Configure Zone-based Policy Rules

Table of Contents

Configure Zone-based Policy Rules

Reduce the attack surface by using Cloud NGFW to segment the network into functional and organizational zones.

Where Can I Use This?	What Do I Need?
Cloud NGFW for AWS	Cloud NGFW subscription Palo Alto Networks Customer Support Account (CSP) AWS Marketplace account User role (either tenant or administrator)

Segmenting the network into functional and organizational zones reduces its attack surface—the portion exposed to potential attackers. Security zones protect your network by segmenting it into smaller, more easily managed areas and controlling traffic access to them.

In self-managed Palo Alto Networks firewalls (such as VM-Series), a security zone comprises one or more physical or virtual firewall interfaces and the network segments connected to the zone’s interfaces. You first define zones and then associate the physical and virtual interfaces to those zones. Finally, you use these zones in the security policy rules that you author.

However, Cloud NGFW automatically sets up the networking constructs for you. You no longer need to worry about configuring interfaces and associating them with the zones you create. You can author zone-based policy rules in Panorama and enforce them on Cloud NGFW.

Cloud NGFW Zones

Cloud NGFW allows you to classify your VPC traffic using Private and Public zones to simplify policy enforcement.

The Private zone includes your hybrid cloud network defined by private traffic range prefixes. This network encompasses your VPCs on AWS and your on-premises network (connected via Direct Connect or VPN).
The Public zone comprises all prefixes outside your hybrid cloud network (the public internet).

Control this classification by appropriately specifying the private traffic range prefixes for the endpoint on which the traffic enters the Cloud NGFW resource.

Source and Destination Zones

Cloud NGFW automatically assigns the Source Zone as Private if the traffic session has a source IP address within the private traffic range prefixes defined for the endpoint on which the traffic enters the Cloud NGFW resource. Otherwise, Cloud NGFW assigns the source zone as Public.

Similarly, Cloud NGFW automatically assigns the Destination Zone as Private if the traffic session has a destination IP address within the private traffic range prefixes defined for the endpoint on which the traffic enters the Cloud NGFW resource. Otherwise, Cloud NGFW assigns the destination zone as Public.

For example, Cloud NGFW assigns the source(Ingress) zone as Private and the destination zone as Public for a session with a source IP address as 10.2.3.4 and destination IP address as 23.44.55.66.

The illustration below shows the source and destination zones on traffic via an endpoint with Egress NAT disabled:

The illustration below shows the source and destination zones on traffic via an endpoint with Egress NAT enabled:

Zone Protection

Effective defense against DoS attacks requires a layered approach. The first layer of defense should be a dedicated, high-volume DDoS protection service such as AWS Shield to defend against volumetric attacks that the session-based firewalls are not designed to handle. However, Cloud NGFW uses the Zone Protection profile to add more granular layers of DoS attack defense and provide visibility into application traffic that dedicated DDoS services don't provide.

After traffic passes through the dedicated DDoS service (such as AWS Shield) and enters your VPC, Cloud NGFW applies the Zone Protection profile if one is attached to the Ingress (source) zone. Cloud NGFW determines the Ingress (source) zone from the Source IP address of the packet. Zone Protection profiles provide a broad defense against DoS attacks based on the aggregate traffic entering the zone. If the Zone Protection profile denies the packet, Cloud NGFW discards the packet and skips the Security policy lookup. Cloud NGFW applies Zone Protection profiles only to new sessions (packets that don't match an existing session). Once the session is established, the Cloud NGFW packet processing engine bypasses the Zone Protection profile lookup for succeeding packets in that session.

You can attach a Zone Protection profile to the private and public zones using the Panorama Cloud device group template. A Zone Protection profile protects the Ingress (or source) zone against the most common flood, reconnaissance, and packet-based attacks.

