Migrating Web Security Policy Rules to Internet Access Rules

This section outlines the changes to Web Security policy rules in the latest Strata Cloud Manager February 2025 Release and provides various troubleshooting scenarios.
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
  • NGFW (Managed by Strata Cloud Manager)
What Do I Need?
Check for any license or role requirements for the products you're using.
  • Prisma Access license or AIOps for NGFW license
The Strata Cloud Manager February 2025 release changes how Web Security is handled in your environment. Based on user feedback, we addressed the rigidity of the existing Web Access policy rules: users reported challenges with rule ordering and with cross-referencing objects and profiles, which led to unusable rulebases or duplicated objects and, in turn, operational inefficiency.
We moved to a single rulebase to give you more flexibility and control. This change streamlines policy management and improves operational efficiency.
The Internet Access rule replaces the existing Web Access policy rules with improved capabilities. It is a new policy type within the security rulebase in Strata Cloud Manager that is optimized for managing internet access use cases.

Troubleshooting Scenarios for Environments Without Web Security Enabled at Any Node

Case: Unintended Country Block Policy Rules (for Prisma Access only)
Issue: If you have any Country Block configuration in the Source or Destination region block under Security Services > Web Security > Security Settings > Threat Management, the upgrade generates a source-region block policy and a destination-region block policy respectively.
How to Mitigate:
  • Review and remove any existing Country Block configurations in the Source and Destination region blocks.
  • Push or commit the changes.
Case: Web Security Default Snippet Reattachment
Issue: During the upgrade, the Web Security default snippet (Internet-Security-Default) is automatically reattached to Global, even if it was previously removed or detached. This reattachment may fail if the snippet is attached to child nodes. The snippet is required: without it you will see reference errors, because other snippets may reference profiles and objects within this default snippet.
How to Mitigate:
  • If automatic reattachment failed:
    • Manually attach the Internet-Security-Default snippet to Global.
    • Push the updated configuration.
Case: Web Security and Internet Access Changes
Issue: After the upgrade, review the Internet Security settings to ensure correct behavior.
Expected upgrade behavior:
  • Decryption under Web Security should be set to No Decrypt.
  • The catch-all rule (internet-access-default) should be disabled to maintain consistent behavior.
How to Mitigate: If the upgrade had issues and you observe that the changes above were not applied, follow the steps below.
  • Adjust Decryption Settings:
    • Navigate to Global > Internet Security > Security Settings > Decryption > Bypass & Logging Settings.
    • Verify whether the Default Decryption Setting is set to No Decrypt.
    • If not, set the Default Decryption Setting to No Decrypt.
  • Disable Default Internet Access:
    • Go to Global > Security Policy.
    • Locate the Global Post Rules section.
    • Find the internet-access-default rule.
    • If the rule is enabled, disable it.

Troubleshooting Scenarios for Partial Web Security Enablement on Nodes

Case: Resolving Unintended Policy Inheritance in Child Scopes
Issue: When policies are created on a parent folder but one or more child folders/scopes do not have Web Security enabled, all parent policies are inherited by all child scopes and enforced there once pushed.
How to Mitigate:
  • If the policies apply only to a specific child node, move them from the parent to that child folder.
  • If the policies apply to more than one child node:
    • Move the policies from the parent to a snippet (you might have to move or create the objects referenced by the policies).
    • Attach the snippet to ALL child nodes where you want these policies enforced.
    • Move the snippet to its appropriate position in the rulebase of each child node.
    • Push the changes.
Case: Internet Access Default post-rule in Global is enabled
Issue: When the Internet Access default post-rule in Global is enabled, it affects traffic on all child nodes, because it is enforced as a Global post-rule. If you want different treatment for different child nodes, mitigation is required.
How to Mitigate:
  • Disable the internet-access-default policy in the Global settings.
  • Create a specific block/deny default policy in each individual node where you want the enforcement.

Troubleshooting Scenarios For Hybrid (Prisma Access + NGFW tenant)

Case: Security Zone Mismatch in Internet Access Policies
Issue: The security zones used by Internet Access policy rules default to Inbound Zone = any and Outbound Zone = internet. Push-time validations and commits fail if these zones do not exist on the NGFW.
How to Mitigate:
  • Navigate to Security Services > Internet Security > Security Settings > General.
  • Customize the settings to provide an Inbound and Outbound zone for the NGFWs, or create a zone named internet on the NGFWs.
Case: Snippet Attachment Issues with Device Scope and Web Security Settings
Issue: When device scope is disabled but Web Security is enabled for specific Next-Generation Firewalls (NGFWs), you may encounter issues with attaching snippets directly to nodes. In particular, the Internet Access best practice snippet, which contains default policies for Internet and Gen AI access, cannot be attached, and its policies will get removed during the push process for the affected devices.
How to Mitigate:
  • Enable device scope for the affected NGFWs.
  • Attach the Internet Access best practice snippet to the relevant nodes.
  • Verify the snippet attachment.
  • Attempt a configuration push.
  • Monitor the push process and check for any errors.

Troubleshooting Scenarios: Web Security is Enabled and Snippet with Web Security Policy Rules is attached

Case: Web Access Policy Placement After Upgrade
Issue: Following an upgrade, web access policies are relocated to the security rulebase of the snippet. Snippets are attached in order within the security rulebase of a folder, so the web access policies are now positioned just above the security policies of that particular snippet. This differs from the pre-upgrade behavior, where they were placed at the top of the rulebase, above all security rules. This change in ordering can affect your security posture and policy enforcement.
How to Mitigate:
  • Move the snippet to the desired position in the rulebase.
  • If you need to place policies at two separate positions within the rulebase, move them into different snippets.
  • Push the configuration changes.

Troubleshooting Scenario: Rule Name Collision Between Web Access Policy Rules and Security Rules

Case: Rule Name Conflicts During Web Access and Security Policy Migration
Issue: When migrating to a single rulebase, identical rule names in Web Access policies and security policies cause name conflicts, because the unified rulebase requires a unique identifier for each rule. Unresolved conflicts can lead to unexpected behavior, policy application errors, or potential security gaps.
How to Mitigate:
  • Identify conflicting rule names.
  • Rename the Web Access policy rules to ensure uniqueness.
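A pre-migration check for this scenario, added here as an example and not part of the original page or of Strata Cloud Manager: it takes constructed per-scope lists of Web Access and security rule names, reports the names that collide within the same scope, and proposes replacement names that are unused by either rule set. That rule names must be unique per scope (folder or snippet), and the rule lists themselves, are assumptions.

```python
from collections import defaultdict

# Constructed sample data (not from the page): rules as (scope, rule name).
# Scope is the folder or snippet whose security rulebase the rule lands in
# after the migration; uniqueness is assumed to be required per scope.
WEB_ACCESS_RULES = [
    ("Global", "block-high-risk"),
    ("Global", "allow-saas"),
    ("Internet-Security-Default", "block-high-risk"),
    ("branch-offices", "allow-saas"),
]
SECURITY_RULES = [
    ("Global", "block-high-risk"),
    ("Global", "block-high-risk-web"),
    ("branch-offices", "allow-saas"),
    ("branch-offices", "internet-access-default"),
]


def find_collisions(web_rules, security_rules):
    """Return {scope: [names]} for Web Access rule names that already
    exist as security rule names in the same scope (exact string match)."""
    taken = defaultdict(set)
    for scope, name in security_rules:
        taken[scope].add(name)
    collisions = defaultdict(list)
    for scope, name in web_rules:
        if name in taken[scope]:
            collisions[scope].append(name)
    return dict(collisions)


def propose_renames(web_rules, security_rules, suffix="-web"):
    """Return {(scope, old_name): new_name} giving each colliding Web Access
    rule a name unused by both rule sets in that scope. The first candidate
    is old_name + suffix; if that is taken too, a counter is appended."""
    used = defaultdict(set)
    for scope, name in list(web_rules) + list(security_rules):
        used[scope].add(name)
    renames = {}
    for scope, names in find_collisions(web_rules, security_rules).items():
        for old in names:
            candidate, n = old + suffix, 1
            while candidate in used[scope]:
                n += 1
                candidate = f"{old}{suffix}-{n}"
            used[scope].add(candidate)  # reserve it so later renames stay unique
            renames[(scope, old)] = candidate
    return renames


if __name__ == "__main__":
    for (scope, old), new in propose_renames(WEB_ACCESS_RULES, SECURITY_RULES).items():
        print(f"{scope}: rename Web Access rule '{old}' -> '{new}'")
```

Run it against an export of your own rule names before the upgrade; a rename suggested here still has to be applied in the Web Access policy before the push.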