Plan Security Policy Best Practices

Plan best practice Security policy in PAN-OS and Prisma Access.
Before you create best practice Security policy rules, make sure you understand best practices for planning a secure network, especially Zero Trust Network Access (ZTNA) principles. Security policy defines the traffic you allow and block. However, it takes a comprehensive set of tools and services to completely protect your network, including tools that provide:
  • Visibility, such as decryption, App-ID, User-ID, and Device-ID.
  • Advanced Threat Prevention, such as vulnerability protection, antivirus, anti-spyware, file blocking, sandboxing, Data Loss Prevention (DLP), DNS Security, and more.
  • IoT security to control unmanaged devices and SaaS security to control SaaS applications (next-generation CASB).
Ensure that you have the appropriate toolset to safeguard your network and to use together with Security policy.
  1. You can’t defend against threats that you can’t see. Decrypt all the traffic you can, in accordance with legal compliance, local regulations, privacy regulations, and business considerations to gain visibility into traffic so you can inspect it and prevent threats. For SSL Forward Proxy (outbound) decryption, implement User-ID and URL Filtering first so you can target decryption effectively. Some traffic can’t be decrypted due to technical reasons such as pinned certificates, client authentication, and embedded certificates in IoT devices.
    If you don’t decrypt traffic, the firewall can’t granularly identify applications. For example, the firewall can see that the container application is facebook, but can’t see the functional application, so you don’t know and can’t control if the user is uploading, downloading, posting, etc. on Facebook. The firewall also can’t see and inspect the payload, so you don’t have the visibility to defend against malicious content. To get the most from your other subscriptions and to achieve the best protection, you must decrypt traffic to gain visibility into that traffic.
    Decryption doesn’t require a license, but for decrypting outbound traffic, add an Advanced URL Filtering license so that you can take a granular approach to decryption and easily choose which types of traffic to decrypt and not to decrypt. URL Filtering enables you to exclude categories that you shouldn’t decrypt for legal, personal information, regulatory, or other reasons. URL Filtering also enables you to block user access to malicious websites.
    In addition, decrypt inbound traffic to protect critical servers and decrypt SSH Proxy traffic to prevent malicious management traffic.
    Follow decryption best practices to prepare for, roll out, and maintain decryption.
  2. View the planning and deployment processes through a lens of least privilege access and Zero Trust Network Access.
    Understand who needs to use which applications to access which data and which infrastructure. This enables you to construct Security policy rules that grant only the people who need access for business purposes access to only the necessary data and infrastructure, while blocking all other access.
    Use the attributes available in Security policy to define least privilege access: users, devices, applications, source and destination, service, and URL (for outbound traffic, with decryption enabled so that the firewall has visibility into each functional application, not just the container application).
  3. Get the appropriate subscriptions for your business to achieve the best threat prevention and security posture.
    • Advanced URL Filtering—Cloud-delivered service that enables safe website access, protects users from dangerous sites, and helps prevent credential phishing attacks.
    • Advanced Threat Prevention or active legacy threat protection—Cloud-delivered Advanced Threat Prevention uses inline deep learning and machine learning models for real-time enforcement of evasive and day-one command-and-control (C2) threats, and includes all features of standard Threat Prevention. Standard Threat Prevention protects against C2, malware, and vulnerability exploits.
      Air-gapped environments cannot use Advanced Threat Prevention because it’s a cloud service and requires a cloud connection.
      Follow best practices for Threats Content Updates to ensure that you have the latest protections.
    • DNS Security—(Requires an Advanced Threat Prevention license or an active legacy Threat Prevention license, plus a DNS Security license, to activate) Cloud-delivered service that identifies and blocks threats in DNS traffic, prevents connections to malicious DNS sites, and is constantly updated to prevent new types of DNS-based attacks.
    • Enterprise Data Loss Prevention (DLP)—Cloud-delivered service that protects data across all enterprise networks, clouds, and users, and enables compliance with data safety regulations.
    • Cortex Data Lake—Cloud-based log storage that scales with your log volume and ingests logs from next-generation firewalls, Panorama, Prisma Access, and Cortex XDR. Most Cortex applications use Cortex Data Lake to access, analyze, and report on your logged network data.
    • WildFire—Cloud-based or private analysis environment that identifies both known and unknown (new) malware and generates signatures the firewall uses to identify and block malicious traffic.
