Cloud NGFW Native Policy Management
Learn about Cloud NGFW for Azure native policy management.
Where Can I Use This? | What Do I Need? |
|
- Cloud NGFW subscription
- Palo Alto Networks Customer Support Portal account
- Azure Marketplace subscription
|
You can use Cloud NGFW for Azure native policy management:
On Cloud NGFW, you define security policy rules and group those rules together in a
rulestack.
While security policy rules enable you to allow or block traffic on your
network, Security Profiles help you define an
allow but scan rule,
which scans allowed applications for threats, such as malware, spyware, and DDoS
attacks. When traffic matches the
allow rule defined in the Security
policy rule, the Security Profiles attached to the rule are applied for further content
inspection rules such as antivirus checks and data filtering.
Security Profiles are not used in the match criteria of a traffic flow.
The Security Profile is applied to scan traffic after the Security policy rule
allows the application or category.
The firewall provides default Security Profiles that you can use out of the box
to begin protecting your network from threats. See
Set Up a Basic Security Policy for information
on using the default profiles in your Security policy rule.
You can add Security Profiles that are commonly applied together to
Create a Security Profile Group; this set of
profiles are treated as a unit and added to Security policy rules in one step (or
included in Security policy rules by default, if you choose to set up a default Security
Profile Group).
Security profiles provide fundamental
protections by scanning traffic that you allow on the network for threats. Security
Profiles provide a full suite of coordinated threat prevention tools that block
peer-to-peer command and control (C2) application traffic, dangerous file types,
attempts to exploit vulnerabilities, and antivirus signatures, and also identify new and
unknown malware.
It takes relatively little effort to apply Security Profiles because Palo Alto
Networks provides predefined profiles that you can simply add to Security policy allow
rules. Customizing Security Profiles is easy because you can clone a predefined profile
and then edit it. You can also create a Security Profile from scratch on the firewall or
on Panorama.
To detect known and unknown threats in your network traffic, attach Security
Profiles to all Security policy rules that allow traffic on the network, so that the
firewall inspects all allowed traffic. The firewall applies Security Profiles to traffic
that matches the Security policy allow rule, scans traffic in accordance with the
Security Profile settings, and then takes appropriate actions to protect the network.
The recommendations for best practice Security Profiles apply to all four of the data
center traffic flows except as noted.
Download
content updates automatically and install
them as soon as possible so that you have the latest threat prevention signatures
and content (antivirus, antispyware, vulnerabilities, malware, etc.) on the firewall
and block the latest threats.
Security Rule Objects
A security rule object is a single object or collective unit that groups
discrete identities such as IP addresses, FQDN, or certificates. Typically, when
creating a policy object, you group objects that require similar permissions in the
policy. For example, if your organization uses a set of server IP addresses for
authenticating users, you can group the set of server IP addresses as a prefix list
object and reference that prefix list in one or more security rules. Group object
allows you to significantly reduce the administrative overhead in creating
rules.
Prefix and FQDN Lists—prefix and FQDN lists allow you to group
specific source or destination IP addresses or FQDNs that require the same
policy enforcement. A prefix list can contain one or more IP addresses or
Internet Protocol netmask in CIDR notation. An address object of type
Internet Protocol netmask requires you to enter the IP address or network
using slash notation to indicate the IPv4 network. For example,
192.168.18.0/24. An FQDN (for example, paloaltonetworks.com) object provides
further ease of use because DNS provides the FQDN resolution to the IP
addresses instead of you needing to know the IP addresses and manually
updating them every time the FQDN resolves to new IP addresses.
Certificate—a certificate object is a reference to a TLS certificate
stored in the
Azure Key Vault in your Azure
account, and is used in outbound decryption.
PAN-OS version 11.0.x is required when using Azure Key Vault for
outbound decryption.