Defining Policies on Panorama
Table of Contents
Expand all | Collapse all
-
- Firewall Overview
- Features and Benefits
- Last Login Time and Failed Login Attempts
- Message of the Day
- Task Manager
- Language
- Alarms
- Commit Changes
- Save Candidate Configurations
- Revert Changes
- Lock Configurations
- Global Find
- Threat Details
- AutoFocus Intelligence Summary
- Configuration Table Export
- Change Boot Mode
-
- Objects > Addresses
- Objects > Address Groups
- Objects > Regions
- Objects > Dynamic User Groups
- Objects > Application Groups
- Objects > Application Filters
- Objects > Services
- Objects > Service Groups
- Objects > Devices
- Objects > External Dynamic Lists
- Objects > Custom Objects > Spyware/Vulnerability
- Objects > Custom Objects > URL Category
- Objects > Security Profiles > Antivirus
- Objects > Security Profiles > Anti-Spyware Profile
- Objects > Security Profiles > Vulnerability Protection
- Objects > Security Profiles > File Blocking
- Objects > Security Profiles > WildFire Analysis
- Objects > Security Profiles > Data Filtering
- Objects > Security Profiles > DoS Protection
- Objects > Security Profiles > Mobile Network Protection
- Objects > Security Profiles > SCTP Protection
- Objects > Security Profile Groups
- Objects > Log Forwarding
- Objects > Authentication
- Objects > Packet Broker Profile
- Objects > Schedules
-
-
- Firewall Interfaces Overview
- Common Building Blocks for Firewall Interfaces
- Common Building Blocks for PA-7000 Series Firewall Interfaces
- Tap Interface
- HA Interface
- Virtual Wire Interface
- Virtual Wire Subinterface
- PA-7000 Series Layer 2 Interface
- PA-7000 Series Layer 2 Subinterface
- PA-7000 Series Layer 3 Interface
- Layer 3 Interface
- Layer 3 Subinterface
- Log Card Interface
- Log Card Subinterface
- Decrypt Mirror Interface
- Aggregate Ethernet (AE) Interface Group
- Aggregate Ethernet (AE) Interface
- Network > Interfaces > VLAN
- Network > Interfaces > Loopback
- Network > Interfaces > Tunnel
- Network > Interfaces > SD-WAN
- Network > Interfaces > PoE
- Network > Interfaces > Cellular
- Network > Interfaces > Fail Open
- Network > VLANs
- Network > Virtual Wires
-
- Network > Routing > Logical Routers > General
- Network > Routing > Logical Routers > Static
- Network > Routing > Logical Routers > OSPF
- Network > Routing > Logical Routers > OSPFv3
- Network > Routing > Logical Routers > RIPv2
- Network > Routing > Logical Routers > BGP
- Network > Routing > Logical Routers > Multicast
-
- Network > Routing > Routing Profiles > BGP
- Network > Routing > Routing Profiles > BFD
- Network > Routing > Routing Profiles > OSPF
- Network > Routing > Routing Profiles > OSPFv3
- Network > Routing > Routing Profiles > RIPv2
- Network > Routing > Routing Profiles > Filters
- Network > Routing > Routing Profiles > Multicast
- Network > Proxy
-
- Network > Network Profiles > GlobalProtect IPSec Crypto
- Network > Network Profiles > IPSec Crypto
- Network > Network Profiles > IKE Crypto
- Network > Network Profiles > Monitor
- Network > Network Profiles > Interface Mgmt
- Network > Network Profiles > QoS
- Network > Network Profiles > LLDP Profile
- Network > Network Profiles > SD-WAN Interface Profile
- Network > Network Profiles > MACsec Profile
-
-
- Device > Setup
- Device > Setup > Management
- Device > Setup > Interfaces
- Device > Setup > Telemetry
- Device > Setup > Content-ID
- Device > Setup > WildFire
- Device > Setup > ACE
- Device > Setup > DLP
- Device > Log Forwarding Card
- Device > Config Audit
- Device > Administrators
- Device > Admin Roles
- Device > Access Domain
- Device > Authentication Sequence
- Device > IoT Security > DHCP Server Log Ingestion
- Device > Device Quarantine
-
- Security Policy Match
- QoS Policy Match
- Authentication Policy Match
- Decryption/SSL Policy Match
- NAT Policy Match
- Policy Based Forwarding Policy Match
- DoS Policy Match
- Routing
- Test Wildfire
- Threat Vault
- Ping
- Trace Route
- Log Collector Connectivity
- External Dynamic List
- Update Server
- Test Cloud Logging Service Status
- Test Cloud GP Service Status
- Device > Virtual Systems
- Device > Shared Gateways
- Device > Certificate Management
- Device > Certificate Management > Certificate Profile
- Device > Certificate Management > OCSP Responder
- Device > Certificate Management > SSL/TLS Service Profile
- Device > Certificate Management > SCEP
- Device > Certificate Management > SSL Decryption Exclusion
- Device > Certificate Management > SSH Service Profile
- Device > Response Pages
- Device > Server Profiles
- Device > Server Profiles > SNMP Trap
- Device > Server Profiles > Syslog
- Device > Server Profiles > Email
- Device > Server Profiles > HTTP
- Device > Server Profiles > NetFlow
- Device > Server Profiles > RADIUS
- Device > Server Profiles > SCP
- Device > Server Profiles > TACACS+
- Device > Server Profiles > LDAP
- Device > Server Profiles > Kerberos
- Device > Server Profiles > SAML Identity Provider
- Device > Server Profiles > DNS
- Device > Server Profiles > Multi Factor Authentication
- Device > Local User Database > Users
- Device > Local User Database > User Groups
- Device > Scheduled Log Export
- Device > Software
- Device > Dynamic Updates
- Device > Licenses
- Device > Support
- Device > Policy Recommendation > IoT
- Device > Policy > Recommendation SaaS
- Device > Policy Recommendation > IoT or SaaS > Import Policy Rule
-
- Device > User Identification > Connection Security
- Device > User Identification > Terminal Server Agents
- Device > User Identification > Group Mapping Settings
- Device > User Identification> Trusted Source Address
- Device > User Identification > Authentication Portal Settings
- Device > User Identification > Cloud Identity Engine
-
- Network > GlobalProtect > MDM
- Network > GlobalProtect > Clientless Apps
- Network > GlobalProtect > Clientless App Groups
- Objects > GlobalProtect > HIP Profiles
-
- Use the Panorama Web Interface
- Context Switch
- Panorama Commit Operations
- Defining Policies on Panorama
- Log Storage Partitions for a Panorama Virtual Appliance in Legacy Mode
- Panorama > Setup > Interfaces
- Panorama > High Availability
- Panorama > Firewall Clusters
- Panorama > Administrators
- Panorama > Admin Roles
- Panorama > Access Domains
- Panorama > Device Groups
- Panorama > Plugins
- Panorama > Log Ingestion Profile
- Panorama > Log Settings
- Panorama > Server Profiles > SCP
- Panorama > Scheduled Config Export
- Panorama > Device Registration Auth Key
Defining Policies on Panorama
Device Groups on Panorama™ allow you to centrally manage
firewall policies. You create policies on Panorama either as Pre
Rules or Post Rules; Pre Rules and Post Rules
allow you to create a layered approach for implementing policy.
