Create Security Rules on Cloud NGFW for Azure
Table of Contents
Expand all | Collapse all
-
- Cloud NGFW for Azure
- Cloud NGFW Components
- Cloud NGFW for Azure Supported Regions
- Cloud NGFW for Azure Limits and Quotas
- Cloud NGFW for Azure Pricing
- Cloud NGFW for Azure Free Trial
- Cloud NGFW Credit Distribution and Management
- Start with Cloud NGFW for Azure
- Manage Cloud NGFW Roles for Azure Users
- Integrate Single Sign-on
- Monitor Cloud NGFW Health
- Create a Support Case
- Register Your Cloud NGFW Tenant with a Palo Alto Networks Support Account
- Cloud NGFW for Azure Certifications
- Cloud NGFW For Azure Privacy and Data Protection
-
- About Rulestacks and Rules on Cloud NGFW for Azure
- Create a Rulestack on Cloud NGFW for Azure
- Cloud NGFW for Azure Security Rule Objects
- Create a Prefix List on Cloud NGFW for Azure
- Create an FQDN List for Cloud NGFW on Azure
- Add a Certificate to Cloud NGFW for Azure
- Create Security Rules on Cloud NGFW for Azure
- Cloud NGFW for Azure Security Services
- Enable DNS Security on Cloud NGFW for Azure
- Set Up Outbound Decryption on Cloud NGFW for Azure
- Set Up Inbound Decryption on Cloud NGFW for Azure
-
- Panorama Integration
- Panorama Integration Prerequisites
- Link the Cloud NGFW to Palo Alto Networks Management
- Use Panorama for Cloud NGFW Policy Management
- Enable User-ID on the Cloud NGFW for Azure
- Configure Service Routes for On-Prem Services
- Use XFF IP Address Values in Policy
- View Cloud NGFW Logs and Activity in Panorama
- Strata Cloud Manager Policy Management
-
- Configure Logging for Cloud NGFW on Azure
- Cloud NGFW for Azure Traffic Log Fields
- Cloud NGFW for Azure Threat Log Fields
- Cloud NGFW for Azure Decryption Log Fields
- Enable Log Settings
- Disable Log Settings
- Enable Activity Logging on Cloud NGFW for Azure
- Multiple Logging Destinations on Cloud NGFW for Azure
- View the Logs
- View Audit Logs on a Firewall Resource
- View Audit Logs on Resource Groups
- What's New
- Cloud NGFW for Azure Known Issues
- Cloud NGFW for Azure Addressed Issues
Create Security Rules on Cloud NGFW for Azure
Create security rules on the Cloud NGFW for Azure.
Security rules protect network
assets from threats and disruptions and help to optimally allocate
network resources for enhancing productivity and efficiency in business
processes. On Cloud NGFW for Azure, individual security rules determine
whether to block or allow a session based on traffic attributes,
such as the source and destination IP address, source and destination
FQDNs, or the application.
All traffic passing through the
firewall is matched against a session and each session is matched
against a rule. When a session match occurs, the NGFW applies the
matching rule to bidirectional traffic in that session (client to
server and server to client). For traffic that doesn’t match any
defined rules, the default rules apply.
Security policy rules
are evaluated left to right and from top to bottom. A packet is
matched against the first rule that meets the defined criteria and,
after a match is triggered, subsequent rules are not evaluated.
Therefore, the more specific rules must precede more generic ones
in order to enforce the best match criteria.
After creating
a rulestack, you can now create rules and add them to your rulestack.
- Click the Local Rulestacks icon from the homepage and select a previously-created rulestack on which you wish to add Rules.Click Rules and then click Add.In the general section, enter a descriptive Name for your rule.(Optional) Enter a Description of your rule.Set the Rule Priority.The rule priority determines the order in which the rules are evaluated. Rules with a lower priority are evaluated first. Additionally, each rule within a rulestack.By default, the security rule is Enabled. Uncheck Enabled to disable the rule. You can enable or disable a rule at any time.Set the Source.
- Select Any, Match, or Exclude.Selecting Any means the traffic is evaluated against the rule regardless of source.If you select Match, specify the IP Address (CIDR), Prefix List, Countries, Intelligent Feeds, or Dynamic Prefix List.Set the Destination.
- Select Any, Match, or Exclude.Selecting Any means the traffic is evaluated against the rule regardless of destination.If you select Match, specify the Prefix List, FQDN List, Countries.Set Granular Control.
- Choose Any or Select.When choosing Any, traffic is evaluated regardless of the application. By specifying an application(s), traffic is evaluated against the rule if the traffic matches the specified application.If you choose Select, specify the applications.Set URL Category Granular Control.
- Choose Any or Select.When choosing Any, traffic is evaluated regardless of the URL.If you choose Select, Choose one of the Predefined Categories from the drop-down.Set Port & Protocol Granular Control.
- Choose application-default, any, or Select.When choosing any, traffic is evaluated regardless of the port and protocol. By specifying a port and protocol, traffic is evaluated against the rule if the traffic matches the specified port and protocol.If you choose Select, select the protocol from the drop-down and enter the port number. You can specify a single port number.Set Actions.
- Set the Action the firewall takes when traffic matches the rule—Allow, Deny, Drop, or Reset both client and server.Enable Egress Decryption.Enable Logging.Click Add.After creating rules for your rulestack, validate or deploy your configuration.