Recommendations for Security Policy Rules
Focus
Focus
Enterprise DLP

Recommendations for Security Policy Rules

Table of Contents

Recommendations for Security Policy Rules

Recommendations and tips for creating Security policy rules using
Enterprise Data Loss Prevention (E-DLP)
data profiles.
Where Can I Use This?
What Do I Need?
  • NGFW (Panorama Managed)
  • Prisma Access (Managed by Strata Cloud Manager)
  • SaaS Security
  • NGFW (Cloud Managed)
  • Enterprise Data Loss Prevention (E-DLP)
    license
  • NGFW (Panorama Managed)
    —Support and
    Panorama
    device management licenses
  • Prisma Access (Managed by Strata Cloud Manager)
    Prisma Access
    license
  • SaaS Security
    SaaS Security
    license
  • NGFW (Cloud Managed)
    —Support and
    AIOps for NGFW Premium
    licenses
Or any of the following licenses that include the
Enterprise DLP
license
  • Prisma Access
    CASB license
  • Next-Generation CASB for Prisma Access and NGFW (CASB-X)
    license
  • Data Security
    license
How you create your Security policy rules using
Enterprise Data Loss Prevention (E-DLP)
and how you order those Security policy rules within your rulebase has significant impact on your security outcomes. Review the recommendations and tips for creating a Security policy rule using
Enterprise DLP
to prevent exflitration of sensitive data and strengthen your overall security posture.
  • For both new and existing security administrators, review the Security Policy Best Practices.
    Regardless of the Security product you use, Palo Alto Networks recommends you review and implement these best practices when creating or updating your Security policy rulebase. These best practices are designed to reduce your attack surface and help safeguard your network and business assets.
  • Before you associate a data profile with a Security policy rule, review the recommendations to reduce false positive detections.
    False positive detections are commonly caused by traffic match criteria in your data patterns that are too generalized or may be instances where the
    Enterprise DLP
    machine learning (ML) models need to be manually trained. Create specific and narrow data pattern match criteria to add to your data profiles to help reduce the likelihood of false positive detections. This can help you triage and more easily implement changes when sensitive data isn't detected and blocked.
  • Consider the Security policy rule orderings in your policy rulebase.
    Security action is taken based on the first Security rule the inspected traffic matches. If the first policy rule is too broad or overly permissive, it may result in sensitive data leaving your network.
    • Order Security policy rules with more granular and specific data profiles, or for the more sensitive and business-critical applications, at the top of the policy rulebase.
      This lets you filter traffic for sanctioned applications based on the App-ID with the
      Enterprise DLP
      data profile for a specific set of users, traffic, or applications.
    • Order Security policy rules with broad data profiles, or for the less risky applications and set of users, at the bottom of the policy rulebase.
      This lets you filter traffic based on the App-ID category and can use predefined data profiles for one or more less risky sets of users, traffic, or applications.
  • Consider the traffic direction and whether you want a different security action taken depending on whether the traffic is a download or an upload.
    Review the supported applications to understand which applications support download inspection, upload inspection, or both. You can create specific data profiles if you want to take different security actions based on whether the traffic is a download or an upload.
  • Consider the scope of your Security policy rule.
    • Match Criteria Source
      and
      Destination
      — Add specific addresses or users, and don't select
      Any
      .
      For granular Security policy rules, Palo Alto Networks recommends you select one or more specific users or a single user group. For broad Security policy rules, you can select multiple user groups.
    • Application/Service
      —Select one or more of the supported
      Enterprise DLP
      supported applications.
      For a granular Security policy rules, Palo Alto Networks recommends adding only a single application. For broad Security policy rules, you can create an application group to which you want to apply the same security requirements.
    • (
      Strata Cloud Manager
      )
      Profile Group
      —For granular and specific match criteria, add a custom data profile with the specific match criteria you went to inspect for and block to the Security Profile Group you want to associate with the Security policy rule.
      For broad match criteria, you can use the predefined
      best-practice
      Security Profile Group or create a new Security Profile Group with one of the predefined data profiles.
    • (
      Panorama
      )
      Profile Settings - Profiles
      or
      Groups
      —For granular and specific match criteria, add a custom data profile or profile group with the specific match criteria you want to inspect for and block. For broad match criteria, you can use a predefined data profile.
  • Take advantage of External Dynamic Lists (EDL) to allow common services on your network.
    EDLs are dynamic and allow you to make changes to endpoints you want to protect without requiring additional commits when a chance is made. Custom EDLs are useful because they can be hosted on a web server as a simple text file. Alternatively, you can use the Feed URLs provided by the EDL Hosting Service for supported applications.

Recommended For You