    • SaaS Security—Cloud-delivered service that secures your sanctioned SaaS applications with licenses that can be standalone or bundled:
    • IoT Security—Discovers and secures IoT devices on your network and enables automatic IoT Policy Rule Recommendations to the firewall administrator. Follow IoT Security best practices for planning, deployment, and monitoring.
    • GlobalProtect—Provides capabilities beyond the free VPN features, including the GlobalProtect mobile app, HIP checks, clientless VPN, and more.
  4. Review your network segmentation plan.
    For Panorama Managed Prisma Access, there are effectively only two zones, trust and untrust, and you map all Panorama zones to the Prisma Access trust or Prisma Access untrust zone.
    On Panorama and firewalls, if a zone isn’t granular enough and includes devices, users, and applications that require different security treatment, consider rearchitecting your zones to segment the network in a more granular way. Place users, applications, and devices that require similar treatment in the same zone. Small zones are easier to defend than large zones.
    In some cloud environments, the architecture might limit the number of zones you can configure.
    Follow DoS and Zone Protection Best Practices to prevent flood attacks and safeguard the devices in each zone and your firewall buffers.
    For Cloud Managed Prisma Access, base microsegmentation on identity.
  5. Define which applications you need to allow for business purposes (sanctioned applications) and which applications to allow for other purposes (tolerated applications).
    Use App-ID in Security policy (no subscription required) to identify both container applications and their functional applications (e.g., not just “facebook” but “facebook-post”, “facebook-download”, etc.). If you use SaaS Security, use the App-ID Cloud Engine (ACE) to identify cloud applications (requires SaaS Security subscription).
    The firewall allows applications you specify in Security policy rules whose Action is Allow and blocks applications specified in rules whose Action denies, drops, or resets traffic, based on the rule’s criteria. Traffic must meet all of a rule’s criteria to match the rule. If an application matches no rule, the two default rules at the bottom of the Security policy rulebase control the traffic. Interzonal (source and destination are in different zones) traffic is denied by default. Intrazonal (source and destination are in the same zone) traffic is allowed by default.
    Communicate access policy so employees understand why they may not be able to access certain applications.
  6. Identify all users. Control who has access to which applications and devices in Security policy to ensure that consistent policy follows each user everywhere in the network.
    User-ID (no subscription required) combines user information from multiple sources to identify all users on your network. To help ensure that user identification is consistent and to scale across your network, use the Cloud Identity Engine (CIE) (no subscription required) as an aggregated single source for User-ID. CIE gathers and synchronizes user data from sources across your network. All firewalls pull exactly the same user information from CIE, whether they’re on a campus or in the cloud. CIE also provides authentication in conjunction with most major identity providers (IdPs) such as Okta, Azure AD, PingID, etc.
    In PAN-OS 10.2 and earlier, CIE provides Directory Synchronization (DSS) and Cloud Authentication (CAS) services. Starting with PAN-OS 11.0, you can also use CIE as a redistribution point.
    When configuring user groups, think about who needs to access the same resources in the same way for the same business purposes and follow best practices for user group mapping and best practices for dynamic user groups (DUGs).
    Use GlobalProtect VPN in Always On mode for highest security and reliable user identification if possible. Use GlobalProtect for remote access and with internal gateways to gather User-ID information no matter where your users are located.
  7. Plan to attach the appropriate Security profiles or Security profile group to every Security policy rule that allows traffic. (If a rule blocks traffic, the firewall doesn’t inspect the blocked traffic.)
    Security profile groups are groups of profiles tuned for a particular purpose that you apply to Security policy rules instead of applying each profile individually. This saves time and helps prevent accidental misconfiguration.
  8. Plan how to store logs (in Cortex Data Lake, on Log Collectors, etc.) and which administrators to notify for different types and severities of log events. Plan for enough log storage capacity to enable investigation into events after they occur.
  9. Use a single management pane such as Panorama or Cloud Managed Prisma Access to manage your deployment for easier, more consistent security.
  10. Follow Administrative Access Best Practices to ensure least privilege access for Panorama and firewall administrators.
  11. Day 1 Configurations, which are available on the Customer Support Portal (Tools > Run Day 1 Configuration) and require support login, are templates that provide a use-case agnostic configuration model to start your path to least privilege access. Day 1 Configurations help you implement basic network security best practices right away, including for critical elements such as Dynamic Updates, Security profiles, logging, and more.