Focus

Next-Generation Firewall

Set Up a Basic Security Policy (SCM)

Table of Contents

Filter

Expand All | Collapse All

Next-Generation Firewall Docs

Getting Started
Administration
Networking
Quick Start
Reference
Incidents & Alerts
Release Notes
Select a Document
- PAN-OS 12.1
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 11.0 (EoL)
- PAN-OS 10.2
- PAN-OS 10.1
- PAN-OS 10.0 (EoL)
- PAN-OS 9.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 8.1 (EoL)
Help
Select a Document
- PAN-OS 12.1
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 10.2
- PAN-OS 10.1

Set Up a Basic Security Policy (SCM)

Set up a basic security profile for Strata Cloud Manager.

For more information about setting up Security Policy Rules in Strata Cloud Manager, click here.

Add a rule.
1. Select ConfigurationNGFW and Prisma AccessSecurity ServicesSecurity PolicyAdd RuleSecurity Rule and select Pre-Rule and build your rule. Components marked with an asterisk(*) are mandatory.
2. In the General tab, enter a descriptive Name for the rule.
3. Give a Description for your rule's intent.
4. Add a Tag to your rules to group them using keywords or phrases.
5. Limit a security rule to specific times using a Schedule.
Define the matching criteria for the source fields in the packet.
1. In the Source tab, select a Source Zone.
2. Specify a Source IP Address or leave the value set to ny.
3. You can search for specific Usersor User Groups to enforce policy for individual users or a group of users. Specify the match criteria that define which users and user groups.
  Sub string or partial string search is not supported for performance reasons.
  Entire string search is possible when delimiters such as space and hyphen is present.
  When number of users is more than 500 then string search use quotes with exact string
Define the matching criteria for the destination fields in the packet.
1. In the Destination tab, set the Zone.
2. Specify a Destination IP Address or leave the value set to any.
Specify the application that the rule will allow or block.
1. In the Applications tab, Add the Application you want to safely enable. You can select multiple applications or you can use application groups or application filters.
2. In the Service/URL Category tab, keep the service set to application-default to ensure that any applications that the rule allows are allowed only on their standard ports. An administrator can also use an existing App-ID signature and customize it to detect proprietary applications or to detect specific attributes of an existing application. Custom applications are defined in ObjectsApplications
(Optional) Specify a URL category as match criteria for the rule.

Select URL Category or Tenant Restriction to specify a specific TCP and/or UDP port number, a URL category, a tenant restriction as match criteria in the security rule. If you select a URL category, only web traffic will match the rule and only if the traffic is destined for that specified category.
Define what action you want the firewall to take for traffic that matches the rule.
In the Actions tab, select an Action.
- Allow
- Deny
- Drop
- Reset Client
- Reset Server
- Reset Both Client and Server
Configure the log settings.
- By default, the rule is set to Log at Session End. You can disable this setting if you don’t want any logs generated when traffic matches this rule or you can select Log at Session Start for more detailed logging.
- Select a Log Forwarding profile.
Attach security profiles to scan all allowed traffic for threats.

In ActionsProfile Group, select a Profile Group from the drop-down to attach to the rule.
Select Save to save the security rule, then Push Config to your devices.

Next-Generation Firewall Docs

Set Up a Basic Security Policy (SCM)

Next-Generation Firewall Docs

Set Up a Basic Security Policy (SCM)

Activation and Onboarding

Next-Generation Firewalls

SASE

Cloud-Delivered Security Services

Network Security

Endpoints

Visibility & Monitoring

FedRAMP

Hardware Reference

Hardware Quick Start Guides

Virtual ION Deployment

3rd Party Integrations

Best Practices

Experts Corner