Building Blocks in a Security Policy Rule
The following section describes each component in a Security policy rule. When
you create a Security policy rule, you can configure the options
described here.
Building Blocks in a Security Rule | Configured In | Description
---|---|---
Rule number | N/A | The firewall automatically numbers each rule, and the order of the rules changes as rules are moved. When you filter rules to match specific filters, each rule displays with its number in the context of the complete set of rules in the rulebase and its place in the evaluation order. Panorama independently numbers pre-rules and post-rules. When Panorama pushes rules to a managed firewall, the rule numbering incorporates the hierarchy of pre-rules, firewall rules, and post-rules within a rulebase and reflects the rule sequence and its evaluation order.
Name | General | Enter a name to identify the rule. The name is case-sensitive and can have up to 63 characters, which can be letters, numbers, spaces, hyphens, and underscores. The name must be unique on a firewall and, on Panorama, unique within its device group and any ancestor or descendant device groups.
Rule Type | General | Specifies whether the rule applies to traffic within a zone, between zones, or both:
Description | General | Enter a description for the policy (up to 1,024 characters).
Tags | General | Specify the tag for the policy. A policy tag is a keyword or phrase that allows you to sort or filter policies. This is useful when you have defined many policies and want to view those that are tagged with a particular keyword. For example, you may want to tag certain rules with specific words like Decrypt and No-decrypt, or use the name of a specific data center for policies associated with that location. You can also add tags to the default rules.
Source Zone | Source | Add source zones (default is Any). Zones must be of the same type (Layer 2, Layer 3, or virtual wire). To define new zones, refer to Network > Zones. Multiple zones can be used to simplify management. For example, if you have three different internal zones (Marketing, Sales, and Public Relations) that are all directed to the untrusted destination zone, you can create one rule that covers all cases.
Source Address | Source | Add source addresses, address groups, or regions (default is Any). Select from the drop-down or select Address object, Address Group, or Regions (bottom of the drop-down) to specify the settings. Objects > Addresses and Objects > Address Groups describe the types of address objects and address groups, respectively, that a Security policy rule supports. Selecting the Negate option applies the rule to source addresses from the specified zone except for the addresses specified.
Source User | Source | Add the source users or groups of users subject to the policy: If the firewall collects user information from a RADIUS, TACACS+, or SAML identity provider server and not from the User-ID™ agent, the list of users does not display; you must enter user information manually.
Source Device | Source | Add the host devices subject to the policy:
Source HIP Profile | Source | Add host information profiles (HIP) to enable you to collect information about the security status of your end hosts, such as whether they have the latest security patches and antivirus definitions installed. Using host information profiles for policy enforcement enables granular security that ensures that the remote hosts accessing your critical resources are adequately maintained and in adherence with your security standards before they are allowed to access your network resources. The following source HIP profiles are supported:
Source Subscriber | Source | Add one or more source subscribers in a 5G or 4G network using the following formats:
Source Equipment | Source | Add one or more source equipment IDs in a 5G or 4G network using the following formats:
Network Slice | Source | Add one or more source network slices based on network slice service type (SST) in a 5G network, as follows:
Destination Zone | Destination | Add destination zones (default is Any). Zones must be of the same type (Layer 2, Layer 3, or virtual wire). To define new zones, refer to Network > Zones. Multiple zones can be used to simplify management. For example, if you have three different internal zones (Marketing, Sales, and Public Relations) that are all directed to the untrusted destination zone, you can create one rule that covers all cases. On intrazone rules, you cannot define a Destination Zone because these types of rules match only traffic with a source and a destination within the same zone. To specify the zones that match an intrazone rule, you need to specify only the Source Zone.
Destination Address | Destination | Add destination addresses, address groups, or regions (default is Any). Select from the drop-down or click Address object, Address Group, or Regions (bottom of the drop-down) to specify address settings. Objects > Addresses and Objects > Address Groups describe the types of address objects and address groups, respectively, that a Security policy rule supports. Selecting the Negate option applies the rule to destination addresses in the specified zone except for the addresses specified.
Destination Device | Destination | Add the host devices subject to the policy:
Application | Application | Add specific applications for the Security policy rule. If an application has multiple functions, you can select the overall application or individual functions. If you select the overall application, all functions are included and the application definition is automatically updated as future functions are added. If you are using application groups, filters, or containers in the Security policy rule, you can view details of these objects by hovering over the object in the Application column, opening the drop-down, and selecting Value. This allows you to view application members directly from the policy without having to navigate to the Objects tab. Always specify one or more applications so that only the applications you want on your network are allowed, which reduces the attack surface and gives you greater control over network traffic. Don't set the application to any, which allows any application's traffic and increases the attack surface.
Service | Service/URL Category | Select the services that you want to limit to specific TCP or UDP port numbers. Choose one of the following from the drop-down: When you use the application-default option, the firewall still checks for all applications on all ports, but applications are allowed only on their default ports and protocols. For most applications, use application-default to prevent the application from using non-standard ports or exhibiting other evasive behaviors. If the default port for the application changes, the firewall automatically updates the rule to the correct default port. For applications that use non-standard ports, such as internal custom applications, either modify the application or create a rule that specifies the non-standard ports and apply the rule only to the traffic that requires the application.
URL Category | Service/URL Category | Select URL categories for the security rule.
Action Setting | Actions | Select the Action the firewall takes on traffic that matches the attributes defined in a rule: Because the default deny action varies by application, the firewall could block the session and send a reset for one application while it silently drops the session for another application. To view the ICMP Unreachable Packet Rate configured on the firewall, view Session Settings (Device > Setup > Session). To override the default action defined on the predefined interzone and intrazone rules, see Overriding or Reverting a Security Policy Rule.
Profile Setting | Actions | To specify the additional checking that the firewall performs on packets that match the Security policy rule, select individual Antivirus, Vulnerability Protection, Anti-Spyware, URL Filtering, File Blocking, Data Filtering, WildFire Analysis, Mobile Network Protection, and SCTP Protection profiles. To specify a profile group rather than individual profiles, select the Profile Type to be Group and then select a Group Profile. To define new profiles or profile groups, click New next to the appropriate profile or select New Group Profile. You can also attach Security Profiles (or profile groups) to the default rules.
Log Setting and Other Settings | Actions | To generate entries in the local traffic log for traffic that matches this rule, select the following options: If the session start or end entries are logged, drop and deny entries are also logged. The generation of threat log entries is determined by the Security Profiles. Define new log profiles as needed (refer to Objects > Log Forwarding). Create and enable Log Forwarding profiles to send logs to dedicated external storage devices. This preserves the logs because the firewall has limited log storage space, and when the space is consumed, the firewall purges the oldest logs. You can also modify the log settings on the default rules. Specify any combination of the following options:
Basics | Rule Usage |
Activity | Rule Usage |
Applications | Rule Usage |
Traffic (past 30 days) | Rule Usage |
Any (target all devices) (Panorama only) | Target | Enable (check) to push the policy rule to all managed firewalls in the device group.
Devices (Panorama only) | Target | Select one or more managed firewalls associated with the device group to push the policy rule to.
Tags (Panorama only) | Target | Add one or more tags to push the policy rule to managed firewalls in the device group with the specified tag.
Target to all but these specified devices and tags (Panorama only) | Target | Enable (check) to push the policy rule to all managed firewalls associated with the device group except for the selected device(s) and tag(s).
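The matching semantics the table describes (rule type and zones, the Negate option on source addresses, the application-default service, and first-match evaluation in the order pre-rules, firewall rules, post-rules, then the predefined default rules) as an added Python model. This is illustration code, not PAN-OS or Panorama code; the App-ID default-port table, the rule names, zones and addresses are constructed for the example.

```python
import ipaddress
from typing import NamedTuple
# Constructed stand-in for App-ID default ports (an assumption for this demo).
APP_DEFAULT_PORTS = {"ssl": {443}, "web-browsing": {80}, "ssh": {22}}

class Rule(NamedTuple):
    name: str
    action: str                          # "allow" or "deny"
    from_zones: set                      # {"any"} selects Any
    to_zones: set = {"any"}
    source: tuple = ()                   # CIDR strings; empty means Any
    negate_source: bool = False          # the Negate check box
    apps: set = {"any"}
    service: str = "application-default" # or "any"
    rule_type: str = "universal"         # universal / intrazone / interzone

def matches(rule, from_zone, to_zone, src_ip, app, dport):
    same = from_zone == to_zone
    if rule.rule_type != "universal" and (rule.rule_type == "intrazone") != same:
        return False
    if not rule.from_zones & {"any", from_zone}:
        return False
    # Intrazone rules carry only a Source Zone; the destination is implied.
    if rule.rule_type != "intrazone" and not rule.to_zones & {"any", to_zone}:
        return False
    if rule.source:
        hit = any(ipaddress.ip_address(src_ip) in ipaddress.ip_network(c)
                  for c in rule.source)
        if hit == rule.negate_source:    # Negate inverts the address match
            return False
    if not rule.apps & {"any", app}:
        return False
    # application-default: the app is allowed only on its standard port(s).
    if rule.service == "application-default" and dport not in APP_DEFAULT_PORTS.get(app, ()):
        return False
    return True

def evaluate(pre, local, post, **session):
    """First match wins, in the order Panorama pushes: pre, local, then post."""
    for n, rule in enumerate(pre + local + post, 1):
        if matches(rule, **session):
            return n, rule.name, rule.action
    if session["from_zone"] == session["to_zone"]:   # predefined default rules
        return None, "intrazone-default", "allow"
    return None, "interzone-default", "deny"
# Constructed rulebase: one Panorama pre-rule and two local firewall rules.
PRE = [Rule("deny-ssh-out", "deny", {"trust"}, {"untrust"}, apps={"ssh"})]
LOCAL = [Rule("allow-web", "allow", {"trust"}, {"untrust"}, apps={"ssl", "web-browsing"}),
         Rule("guest-out", "allow", {"guest"}, {"untrust"}, ("10.9.0.0/24",), negate_source=True)]
```

Running `evaluate(PRE, LOCAL, [], from_zone="trust", to_zone="untrust", src_ip="10.1.1.5", app="ssl", dport=8443)` shows the application-default effect: ssl on a non-standard port falls through allow-web and lands on the interzone default deny.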