Flood protection. A Zone Protection profile with flood protection configured defends an entire ingress zone against SYN, ICMP, ICMPv6, UDP, and other IP flood attacks.
Reconnaissance Protection. Similar to the military definition of reconnaissance, the network security definition of reconnaissance is when attackers attempt to gain information about your network’s vulnerabilities by secretly probing the network to find weaknesses. Reconnaissance activities are often preludes to a network attack. Enable Reconnaissance Protection on both Private and Public zones to defend against port scans and host sweep.
Packet-based Attack Protection. Packet-based attacks take many forms. Zone Protection profiles check IP, TCP, ICMP, IPv6, and ICMPv6 packet headers and protect a zone by dropping packets with undesirable characteristics or stripping undesirable options from packets before admitting them to the zone.

Cloud NGFW Zone Mapping

Zones are associated with interfaces on self-managed firewalls such as VM-Series. However, within Cloud NGFW, the networking infrastructure is automatically set up for you. This means that you no longer need to worry about configuring interfaces and associating them with the zones you create (and, in Panorama Cloud NGFW template stacks and templates, the web interface to configure interfaces is removed from Panorama—any unnecessary Panorama web interface elements are removed in Panorama Managed Cloud Device Groups).

However, to enable consistent Security policy enforcement, you must create zone mappings in your cloud device groups so that Cloud NGFW will know whether to associate the security zones you have in your Panorama with Cloud NGFWs Private (internal) or Public (external) zone. These mappings enable Cloud NGFW to enforce your Security policy rules properly.

In some cases zone mapping may fail if you are not running the latest version of the AWS plugin (version 5.3.0). Palo Alto Networks recommends that you do not enable zone-based policies for existing firewalls that have not been upgraded to the new Egress NAT AMI using AWS plugin version 5.3.0 or above.

Configure Zone Mapping in Panorama Cloud Device Groups

The following minimum system requirements are needed for zone-based policy rules:

AWS plugin version 5.4.2 or above
PAN-OS version 10.2.8 or above
Cloud Connector plugin version 3.0.0 or above

To configure zone mapping using the Panorama console:

Add a cloud device group using the Panorama console.
Panorama > Templates, and select your Template Stack

The AWS plugin associates the template stack with your cloud device group. The AWS plugin creates a default template and adds the Public and Private zones to this template by default.

In the Templates section, you can see the default template created by the AWS plugin that will have the same name as your template stack with a suffix __dt appended to its name.
You can also reference your other Panorama templates to the template stack list, click Add, and then select the template.
Create a Zone Protection profile and associate it to your default Private and Public zones of your default template. To create the Zone Protection profile:
1. In the Panorama console, go to Network > Zone Protection.
2. Click Add.
3. Enter a Name and Description to your Zone Protection profile.
4. Select the Zone Protection services.
5. Click OK.
After creating the Zone Protection profiles, perform the following steps to associate your Private and Public zones of your default template:
In the Panorama console, select the Networks tab.
Select your Template.
Go to Zones.
Click Private and select the Zone Protection Profile for your Private Zone.
Click Public and select the Zone Protection Profile for your Public zone.
Navigate back to your cloud device group. Go to the Zone Mapping tab.

You can see the list of Panorama templates that you have referenced to the template stack list. You can map the Panorama zones to the default Private and Public zones that are created by the AWS plugin.
Configure security policy rules for cloud device groups in Panorama. You can then use the above mapped Panorama security zones, default Private or Public zones in your security policies as source or destination zones. For more information, see the Apply Policy section.

Private-to-Public, Public-to-Private, Private-to-Private, any-to-any, Private-to-Any are the allowed zone-based policy rules in the Panorama Cloud device groups. Any other combination of Source and destination security zones isn't supported in your security rules.
Commit and Push your changes on Panorama.
Log in to your Cloud NGFW console to verify your XML file containing Private and Public zone mapping pushed from Panorama to the respective cloud device group.
Go to Rulestacks, select your cloud device group, and click View XML to display information on newly added Private and Public zones from Panorama to the cloud device group.

Using the steps given in the above procedure, you can also configure zone-based policy rules for your existing cloud device groups adding the existing templates from the template stack, and then configure security policy rules for those cloud device groups in Panorama.