You can define Pre rules and Post rules in a shared context,
as shared policies for all managed firewalls, or in a device group
context, to make the rules specific to a device group. Because you
define Pre rules and Post Rules on Panorama and then push them from
Panorama to the managed firewalls, you are able to view the rules on
the managed firewalls but you can edit the Pre Rules and Post Rules
only in Panorama.
- Pre Rules—Rules that are added to the top of the rule order and are evaluated first. You can use pre-rules to enforce the Acceptable Use Policy for an organization. For example, you can block access to specific URL categories or allow DNS traffic for all users.
- Post Rules—Rules that are added at the bottom of the rule order and are evaluated after the pre-rules and rules that are locally defined on the firewall. Post-rules typically include rules to deny access to traffic based on the App-ID™, User-ID™, or Service.
- Default Rules—Rules that specify how the firewall handles traffic that does not match any Pre Rules, Post Rules, or local firewall rules. These rules are part of the predefined Panorama configuration. To Override and enable editing of select settings in these rules, see Overriding or Reverting a Security Policy Rule.
Preview Rules to view a list of all rules
before you push the rules to the managed firewalls. Within each
rulebase, the hierarchy of rules is visually demarcated for each
device group (and managed firewall) to make it easier to scan through
a large numbers of rules.
When you add a new rule, static operational data for the rule
are displayed. The universally unique identifier (UUID) column displays
the 36-character UUID for the rule. The firewall generates the UUID
on a per-rule basis. However, if you are pushing rules from Panorama,
these rules have the same UUID, which is also displayed in the Combined
Rules Preview. The Created column displays
the time and date the rule was added to the rulebase. Additionally,
the Modified column displays the time and
date for the last time the rule was edited. If a policy rule was
created before upgrading to PAN-OS 9.0, the First Hit data
is used to establish the Created date. If
no First Hit data is available for the rule,
the time and date the firewall or Panorama management server was
upgraded to PAN-OS 9.0 is used to establish the Created date.
When you add or edit a rule in Panorama, a Target tab displays.
You can use this tab to apply the rule to specific firewalls or
descendant device groups of the Device Group (or
Shared location) where the rule is defined. In the Target tab,
you can select Any (default), which means
the rule applies to all the firewalls and descendant device groups.
To target specific firewalls or device groups, deselect Any and
select specific firewalls or device groups by name. To exclude specific
firewalls or device groups, deselect Any,
select the specific firewalls and device groups by name, and select Target
to all but these specified devices. If the list of device
groups and firewalls is long, you can apply Filters to search the
entries by attributes (such as Platforms) or by a text string for
matching names.
After you successfully add and push a rule in Panorama, Rule Usage displays
whether the rule is Used by all devices in the device group, Partially
Used by some devices in the device group, or Unused by devices in
the device group. Panorama determines rule usage based on managed
firewalls with Policy Rule Hit Count (enabled by default). In the
Panorama context, you can view the rule usage for a Shared policy
rule across all device groups. Additionally, you can change the
context to an individual device group and view the total policy
rule usage across all devices in the device group. Preview
Rules will show the Hit Count, Last
Hit, and First Hit for each policy
rule for the device group. The total traffic hit count, as well
as the first and last hits timestamps, persist through reboot, upgrade,
and dataplane restart events. See Monitor Policy Rule Usage.
Group Rules by Tag to apply a tag that
allows you to group like policy rules for better visualization of
rule functions and provides easier management of policy rules across
your rulebase. Rules grouped by tags show the list of tag groups,
but maintain the rule priority listing. You can append rules to
the end of a tag group, move rules to a different tag group, apply
additional tags to rules in a tag group, and filter or search using
the group tag.
To track changes to policy rules, add an Audit Comment to
describe the changes you make to and why a rule was created or modified.
After you enter an audit comment is entered and configuration change
is committed, the audit comment is preserved in the Audit
Comment Archive where you can view all previous audit
comments for the selected rule. You can search for the audit comment
in Global Find. The Audit Comment Archive is read-only.
Administrative users who have access to the Policies tab can
export the policy rules that are displayed on the web interface
as PDF/CSV. See Export Configuration Table Data.
To create policies, see the relevant section for each rulebase: