Web Security Management

Consolidated Security policy management
- Define URL and application access Security policies for users and security protections, all from a single location. Your threat protection settings are applied globally to all web traffic, which eliminates the need to configure them on a per-Security policy basis. You can also turn on SSL Decryption easily from a central location.
Built-in best practices
- Secure web traffic in just a couple of clicks. The ready-to-use default Security policy configurations adhere to Palo Alto Networks’ best practice recommendations. Simply
Enable
Web Security and
Push Config
to secure web traffic right away. You can use the default security rules as-is or customize your own.
Separation of roles and responsibilities
- As a Web Security Admin, you can manage web-bound traffic from
Web Security
, while other traffic is enforced according to the Security policies set in
Configuration
. All
Prisma Access
configurations can be handled on a single console with clear separation.
Web Security Admins
- Can manage settings relevant to their role, but other settings are hidden from view.
Account Admin, App Admin, or Instance Admin
- Can also view Web Security settings.

Web Security policy Migration

If you had Web Security policies prior to upgrading your environment, you'll find them in a new editable Snippet called “web-sec-migration”. If you had targeted rules specific for GlobalProtect, Explicit Proxy, or Remote Networks, your find them in a separate snippet that's attached to the relevant scope.

So you don't encounter any functional changes to your configuration, snippets have already associated with their correct level, but you'll need to perform a full ("All Admin" scope) before your commits can function.

Rule Order for Web Security and Security Policy

Web Access security rules your create in folder are inherited by child folders, as are any other rules in your configuration. When GlobalProtect, Explicit Proxy, or Remote Networks are heirs of Web Security policy, Web Security rules go to the top of the rulebase. Security policies from higher-level parent folders get priority over Web Access Security policies in lower-level child folders. Default security policies are always placed at the bottom and below any Web Security rules in a child folder.

Here's the order of rule enforcement:

Global - Web Access Security policies Global - Security policies

Prisma Access - Web Access Security policies Prisma Access - Security policies (pre-rules)

Remote Networks - Web Access Security policies Remote Networks - Security policies

Prisma Access - Security policies (post-rules)

Global - Security policies (post-rules)

Get a Behind-the-Scenes Look at your Custom Security policies

Your custom security rules go through a transformation after your build them so that

Prisma Access

can enforce them properly. The

Detail Usage

tab gives you an advanced view of your custom security rules, so you can pinpoint in your logs the work your Web Security rules are doing.

To see the details for any of your rules, select

Manage

Configuration

NGFW and

Prisma Access

Security Services

Web Security

Web Access Security policy

, select a rule you want to see details for from the

Security policies

tab, and then select the

Detail Usage

tab.

You may notice that a single security rule is separated into multiple rules in this view. This is because the rule's intent may require more than one rule to accomplish.