Cloud NGFW for AWS Security Rule Objects

A security rule object is a single object or collective unit that groups discrete identities such as IP addresses, fully-qualified domain names (FQDN), intelligent feeds, or certificates. Typically, when creating a policy object, you group objects that require similar permissions in policy. For example, if your organization uses a set of server IP addresses for authenticating users, you can group the set of server IP addresses as a prefix list object and reference that prefix list in one or more security rule. Group object allows you to significantly reduce the administrative overhead in creating rules.
  • Prefix
    FQDN Lists
    —prefix and FQDN lists allow you to group specific source or destination IP addresses or FQDNs that require the same policy enforcement. A prefix list can contain one or more IP addresses or IP netmask in CIDR notation. An address object of type IP Netmask requires you to enter the IP address or network using slash notation to indicate the IPv4 network. For example, An FQDN (for example, object provides further ease of use because DNS provides the FQDN resolution to the IP addresses instead of you needing to know the IP addresses and manually updating them every time the FQDN resolves to new IP addresses.
  • Custom URL Category
    —a custom URL category allows you to specify exceptions to a URL category enforcement and to create a custom URL category based on multiple existing categories.
  • Intelligent Feed
    —an intelligent feed, also called an external dynamic list (EDL), is an ongoing stream of data related to potential or current threats to an organization’s security. An intelligent feed records and tracks IP addresses and URLs that are associated with threats such as phishing scams, malware, bots, spyware, ransomware, and more.
    Cloud NGFW includes four built-in intelligent feeds.
    • Palo Alto Networks Bulletproof IP Addresses
      —Contains IP addresses provided by bulletproof hosting providers. Because bulletproof hosting providers place few, if any, restrictions on content, attackers frequently use these services to host and distribute malicious, illegal, and unethical material.
    • Palo Alto Networks High-Risk IP Addresses
      —Contains malicious IP addresses from threat advisories issued by trusted third-party organizations. Palo Alto Networks compiles the list of threat advisories, but does not have direct evidence of the maliciousness of the IP addresses.
    • Palo Alto Networks Known Malicious IP Addresses
      —Contains IP addresses that are verified malicious based on WildFire analysis, Unit 42 research, and data gathered from telemetry. Attackers use these IP addresses almost exclusively to distribute malware, initiate command-and-control activity, and launch attacks.
    • Palo Alto Networks Tor Exit IP Addresses
      —Contains IP addresses supplied by multiple providers and validated with Palo Alto Networks threat intelligence data as active Tor exit nodes. Traffic from Tor exit nodes can serve a legitimate purpose, however, is disproportionately associated with malicious activity, especially in enterprise environments.
    You can connect your NGFW with Palo Alto Networks built-in intelligence feeds and third-party intelligent feeds to provide up-to-date information about threats to your network. If the connection requires specifying decryption certificates, you can configure Cloud NGFW to use a Cloud NGFW Certificate object described below.
  • Certificate
    —a certificate object is a reference to a TLS certificate stored in the AWS Secrets Manager in your AWS account.

Recommended For You