profile not found |
| MissingQueryParameterError | Missing required parameters |
| AuthenticationError | Authentication failed |
| ServerError | Internal server error |
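Most InvalidObjectError and MissingQueryParameterError responses come from parameters that violate the limits in the tables above (name length, exactly one container, required rule fields, the two action forms, block-ip fields used with a non-block-ip action). The following pre-flight check is an added example, not code from the cdot65.scm collection; the function names and the treatment of block_ip_track_by/block_ip_duration as block-ip-only are assumptions drawn from the table descriptions.

```python
# Added example (not cdot65.scm code): validate a task's parameters locally before they reach SCM.
from typing import Any, Dict, List

CONTAINERS = ("folder", "snippet", "device")          # exactly one must be set
RULE_REQUIRED = ("name", "severity", "category", "host", "action")
EXCEPTION_REQUIRED = ("name", "packet_capture", "action")
BLOCK_IP_FIELDS = ("block_ip_track_by", "block_ip_duration")


def normalize_action(action: Any) -> Dict[str, Dict]:
    """Return the dict form the model uses: "reset-both" -> {"reset_both": {}}."""
    if isinstance(action, str):
        return {action.replace("-", "_"): {}}
    if isinstance(action, dict) and len(action) == 1:
        return action
    raise ValueError(f"action must be a string or a single-key dict, got {action!r}")


def _check_entry(entry: Dict[str, Any], required: tuple, where: str, errors: List[str]) -> None:
    """Validate one rule or threat exception; problems are appended to errors."""
    missing = [k for k in required if k not in entry]
    if missing:
        errors.append(f"{where}: missing {missing}")
        return
    if "severity" in entry and not (isinstance(entry["severity"], list) and entry["severity"]):
        errors.append(f"{where}: severity must be a non-empty list")
    try:
        key = next(iter(normalize_action(entry["action"])))
    except ValueError as exc:
        errors.append(f"{where}: {exc}")
        return
    # Assumption from the tables: block_ip_track_by / block_ip_duration belong to block-ip only.
    present = [f for f in BLOCK_IP_FIELDS if f in entry]
    if (key == "block_ip" and len(present) != 2) or (key != "block_ip" and present):
        errors.append(f"{where}: {BLOCK_IP_FIELDS} are required for block-ip and invalid otherwise")


def validate_profile(spec: Dict[str, Any]) -> List[str]:
    """Return the problems found; an empty list means the spec passes the documented limits."""
    errors: List[str] = []
    if not 1 <= len(spec.get("name", "")) <= 63:
        errors.append("name is required and limited to 63 characters")
    if sum(1 for c in CONTAINERS if spec.get(c)) != 1:
        errors.append(f"exactly one of {CONTAINERS} must be set")
    if not spec.get("rules"):
        errors.append("rules is required and must not be empty")
    for i, rule in enumerate(spec.get("rules") or []):
        _check_entry(rule, RULE_REQUIRED, f"rules[{i}]", errors)
    for i, exc in enumerate(spec.get("threat_exception") or []):
        _check_entry(exc, EXCEPTION_REQUIRED, f"threat_exception[{i}]", errors)
    return errors
```

Run it over the task parameters (for example from a pre_tasks step or a unit test of your playbook data) and fail the play on a non-empty list rather than waiting for the API to reject the object.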

Basic Configuration

The Vulnerability Protection Profile module requires proper authentication credentials to access the Strata Cloud Manager API.

- name: Basic Vulnerability Protection Profile Configuration
  hosts: localhost
  gather_facts: false
  vars:
    provider:
      client_id: "your_client_id"
      client_secret: "your_client_secret"
      tsg_id: "your_tsg_id"
      log_level: "INFO"
  tasks:
    - name: Ensure a vulnerability protection profile exists
      cdot65.scm.vulnerability_protection_profile:
        provider: "{{ provider }}"
        name: "Critical-Vulnerabilities"
        description: "Profile to protect against critical vulnerabilities"
        folder: "Shared"
        rules:
          - name: "Block-Critical-Vulnerabilities"
            severity: [ "critical" ]
            category: "any"
            host: "any"
            action: "reset-both"
            packet_capture: "single-packet"
        state: "present"

Usage Examples

Creating Vulnerability Protection Profiles

Vulnerability protection profiles can contain multiple rules to detect and respond to different types of vulnerabilities.

Basic Vulnerability Protection Profile

This example creates a simple vulnerability protection profile with a basic rule.

- name: Create a basic vulnerability protection profile
  cdot65.scm.vulnerability_protection_profile:
    provider: "{{ provider }}"
    name: "Basic-Vuln-Protection"
    description: "Basic vulnerability protection profile"
    folder: "Texas"
    rules:
      - name: "Block-Critical-Vulnerabilities"
        severity: [ "critical" ]
        category: "any"
        host: "any"
        action: { "reset_both": { } }
        packet_capture: "single-packet"
        cve: [ "any" ]
        vendor: [ "any" ]
    state: "present"

Comprehensive Vulnerability Protection Profile

This example creates a more comprehensive profile with multiple rules and exceptions.

- name: Create a comprehensive vulnerability protection profile
  cdot65.scm.vulnerability_protection_profile:
    provider: "{{ provider }}"
    name: "Advanced-Vuln-Protection"
    description: "Advanced vulnerability protection with specific CVEs and exceptions"
    folder: "Texas"
    rules:
      - name: "Block-Critical-RCE"
        severity: [ "critical" ]
        category: "code-execution"
        host: "server"
        action: { "reset_both": { } }
        packet_capture: "extended-capture"
        cve: [ "CVE-2021-44228" ]
        vendor: [ "any" ]
      - name: "Block-SQL-Injection"
        severity: [ "critical", "high" ]
        category: "sql-injection"
        host: "server"
        action: { "reset_client": { } }
        packet_capture: "disable"
        cve: [ "any" ]
        vendor: [ "any" ]
      - name: "Alert-XSS"
        severity: [ "high", "medium" ]
        category: "code-execution"
        host: "client"
        action: { "alert": { } }
        packet_capture: "disable"
        cve: [ "any" ]
        vendor: [ "any" ]
    threat_exception:
      - name: "DevEx"
        packet_capture: "single-packet"
        action: { "alert": { } }
        exempt_ip:
          - name: "10.0.2.0/24"
        notes: "Exception for dev environment testing"
    state: "present"

Updating Vulnerability Protection Profiles

This example updates an existing vulnerability protection profile with additional rules.

- name: Update a vulnerability protection profile
  cdot65.scm.vulnerability_protection_profile:
    provider: "{{ provider }}"
    name: "Basic-Vuln-Protection"
    description: "Updated vulnerability protection profile"
    folder: "Texas"
    rules:
      - name: "Block-Critical-Vulnerabilities"
        severity: [ "critical" ]
        category: "any"
        host: "any"
        action: { "reset_both": { } }
        packet_capture: "single-packet"
        cve: [ "any" ]
        vendor: [ "any" ]
      - name: "Alert-High-Vulnerabilities"
        severity: [ "high" ]
        category: "any"
        host: "any"
        action: { "alert": { } }
        packet_capture: "disable"
        cve: [ "any" ]
        vendor: [ "any" ]
      - name: "Monitor-Medium-Vulnerabilities"
        severity: [ "medium" ]
        category: "any"
        host: "any"
        action: { "alert": { } }
        packet_capture: "disable"
        cve: [ "any" ]
        vendor: [ "any" ]
    state: "present"

Deleting Vulnerability Protection Profiles

This example removes a vulnerability protection profile.

- name: Delete a vulnerability protection profile
  cdot65.scm.vulnerability_protection_profile:
    provider: "{{ provider }}"
    name: "Basic-Vuln-Protection"
    folder: "Texas"
    state: "absent"

Error Handling

Errors such as authentication failures, a duplicate profile name, or a rejected profile definition should be handled explicitly so that a failed task does not abort the rest of the play without context.

- name: Create or update vulnerability protection profile with error handling
  block:
    - name: Ensure vulnerability protection profile exists
      cdot65.scm.vulnerability_protection_profile:
        provider: "{{ provider }}"
        name: "Basic-Vuln-Protection"
        description: "Basic vulnerability protection profile"
        folder: "Texas"
        rules:
          - name: "Block-Critical-Vulnerabilities"
            severity: [ "critical" ]
            category: "any"
            host: "any"
            action: "reset-both"
        state: "present"
      register: profile_result

  rescue:
    - name: Handle errors
      debug:
        msg: "An error occurred: {{ ansible_failed_result.msg }}"

Best Practices

Rule Design

  • Create specific, well-defined rules for precise vulnerability detection
  • Use descriptive rule names that indicate their purpose
  • Organize rules by severity and category for better management
  • Consider the impact of the action (alert vs. block) based on the environment
  • Align rule design with your organization's security policies

CVE Management

  • Use CVE references for critical vulnerabilities that need specific protection
  • Update CVE lists regularly to address new vulnerabilities
  • Balance specificity with maintenance overhead
  • Implement a process for adding new CVEs as they are published
  • Prioritize CVEs based on relevance to your environment

Exception Handling

  • Use exceptions judiciously, only for necessary cases
  • Document the reason for each exception thoroughly
  • Review exceptions regularly to ensure they're still required
  • Use IP-based exceptions only when necessary
  • Implement a robust change management process for exceptions

Performance Considerations

  • Avoid overly broad rules that might impact performance
  • Consider the impact of packet capture on network and storage resources
  • Prioritize critical rules to ensure efficient processing
  • Monitor the performance impact of vulnerability protection profiles
  • Test rules in a lab environment before deploying to production

Security Best Practices

  • Start with alert actions before moving to blocking actions
  • Test profiles in a non-production environment first
  • Document the rationale for each rule and action
  • Regularly review profiles to ensure continued relevance
  • Align profiles with your organization's vulnerability management program

Change Management

  • Document all vulnerability protection profiles and changes
  • Implement change control procedures for profile modifications
  • Consider the impact of changes on other security controls
  • Maintain a history of profile changes for audit purposes