Set Up a Basic Security Policy (PAN-OS)

1. (Optional) Delete the default Security policy rule.

   By default, the NGFW includes a Security policy rule named rule1 that allows all traffic from Trust zone to Untrust zone. You can either delete the rule or modify the rule to reflect your zone-naming conventions.
2. Allow access to your network infrastructure resources.

   1. Select PoliciesSecurity and click Add.
   2. In the General tab, enter a descriptive Name for the rule.
   3. In the Source tab, set the Source Zone to Users.
   4. In the Destination tab, set the Destination Zone to IT Infrastructure.

      As a best practice, use address objects in the Destination Address field to enable access to specific servers or groups of servers only, particularly for services such as DNS and SMTP that are commonly exploited. By restricting users to specific destination server addresses, you can prevent data exfiltration and command and control traffic from establishing communication through techniques such as DNS tunneling.
   5. In the Applications tab, Add the applications that correspond to the network services you want to safely enable. For example, select dns, ntp, ocsp, ping, and smtp.
   6. In the Service/URL Category tab, keep the Service set to application-default.
   7. In the Actions tab, set the Action Setting to Allow.
   8. Set Profile Type to Profiles and select the following security profiles to attach to the policy rule:

      • For Antivirus, select default
      • For Vulnerability Protection, select strict
      • For Anti-Spyware, select strict
      • For URL Filtering, select default
      • For File Blocking, select basic file blocking
      • For WildFire Analysis, select default
   9. Verify that Log at Session End is enabled. Only traffic that matches a Security policy rule will be logged.
   10. Click OK.

3. Enable access to general internet applications.

   This is a temporary rule that allows you to gather information about the traffic on your network. After you have more insight into which applications your users need to access, you can make informed decisions about which applications to allow and create more granular application-based rules for each user group.

   1. Select PoliciesSecurity and Add a rule.
   2. In the General tab, enter a descriptive Name for the rule.
   3. In the Source tab, set the Source Zone to Users.
   4. In the Destination tab, set the Destination Zone to Internet.
   5. In the Applications tab, Add an Application Filter and enter a Name. To safely enable access to legitimate web-based applications, set the Category in the application filter to general-internet and then click OK. To enable access to encrypted sites, Add the ssl application.
   6. In the Service/URL Category tab, keep the Service set to application-default.
   7. In the Actions tab, set the Action Setting to Allow.
   8. Set Profile Type to Profiles and select the following security profiles to attach to the policy rule:

      • For Antivirus, select default
      • For Vulnerability Protection, select strict
      • For Anti-Spyware, select strict
      • For URL Filtering, select default
      • For File Blocking, select strict file blocking
      • For WildFire Analysis, select default
   9. Verify that Log at Session End is enabled. Only traffic that matches a security rule will be logged.
   10. Click OK.

4. Enable access to data center applications.

   1. Select PoliciesSecurity and Add a rule.
   2. In the General tab, Enter a descriptive Name for the rule.
   3. In the Source tab, set the Source Zone to Users.
   4. In the Destination tab, set the Destination Zone to Data Center Applications.
   5. In the Applications tab, Add the applications that correspond to the network services you want to safely enable. For example, select activesync, imap, kerberos, ldap, ms-exchange, and ms-lync.
   6. In the Service/URL Category tab, keep the Service set to application-default.
   7. In the Actions tab, set the Action Setting to Allow.
   8. Set Profile Type to Profiles and select the following security profiles to attach to the policy rule:

      • For Antivirus, select default
      • For Vulnerability Protection select strict
      • For Anti-Spyware select strict
      • For URL Filtering select default
      • For File Blocking select basic file blocking
      • For WildFire Analysis select default
   9. Verify that Log at Session End is enabled. Only traffic that matches a security rule will be logged.
   10. Click OK.

5. Save your policy rules to the running configuration on the NGFW.

   Click Commit.
6. To verify that you have set up your basic policies effectively, test whether your Security policy rules are being evaluated and determine which Security policy rule applies to a traffic flow.

   For example, to verify the policy rule that will be applied for a client in the user zone with the IP address 10.35.14.150 when it sends a DNS query to the DNS server in the data center:

   1. Select DeviceTroubleshooting and select Security Policy Match (Select Test).
   2. Enter the Source and Destination IP addresses.
   3. Enter the Protocol.
   4. Select dns (Application)
   5. Execute the Security policy match test.