Set Up a Basic Security Policy (SCM)
Set up a basic security policy rule in Strata Cloud Manager.
For more information about setting up Security Policy rules in Strata Cloud Manager, see the Strata Cloud Manager security policy documentation.
  1. Add a rule.
    1. Select Configuration > NGFW and Prisma Access > Security Services > Security Policy > Add Rule > Security Rule, select Pre-Rule, and build your rule. Components marked with an asterisk (*) are mandatory.
    2. In the General tab, enter a descriptive Name for the rule.
    3. Give a Description for your rule's intent.
    4. Add a Tag to your rules to group them using keywords or phrases.
    5. Limit a security rule to specific times using a Schedule.
  2. Define the matching criteria for the source fields in the packet.
    1. In the Source tab, select a Source Zone.
    2. Specify a Source IP Address or leave the value set to any.
    3. You can search for specific Users or User Groups to enforce policy for individual users or a group of users. Specify the match criteria that define which users and user groups the rule applies to.
      • Substring or partial-string search is not supported, for performance reasons.
      • Whole-string search is possible when delimiters such as a space or hyphen are present.
      • When there are more than 500 users, enclose the exact string in quotes when searching.
  3. Define the matching criteria for the destination fields in the packet.
    1. In the Destination tab, select a Destination Zone.
    2. Specify a Destination IP Address or leave the value set to any.
  4. Specify the application that the rule will allow or block.
    1. In the Applications tab, Add the Application you want to safely enable. You can select multiple applications or you can use application groups or application filters.
    2. In the Service/URL Category tab, keep the service set to application-default to ensure that any applications that the rule allows are allowed only on their standard ports. An administrator can also use an existing App-ID signature and customize it to detect proprietary applications or to detect specific attributes of an existing application. Custom applications are defined in Objects > Applications.
  5. (Optional) Specify a URL category as match criteria for the rule.
    Select URL Category or Tenant Restriction to specify a specific TCP and/or UDP port number, a URL category, or a tenant restriction as match criteria in the security rule. If you select a URL category, only web traffic matches the rule, and only if the traffic is destined for that specified category.
  6. Define what action you want the firewall to take for traffic that matches the rule.
    In the Actions tab, select an Action.
    • Allow
    • Deny
    • Drop
    • Reset Client
    • Reset Server
    • Reset Both Client and Server
  7. Configure the log settings.
    • By default, the rule is set to Log at Session End. You can disable this setting if you don’t want any logs generated when traffic matches this rule or you can select Log at Session Start for more detailed logging.
    • Select a Log Forwarding profile.
  8. Attach security profiles to scan all allowed traffic for threats.
    In Actions > Profile Group, select a Profile Group from the drop-down to attach to the rule.
  9. Select Save to save the security rule, then Push Config to your devices.
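The checks the steps above imply (mandatory fields set, service left at application-default, a profile group attached to allow rules, logging enabled) can be run over a rule definition before you push it. The following is an added example, not Palo Alto Networks code; the dict field names are an assumed plain representation of the rule fields described above, not the SCM schema, and the two sample rules are constructed.

```python
# Added example (not Palo Alto Networks code): lint a basic security rule
# definition against the practices in the steps above before pushing it.
# Field names are an assumed plain-dict representation, not the SCM schema.

VALID_ACTIONS = {"allow", "deny", "drop", "reset-client", "reset-server", "reset-both"}
MANDATORY = ("name", "source_zone", "destination_zone", "action")

def lint_rule(rule: dict) -> list[str]:
    """Return a list of findings; an empty list means the rule passes."""
    findings = []
    for field in MANDATORY:  # components marked with * in the UI
        if not rule.get(field):
            findings.append(f"missing mandatory field: {field}")
    action = rule.get("action")
    if action and action not in VALID_ACTIONS:
        findings.append(f"unknown action: {action}")
    if action == "allow":
        if rule.get("service") != "application-default":
            findings.append("service is not application-default: allowed apps "
                            "are not restricted to their standard ports")
        if not rule.get("profile_group"):
            findings.append("no profile group: allowed traffic is not scanned for threats")
        if (rule.get("application") in (None, ["any"])
                and rule.get("source_address", "any") == "any"
                and rule.get("destination_address", "any") == "any"):
            findings.append("allow rule matches any app between any addresses; narrow it")
    if not (rule.get("log_at_session_end") or rule.get("log_at_session_start")):
        findings.append("logging disabled: matching traffic generates no logs")
    elif not rule.get("log_forwarding"):
        findings.append("no Log Forwarding profile selected")
    return findings

# Constructed sample rules.
GOOD_RULE = {
    "name": "allow-web-trust-to-untrust", "description": "sanctioned web browsing",
    "tags": ["basic-policy"], "source_zone": "trust", "source_address": "any",
    "destination_zone": "untrust", "destination_address": "any",
    "application": ["web-browsing", "ssl"], "service": "application-default",
    "action": "allow", "log_at_session_end": True,
    "log_forwarding": "default-forwarding", "profile_group": "best-practice",
}
WEAK_RULE = {
    "name": "temp-allow-all", "source_zone": "trust", "destination_zone": "untrust",
    "application": ["any"], "service": "any", "action": "allow",
    "log_at_session_end": False,
}

if __name__ == "__main__":
    for name, rule in (("GOOD_RULE", GOOD_RULE), ("WEAK_RULE", WEAK_RULE)):
        print(name, lint_rule(rule) or "OK")
```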