Plan best-practice Security policy in PAN-OS and Prisma Access.
Before you create best practice Security policy
rules, make sure you understand best practices for planning a secure
network, especially Zero Trust Network Access (ZTNA)
principles. Security policy defines the traffic you allow and block.
However, it takes a comprehensive set of tools and services to completely
protect your network, including tools that provide:
Visibility, such as decryption, App-ID, User-ID, and Device-ID.
Advanced Threat Prevention, such as vulnerability protection, antivirus, anti-spyware, file blocking, sandboxing, Data Loss Prevention (DLP), DNS Security, and more.
IoT security to control unmanaged devices and SaaS security to control SaaS applications (next-generation CASB).
that you have the appropriate toolset to safeguard your network
and to use in and with Security policy.
You can’t defend against threats that you can’t see. Decrypt all the traffic you can, in accordance with legal compliance,
local regulations, privacy regulations, and business considerations to gain visibility into
traffic so you can inspect it and prevent threats. For SSL Forward Proxy (outbound) decryption, implement
User-ID and URL Filtering first so you can target decryption effectively. Some traffic can’t be
decrypted due to technical reasons such as pinned certificates, client authentication, and
embedded certificates in IoT devices.
If you don’t decrypt traffic, the firewall can’t granularly identify applications. For
example, the firewall can see that the container application is facebook, but can’t see the
functional application, so you don’t know and can’t control if the user is uploading,
downloading, posting, etc. on Facebook. The firewall also can’t see and inspect the payload,
so you don’t have the visibility to defend against malicious content. To get the most from
your other subscriptions and to achieve the best protection, you must decrypt traffic to gain
visibility into that traffic.
Decryption doesn’t require a license, but for decrypting outbound traffic, add an Advanced
URL Filtering license so that you can take a granular approach to decryption and easily choose
which types of traffic to decrypt and not to decrypt. URL Filtering enables you to exclude
categories that you shouldn’t decrypt for legal, personal information, regulatory, or other
reasons. URL Filtering also enables you to block user access to malicious websites.
In addition, decrypt inbound traffic to protect critical servers and decrypt SSH Proxy
traffic to prevent malicious management traffic.
View the planning and deployment processes through a
lens of least privilege access and Zero Trust Network Access.
Understand who needs to use which applications to access
which data and which infrastructure. This enables you to construct
Security policy rules that allow only the people who need access
for business purposes to reach only the necessary data and infrastructure,
while blocking all other access.
Use the attributes available in Security policy to define least privilege access: users, devices,
applications, source and destination, service, and URL (for outbound traffic, with decryption
enabled so that the firewall has visibility into each functional application, not just the
Get the appropriate subscriptions for your
business to achieve the best threat prevention and security posture.
Advanced URL Filtering—Cloud-delivered
service that enables safe website access, protects users from dangerous
sites, and helps prevent credential phishing attacks.
Advanced Threat Prevention or active legacy threat
protection—Cloud-delivered Advanced Threat Prevention uses inline deep learning and machine
learning models for real-time enforcement of evasive and day-one command-and-control (C2)
threats, and includes all features of standard Threat Prevention. Standard Threat Prevention
protects against C2, malware, and vulnerability exploits.
environments cannot use Advanced Threat Prevention because it’s
a cloud service and requires a cloud connection.
DNS Security—(Must purchase an Advanced Threat
Prevention or have an active legacy Threat Prevention license and a DNS Security license to
activate) Cloud-delivered service that identifies and blocks threats in DNS traffic and
prevents connecting to malicious DNS sites and is constantly updated to prevent new types of
Cortex Data Lake (CDL)—Cloud-based
log storage that scales with your log volume and ingests logs from
next-generation firewalls, Panorama, Prisma Access, and Cortex XDR.
Most Cortex applications use CDL to access, analyze, and report
on your logged network data.
private analysis environment that identifies both known and unknown
(new) malware and generates signatures the firewall uses to identify
and block malicious traffic.
service that secures your sanctioned SaaS applications with licenses
that can be standalone or bundled:
For Panorama Managed Prisma Access, there are effectively only two zones, trust and untrust, and
you map all Panorama zones to the Prisma trust or Prisma
On Panorama and firewalls,
if a zone isn’t granular enough and includes devices, users, and
applications that require different security treatment, consider
rearchitecting your zones to segment the network in a more granular
way. Place users, applications, and devices that require similar
treatment in the same zone. Small zones are easier to defend than
In some cloud environments, the architecture might limit the number of zones you can
Define which applications you need to allow for business
purposes (sanctioned applications) and which applications to allow
for other purposes (tolerated applications).
Use App-ID in Security policy
(no subscription required) to identify both container applications
and their functional applications (e.g., not just “facebook” but
“facebook-post”, “facebook-download”, etc.). If you use SaaS Security,
use the App-ID Cloud Engine (ACE) to
identify cloud applications (requires SaaS Security subscription).
firewall allows applications you specify in Security policy rules
blocks applications specified in rules whose
drops, or resets traffic, based on the rule’s criteria. Traffic
must meet all of a rule’s criteria to match the rule. If an application
matches no rule, the two default rules at the bottom of the Security
policy rulebase control the traffic. Interzonal (source and destination
are in different zones) traffic is denied by default. Intrazonal
(source and destination are in the same zone) traffic is allowed
Communicate access policy so employees understand
why they may not be able to access certain applications.
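As an added illustration (not Palo Alto Networks code), the following Python model of first-match rule evaluation shows the matching logic described above: a session must satisfy every criterion of a rule, rules are checked top to bottom, and unmatched traffic falls through to the built-in intrazone-default (allow) or interzone-default (deny) rule. Zone, user-group and rule names are constructed assumptions; the model omits addresses, services and App-ID dependencies.

```python
from dataclasses import dataclass

ANY = "any"  # the PAN-OS "any" wildcard for a rule criterion


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str = ANY    # source zone
    to_zone: str = ANY      # destination zone
    source_user: str = ANY  # User-ID user or group
    application: str = ANY  # App-ID, e.g. the functional app "facebook-post"
    action: str = "allow"   # "allow" or "deny"

    def matches(self, session: dict) -> bool:
        # A session must satisfy every criterion of the rule to match it.
        checks = (
            (self.from_zone, "from_zone"),
            (self.to_zone, "to_zone"),
            (self.source_user, "user"),
            (self.application, "app"),
        )
        return all(crit in (ANY, session[key]) for crit, key in checks)


def session(from_zone: str, to_zone: str, user: str, app: str) -> dict:
    # Constructed session record: what the firewall would match a rule against.
    return {"from_zone": from_zone, "to_zone": to_zone, "user": user, "app": app}


def evaluate(rulebase: list, session: dict) -> tuple:
    """Return (rule name, action) for the first rule the session matches,
    or the built-in default rule: intrazone-default allows same-zone traffic,
    interzone-default denies traffic between different zones."""
    for rule in rulebase:  # evaluated top to bottom, first match wins
        if rule.matches(session):
            return rule.name, rule.action
    if session["from_zone"] == session["to_zone"]:
        return "intrazone-default", "allow"
    return "interzone-default", "deny"


# Constructed least-privilege rulebase (names are illustrative). The explicit
# deny of the functional app comes first so it still holds if a broader allow
# rule is added further down: with first-match evaluation, order decides.
RULEBASE = [
    Rule("block-facebook-post", "trust", "untrust", ANY, "facebook-post", "deny"),
    Rule("allow-facebook-browse", "trust", "untrust", ANY, "facebook-base"),
    Rule("allow-finance-sap", "trust", "dmz", "corp\\finance", "sap"),
]
```

Running `evaluate(RULEBASE, session("trust", "dmz", "corp\\marketing", "sap"))` returns the interzone-default deny, which is the fall-through a least-privilege rulebase relies on.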
Identify all users. Control who has access to which applications
and devices in Security policy to ensure that consistent policy
follows each user everywhere in the network.
User-ID (no subscription
required) combines user information from multiple sources to identify
all users on your network. To help ensure that user identification
is consistent and scales across your network, use the Cloud Identity Engine (CIE) (no
subscription required) as the single aggregated source for User-ID.
CIE gathers and synchronizes user data from sources across your
network. All firewalls pull exactly the same user information from
CIE, whether they’re on a campus or in the cloud. CIE also provides
authentication in conjunction with most major identity providers
(IdPs) such as Okta, Azure AD, PingID, etc.
10.2 and earlier, CIE provides Directory Synchronization (DSS) and
Cloud Authentication (CAS) services. Starting with PAN-OS 11.0,
you can also use CIE as redistribution points.
Use GlobalProtect VPN in Always
On mode for highest security and reliable user identification if
possible. Use GlobalProtect for remote access and with internal
gateways to gather User-ID information no matter where your users
Security profile groups are groups of profiles tuned for
a particular purpose that you apply to Security policy rules instead
of applying each profile individually. This saves time and helps
prevent accidental misconfiguration.
Plan how to store logs (in CDL, on Log Collectors, etc.)
and which administrators to notify for different types and severities
of log events. Plan for enough log storage capacity to enable investigation
into events after they occur.
) and require support login, are templates that provide a use-case agnostic
configuration model to start your path to least privilege access. Day 1 Configurations help you
implement basic network security best practices right away, including for critical elements
such as Dynamic Updates, Security profiles, logging, and more.