Step 4: Create the Zero Trust Policy

Zero Trust security policy focuses on creating allow lists because all breaches occur on allow rules. Focus on allowed traffic and allow only what you need.
Zero Trust policy consists of allow rules—rules that allow only authorized users to access specific resources using the specified applications at the right time in the right places. If traffic doesn’t match a rule, the firewall automatically blocks the traffic. This is important because:
  • It’s much easier to know the applications you want to allow to support your business than to take on the never-ending task of identifying and blocking all the applications you don’t want to allow.
  • All breaches and malicious activity happen on allow rules. Focus security on traffic you allow and allow only the traffic required for business.
Zero Trust policy is based on the Kipling Method. Answering Rudyard Kipling’s 6-tuple of questions, “who, what, when, where, why, and how,” shows you how to decide whether to allow or block traffic and how to create security policy that safeguards each protect surface. Palo Alto Networks provides the capabilities to implement the Kipling Method in security policy:
  • Who should access a resource?
    • User-ID identifies users and enables you to control who accesses a resource in policy. Through a lens of least-privileged access (who needs to know?), allow access only to individuals, groups, and devices that have legitimate business reasons to access a resource.
    • Create Authentication policy to verify the identities of users when they attempt to access resources. Authentication policy also determines whether to require Multi-Factor Authentication (MFA).
    • Use MFA to protect sensitive services and applications by requiring at least one more authentication factor in addition to entering a password in Authentication Portal, such as a one-time-use code delivered to a cell phone or email, before the firewall allows access to sensitive services, applications, and resources. For remote users, configure GlobalProtect to facilitate MFA notifications (you must also configure MFA on the firewall).
    • For devices that use GlobalProtect, configure Host Information Profiles (HIPs) to define access policy for hosts, enforce policy on those hosts, and prevent devices that don’t meet your security and maintenance standards from accessing resources. For example, you can use a HIP to ensure that endpoints have encryption enabled, the host’s antivirus signatures are up-to-date, etc. If a host doesn’t meet the HIP requirements, the security policy blocks access.
  • What application is used to access the resource?
    • Create application-based Layer 7 policy using App-ID, which identifies applications regardless of port, protocol, or evasive tactics so that you allow only the right applications on your network. Policy based on Layer 3 and Layer 4 relies on IP addresses an attacker can spoof and leaves ports open to evasive applications.
    • Set the Service to application-default to safely enable applications on their default ports and prevent evasive applications from accessing your network on non-standard ports.
    • If the firewall runs PAN-OS 9.0 or later, or if a Panorama appliance running PAN-OS 9.0 or later manages firewalls running PAN-OS 8.1 or later, use Policy Optimizer to examine existing policy rules (both application-based rules and legacy port-based rules), identify unused rules, and identify rules with unused applications. For firewalls that run older versions of PAN-OS, use Expedition to examine policy rules. (If you need to migrate a legacy configuration to a PAN-OS device, follow the Best Practices for Migrating to Application-Based Policy.)
  • When do users access the resource?
    For applications users access only during certain hours, apply a schedule (on Panorama appliances and firewalls) to the policy rule to prevent suspicious access during off-hours. Adversaries often attack and attempt to exfiltrate data outside of normal business hours to reduce the chance of discovery.
  • Where is the resource located?
    Add the location of the destination resource to the policy. When appropriate, also restrict the source (zone and IP address) of the traffic.
  • Why is the data accessed—what is the data’s value if lost (toxicity)?
    Classify data to understand its toxicity—why is the data worth protecting? Would you have to disclose the loss if an attacker exfiltrated the data? Set up Data Filtering to prevent sensitive information from leaving your network and use data classification tools to provide metadata about the data. Understanding the toxicity of data helps you determine how to protect data, what to do with data after using it, and how to tag it for use in policy.
  • How should you allow access to the resource?
    Apply Content-ID and best practices to protect against threats in application traffic:
    • Apply the philosophy of least-privileged access to security policy. Allow only users with legitimate business reasons to access only the applications they need to access for business purposes at only the proper times and only in the proper way.
    • Log all internal and external traffic through Layer 7. The firewall policy rules enable logging by default. Forward logs to the Cortex Data Lake (or to Panorama or to Log Collectors) to consolidate logs for easier and more thorough analysis.
    • Apply policy and threat prevention consistently across all locations (network, cloud, endpoints), for all local and remote users so the policy follows the user wherever the user goes, for all applications, and for all resources. Inconsistent policy increases vulnerabilities, is difficult to understand and maintain, and may negatively affect compliance requirements and audits. Use physical next-generation firewalls and virtual VM-Series firewalls as segmentation gateways to apply consistent Zero Trust, Layer 7, Kipling Method policy in the network and the cloud. Use Prisma Access (cloud) and GlobalProtect (on-premise installation and with Prisma Access) to extend consistent Zero Trust policy to endpoints. For unmanaged endpoints (endpoints on which you don’t want to or can’t place an agent), use GlobalProtect Clientless VPN to apply consistent policy. Create and reuse Panorama templates and stacks to apply consistent policy across similar locations, such as your data centers or your perimeters.
    • Configure security profiles (Vulnerability Protection profiles for IPS, Antivirus and WildFire profiles to protect against malware including day-one malware, Anti-Spyware profiles to prevent command-and-control threats, File Blocking profiles to block or alert on risky file types, and URL Filtering to control website access, help prevent phishing attacks, and enforce safe search for search engines) and apply them to all allowed traffic. Follow best practices for data center firewall and perimeter firewall security profiles.
    • Use WildFire best practices to detect and prevent zero-day malware.
    • Use decryption best practices to decrypt as much traffic as regulations and business requirements enable you to decrypt so you can inspect as much traffic as possible. You can’t protect your network against threats you can’t see.
    • Use the DNS Security service to provide infinitely scalable real-time access to DNS signatures, real-time analysis of DNS requests, and advanced DNS signatures generated using machine learning and predictive analysis.
    • How also includes determining what to do with sensitive data after you use it—abstract it using encryption, tokenization, or masking, or dispose of it by archiving or deleting it. Archive stale data (approximately 80% of data on most systems hasn’t been accessed for two or more years).
    • Use Cortex XDR to refine and improve policy.
The Kipling Method enables you to create security policy that defends each protect surface appropriately because it leads you to understand who should have access, how they should access it, when they should access it, and the protections to apply. You develop policy rules by developing business statements based on the Kipling Method. For example:
  • When: Time limits; Where: System object; Why: Toxic (data has high value); How: Decrypt, inspect (security profiles), log traffic.
  • When: Working hours; Why: Toxic (data has high value); How: Decrypt, inspect (security profiles), log traffic.
In both cases, the firewall allows only traffic that satisfies all of the conditions in the Kipling tuple and passes inspection. The firewall automatically denies all traffic that doesn’t match an allow rule.
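The following added example (not from this page or from Palo Alto Networks) models the allow-list evaluation described above in Python: every element of the Kipling tuple (who, what, when, where, how) must match a rule, an application on a non-default port fails the application-default check, and anything that matches no rule falls through to the implicit deny. The application port table, rule, users, zones and timestamps are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed table standing in for App-ID's application-default ports.
APP_DEFAULT_PORTS = {"mysql": {3306}, "ssh": {22}, "web-browsing": {80}, "ssl": {443}}
@dataclass(frozen=True)
class Rule:
    name: str
    users: frozenset         # Who: identities with a business reason to access
    apps: frozenset          # What: App-ID applications, not ports
    hours: range             # When: permitted local hours, e.g. range(8, 18)
    src_zone: str            # Where: source zone
    dst: str                 # Where: destination resource
    days: frozenset = frozenset(range(5))  # When: Mon-Fri by default
    app_default: bool = True   # How: service = application-default
    profiles: str = "strict"   # How: security profile group for allowed traffic

@dataclass(frozen=True)
class Flow:
    user: str
    app: str       # the application App-ID identified, regardless of port
    port: int
    when: str      # ISO 8601 local timestamp, e.g. "2024-03-05T10:00"
    src_zone: str
    dst: str

def matches(rule: Rule, f: Flow) -> bool:
    """Every element of the Kipling tuple must match; one mismatch is a non-match."""
    t = datetime.fromisoformat(f.when)
    if f.user not in rule.users or f.app not in rule.apps:
        return False
    if t.hour not in rule.hours or t.weekday() not in rule.days:
        return False
    if f.src_zone != rule.src_zone or f.dst != rule.dst:
        return False
    # application-default: the identified app must use its standard port
    if rule.app_default and f.port not in APP_DEFAULT_PORTS.get(f.app, set()):
        return False
    return True

def evaluate(rules: list, f: Flow) -> dict:
    """Top-down first-match allow-list rulebase; unmatched traffic is denied and logged."""
    for r in rules:
        if matches(r, f):
            return {"action": "allow", "rule": r.name, "profiles": r.profiles, "log": True}
    return {"action": "deny", "rule": "default-deny", "profiles": None, "log": True}

# Constructed rulebase: two engineers may reach the database during working hours.
RULES = [Rule("eng-to-db", frozenset({"alice", "bob"}), frozenset({"mysql"}),
              range(8, 18), "users", "db-server")]
```

Calling evaluate(RULES, flow) with the same session at 10:00 on a weekday returns an allow, while the same session at 02:00, on a Saturday, on port 8443, or from a user outside the rule returns the default deny.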
In addition to security, authentication, and decryption policy, use DoS and Zone protection best practices to protect vital servers from denial-of-service (DoS) attacks.
For firewalls that you haven’t configured yet, use IronSkillet Day 1 configuration templates to implement a Day 1 best practice policy, then tune the policy to best suit your protect surfaces.