Add a Stacked Security Policy Rule
Table of Contents
Expand all | Collapse all
-
-
- Configure Circuits
- Configure Internet Circuit Underlay Link Aggregation
- Configure Private WAN Underlay Link Quality Aggregation
- Configure Circuit Categories
- Configure Device Initiated Connections for Circuits
- Add Public IP LAN Address to Enterprise Prefixes
- Manage Data Center Clusters
- Configure a Site Prefix
- Configure a DHCP Server
- Configure NTP for Prisma SD-WAN
- Enable IoT Device Visibility in Prisma SD-WAN
- Configure the ION Device at a Branch Site
- Configure the ION Device at a Data Center
- Switch a Site to Control Mode
- Allow IP Addresses in Firewall Configuration
-
- Configure a Controller Port
- Configure Internet Ports
- Configure WAN/LAN Ports
- Configure a Loopback Interface
- Prisma SD-WAN Standard VPN
- Configure a PoE Port
- Configure and Monitor LLDP Activity and Status
- Configure a PPPoE Interface
- Configure a Layer 3 LAN Interface
- Configure Application Reachability Probes
- Configure a Secondary IP Address
- Configure a Static ARP
- Configure a DHCP Relay
- Configure IP Directed Broadcast
- VPN Keep-Alives
-
- Configure Prisma SD-WAN IPFIX
- Configure IPFIX Profiles and Templates
- Configure and Attach a Collector Context to a Device Interface in IPFIX
- Configure and Attach a Filter Context to a Device Interface in IPFIX
- Configure Global and Local IPFIX Prefixes
- Flow Information Elements
- Options Information Elements
- Configure the DNS Service on the Prisma SD-WAN Interface
- Configure SNMP
-
-
- Prisma SD-WAN Branch Routing
- Prisma SD-WAN Data Center Routing
-
- Configure Multicast
- Create a WAN Multicast Configuration Profile
- Assign WAN Multicast Configuration Profiles to Branch Sites
- Configure a Multicast Source at a Branch Site
- Configure Global Multicast Parameters
- Configure a Multicast Static Rendezvous Point (RP)
- Learn Rendezvous Points (RPs) Dynamically
- View LAN Statistics for Multicast
- View WAN Statistics for Multicast
- View IGMP Membership
- View the Multicast Route Table
- View Multicast Flow Statistics
- View Routing Statistics
- Prisma SD-WAN Incident Policies
-
- Prisma SD-WAN Branch HA Key Concepts
- Configure Branch HA
- Configure HA Groups
- Add ION Devices to HA Groups
- View Device Configuration of HA Groups
- Edit HA Groups and Group Membership
-
- Configure Branch HA with Gen-1 Platforms (2000, 3000, 7000, and 9000)
- Configure Branch HA with Gen-2 Platforms (3200, 5200, and 9200)
- Configure Branch HA with Gen-2 Embedded Switch Platforms (1200-S or 3200-L2)
- Configure Branch HA for Devices with Software Cellular Bypass (1200-S-C-5G)
- Configure Branch HA for Platforms without Bypass Pairs
- Prisma SD-WAN Clarity Reports
-
- Native SASE Integration with Prisma SD-WAN
- Connect a Single Prisma SD-WAN Site to Prisma Access
- Connect Multiple Prisma SD-WAN Sites to Prisma Access
- Edit Application Policy Network Rules
- Understand Service and Data Center Groups
- Verify Standard VPN Endpoints
- Configure Standard Groups
- Assign Domains to Sites
- Prisma SD-WAN Incidents and Alerts
Add a Stacked Security Policy Rule
Learn how to add security policy rules for stacked security
policies.
Each security policy set is a collection of
security policy rules. A security policy set has default security policy
rules which cannot be changed, removed, or deleted. You can create
custom security policy rules to take precedence over the default
security policy rules. You can directly add policy rules to a simple
path stack by clicking a simple path stack and then clicking
Add
Rule
. For advanced stacks, select a stack, then a policy
set within the stack, and then add policy rules to the policy set.- Add a security policy rule to a simple security stack.
- Select.ManagePoliciesSecuritySecurity StacksSimpleSelect a StackAdd Rule
- Select an action for the rule.Configure general allow or deny rules first, then add more specific access and deny rules and have them listed in higher priority order so that they are evaluated before the broader rules.On theInfotab:
- Enter aNamefor the policy rule, and optionally enter description and tags.
- Enter anorderbetween 1-65535 for the policy rule.An order of 1 indicates the highest priority for the policy rule. If you leave this field blank, the rule is given the least priority.
- (Optional)SelectDisable Ruleif you do not want the ION device to consider this rule.
- Select the action to take for traffic matching this rule as eitherAllow,Deny, orReject. The default action isAllow.
- Allow—Indicates that the ION device allows traffic that matches the parameters specified in the rule.
- Deny—Indicates that the ION device drops traffic without sending a RESET or ICMP HOST UNREACHABLE message to the client or server.
- Reject—Indicates that the ION device rejects traffic that matches the parameters specified in the rule and sends a RESET message to both the client and the server.
- (Optional)Configure services for the rule.Add protocols, source ports, and destination ports to make the policy rule more specific.On theServicestab:
- (Optional)ClickAdd Serviceto add protocols, source ports, and/or destination ports.
- (Optional)Select a protocol from theProtocoldrop-down.
- (Optional)SelectSource Port Rangesbetween 1 and 65535. ClickAdd Port Rangefor additional port ranges. You can add a maximum of 16 source port ranges.
- (Optional)SelectDestination Port Rangesbetween 1 and 65535. ClickAdd Port Rangefor additional port ranges. You can add a maximum of 16 destination port ranges.
- (Optional)Add zones and prefixes.While creating security policy rules, specify the source and destination zones to which the rule applies and establish one or more source and destination zones for each security rule. The source zone identifies the LAN network from where traffic originates, and the destination zone identifies traffic from the LAN network.Prefixes restrict access within a branch and filter out traffic to specific IP addresses within the particular source and destination zones.Configure security zones and security prefixes before using them in security policy rules.On theZones & Prefixestab:
- (Optional)Select a sourceZoneandPrefix.
- (Optional)Select a destinationZoneandPrefix.
- (Optional)Add applications.Applications are the core element of the security solution for controlling network traffic and implementing security policies. You can use the same application definitions and fingerprinting technologies for security policies, path selection for network policies, and for Quality of Service (QoS) implementation in QoS policies.On theApplicationstab:
- Select the applications to apply the policy rule.
You can select 16 applications for one policy rule.You can filter applications based on:- For sites 6.0.1 or above—Select this option to view system applications from PANW, applications common to PANW andPrisma SD-WAN, and custom applications defined inPrisma SD-WAN.
- For sites below 6.0.1—Select this option to view legacy system applications inPrisma SD-WAN, applications common to PANW and Prisma SD-WAN, and custom applications defined inPrisma SD-WAN.
- For any site—Use this option to view applications common to PANW andPrisma SD-WANalong with custom applications defined inPrisma SD-WAN.
(Optional)You can check the type of application -System (PANW, CGX),System (CGX), orCustomby selecting the application first and then using the filters to view the type of application.
- Add a security policy rule to an advanced security stack.
- Select.ManagePoliciesSecuritySecurity StacksAdvancedSecurity SetsSelect a Security SetAdd Rule
- Follow the steps above for adding a security policy rule to an advanced security stack.