Includes:
- template releases
- tools updates
- documentation revisions
Template content updates are high level. Details can be found in the template guides.
Released December 27th, 2022
- Update Vulnerability Protection Profiles to include Inline Cloud Analysis for Advanced Threat Prevention
- Added and configured "SQL Injection" and "Command Injection" to Vulnerability Protection Profiles
- Added new Advanced URL categories "ransomware" and "encrypted-dns"
- Fixed Panorama duplicate template stack "sample_stack" entry error
Template content updates are high level. Details can be found in the template guides.
Released February 15th, 2023
- Updated AS profiles to enable cloud inline analysis
- Set all cloud inline analysis engine models with the respective best-practice actions for each AS profile
Released March 30th, 2022
- Update AV profiles to include inline ML MsOffice and Shell analysis support settings
- Enabled cloud-delivered Advanced Threat Protection for URL Filtering profiles
- Added Tor Exit and Bulletproof IP addresses External Dynamic Lists
- Disabled Wildfire reporting of benign files
- Added an Alert Only Zone Protection profile
- Removed all Exception Profiles
Template content updates are high level. Details can be found in the template guides.
Released June 30th, 2021
- Update Alert-Only-AV profile to have ELF file detection and prevention set to Alert-Only
- Update all other AV profiles to have ELF file detection and prevention set to Enable
Released June 10th, 2021
- URL filtering profiles: Updating the real-time-detection category in the following URL Filtering profiles: Outbound-URL, Alert-Only-URL and Exception-URL
- URL filtering profiles: set real-time-detection to alert
- Anti-Spyware profiles: Updating the following DNS policies (Phishing Domains, Grayware Domains, and Proxy Avoidance and Anonymizers) within the following anti-spyware profiles: Outbound-AS, Inbound-AS and Internal-AS
- Anti-Spyware profiles: set DNS policies to sinkhole/single-packet
- Anti-Spyware profiles: Updating all DNS policies within Alert-Only-AS anti-spyware profile to allow/single-packet except for Parked Domains
- Anti-Spyware profiles: set DNS policies to allow/single-packet
- Allow packet buffer protection
- Allow forwarding of decrypted content
Template content updates are high level. Details can be found in the template guides.
Released June 30th, 2021
- Update Alert-Only-AV profile to have ELF file detection and prevention set to Alert-Only
- Update all other AV profiles to have ELF file detection and prevention set to Enable
Released June 17th, 2021
- URL filtering profiles: Updating the real-time-detection category in the following URL Filtering profiles: Outbound-URL, Alert-Only-URL and Exception-URL
- Added playlists directory and IronSkillet Components Submodules
- Update IronSkillet Submodules repo with real-time-detection category
Released July 21, 2020
- set Wildfire dynamic updates to realtime
- Antivirus profile: reset-both for dynamic classification, all file types enabled
- Anti-spyware profile: set DNS malicious categories to sinkhole
- set max version of TLSv1.3 in the decryption profile
- URL filtering profile: use ML analysis and set to dynamic classification to block
- URL filtering profile: move 'hacking' category to alert since not malicious
- remove sinkhole address block policy and associated address object
- remove http partial response so now allowed
- remove XFF global configuration; now profile or policy specific
- remove 'no decrypt' decryption policy that checks for expired/invalid certs; too strict
- update WF malicious reports using 'neq benign' instead of equal to malicious categories
- remove telemetry configuration; new opt-in cert-based model in 10.0
- add email profile protocol 'SMTP' required in configuration; TLS config is optional
- add GlobalProtect log forwarding in log settings
- update validation skillets based on above modifications
- update metadata file for XML snippet skillets w/ option to skip IP address/admin user/DNS configuration elements
- add helper commands for scripting-mode on for CLI copy-paste model
- converted customer URL-filtering profile lingo from White-List/Black-List to Allow/Block
- fixed Panorama set commands: include type "URL-List"
- fix internal spyware XML snippets with medium severity as default
Template content updates are high level. Details can be found in the template guides.
Released September 16, 2020
- URL filtering profile: move 'hacking' category to alert since not malicious
- remove sinkhole address block policy and associated address object
- remove http partial response so now allowed
- remove 'no decrypt' decryption policy that checks for expired/invalid certs; too strict
- update WF malicious reports using 'neq benign' instead of equal to malicious categories
- update validation skillets based on above modifications
- update metadata file for XML snippet skillets w/ option to skip IP address/admin user/DNS configuration elements
- converted customer URL-filtering profile lingo from White-List/Black-List to Allow/Block
Released April 28, 2020
- Update WF file size limits to match the BPA
- validation updates including grayware check and WF file size limits
- metadata file updates: variable clean up with toggle_hint and help_text
- Panorama not shared skillet file reference error
Released January 22, 2020
- first release based on v9.0
- no release specific additions
Template content updates are high level. Details can be found in the template guides.
Released September 16, 2020
- URL filtering profile: move 'hacking' category to alert since not malicious
- remove sinkhole address block policy and associated address object
- remove http partial response so now allowed
- remove 'no decrypt' decryption policy that checks for expired/invalid certs; too strict
- update WF malicious reports using 'neq benign' instead of equal to malicious categories
- update validation skillets based on above modifications
- update metadata file for XML snippet skillets w/ option to skip IP address/admin user/DNS configuration elements
- converted customer URL-filtering profile lingo from White-List/Black-List to Allow/Block
Released April 28, 2020
- Update WF file size limits to match the BPA
- validation updates including grayware check and WF file size limits
- metadata file updates: variable clean up with toggle_hint and help_text
- Panorama not shared skillet file reference error
Released January 22, 2020
- added grayware and cryptocurrency url categories
- added missing User tag log settings
- inclusion of validation skillets
Released c September, 2019
- minor updates
Released July 30, 2019
- Added password complexity and admin lockout elements
- Dynamic updates for GlobalProtect
- Opt-out default for the Palo Alto Networks EDL associated security rules
- Removed the IPv4 and IPv6 Bogon EDLs and associated security rules
- Updated the IPv4 sinkhole to use FQDN instead of an IP address
- Clean up for the baseline configuration to remove IPSEC, IKE, QoS defaults
- Clean up for URL Block and Allow category usage in profiles
Released March 15, 2019
- migrated initial template from 8.1
- inclusion of new features per the 9.0 new features documentation
Template content updates are high level. Details can be found in the template guides.
Released July 30, 2019
- Added password complexity and admin lockout elements
- Dynamic updates for GlobalProtect
- Opt-out default for the Palo Alto Networks EDL associated security rules
- Removed the IPv4 and IPv6 Bogon EDLs and associated security rules
- Updated the IPv4 sinkhole to use FQDN instead of an IP address
- Clean up for the baseline configuration to remove IPSEC, IKE, QoS defaults
- Clean up for URL Block and Allow category usage in profiles
Released March 18, 2019
Template Content
- added max lines for log csv output
Released January 8, 2019
Template Content
- updated virus profiles from 'default' to 'reset-both' so explicit blocking
- added set commands template as text file and Excel spreadsheet
- loadable default configurations include full xml and set commands
- update to the template stack snippet including <config> tree elements
- removed GTP logging elements since not supported on all hardware platforms
Released Oct 3, 2018
Template Content
- added a default security profile group based on the Outbound group
Documentation
- fixed errors in the tools installation instructions
Released August 30, 2018
Template Content
- modified device_system type=dhcp configuration elements to fix dhcp-client commit error
Released: August 7, 2018
Template Content
- Device settings updates to increase security hardening
  - Prevent TCP and UDP buffer overflow and multi-part HTTP download evasions
  - Enable high DP load logging
  - Prevent App-ID buffer overflow evasion
  - set bypass-exceed-queue to 'no'
  - Prevent TCP and MPTCP evasions
- Include default login banner
- Correct url-filtering Alert-All profile to include command-and-control
- Set default interzone action to a drop instead of deny
- include firewall management interface options for dhcp-client, standard or cloud models
- include Panorama options for standard or cloud deployments
- using a tag attribute for the template version numbering
Documentation
- moved docs to readthedocs.io
- move to release-specific documentation
Template Archive
- moved to release branch per software release in github
Released: May 10, 2018
- first release on github
- xml snippets and full config
- static pdf documentation
- Added a Bash script the user can run that automatically updates the Submodules folder
- Major tooling revamp with all python scripts being obsoleted by the new SLI tool
- Replaced everything in the tooling directory with a README file on using SLI
- SLI has built-in functions that do what the previous python scripts did in a more efficient fashion
- Added a Bash script the user can run that replaces the build_all.py script
- update set command and spreadsheet scripts to only use variables contained in config section
- modify set command expect test script to use start-stop row values
- updated the build_full_config.py with the ability to merge snippets using same xpath
- added build_all.py to create all full configs and spreadsheets
- test_set_commands.py and test_full_config.py to load and test configuration changes
- moved config variables from a python dictionary to a yaml format
- updated existing tools to support the yaml variables file
- added a utility to create the Excel spreadsheet from the set conf file
- removed the creation of default snippets output to loadable configs
- renamed the output from 'my configs' to 'loadable configs' for clarity
- modified variable model to support python 3.5 instead of 3.6 and later
- added the build_full_config utility to create a full template from the config snippets
- added the build_my_config utility
  - provide simple variable substitutions using the my_variable inputs
  - store output into the my_config folder with unique naming
- fixed tools issue so will load the panw edl based security rules
Documentation revisions outside of template-tooling updates. These are documented by date, not version.
- update viz guide with 10.0 mods and UI
- update template text where required based on 10.0 mods
- update WF file size limit image in visual guide
- create sidebar menu sections
- add content for skillet players
- addition of visual guide for panos
- validation skillet section added
- add 9.1 related content links
- Move docs to their own doc branch and merge as a single doc set
- Add in associated template changes and new xml links (mgt user config and password complexity)
- Add a release variance doc to show deltas for new releases
- Addition of requirements and caveats to use IronSkillet
- Pointers to PanHandler and SkilletCLI as new tools to load configurations
- added instructions to remove security profiles for reduced capacity VM-50
- updated with inclusion of max csv lines for log output
- simplified repo main README for non-python users
- added documentation for the SET command spreadsheet
- added next-level directory README files for added context
- general edits for using tools based on tools changes
- added description for Panorama template variations in Panorama template docs
- added instructions for editing the full configuration template variables in the GUI
- added instructions for editing the full configuration template variables using the console
- fixed errors in the tools installation instructions
- moved docs to readthedocs.io
- move to release-specific documentation
- first release on github
- static pdf documentation