All Policy Types

Where Can I Use This?
  • NGFW (Cloud Managed)
  • NGFW (PAN-OS & Panorama Managed)
  • Prisma Access (Cloud Managed)
  • Prisma Access (Panorama Managed)
What Do I Need?
Check for any license or role requirements for the products you're using:
  • Prisma Access license or AIOps for NGFW license
In addition to Security Policy, there are other policy types that are supported across the Network Security platform. The policy types supported on Prisma Access are: Security (Corporate Access and Internet Access), QoS, Decryption, Application Override, and Authentication.
You can create various types of policies to protect your network from threats and disruptions, as well as help you optimize network resource allocation. Rules are evaluated from top to bottom and when traffic matches against the defined rule criteria, subsequent rules are not evaluated. You should order more specific policy rules above the more generic ones to enforce the best match criteria possible. A log is generated for traffic that matches a policy rule when logging is enabled for the rule. Logging options are configurable for each rule.
Best practice policy rules are available for most policy types and help you to get started quickly and securely. While these rules cannot be edited to ensure that you always have a minimum level of security readily available, you can clone them if you want to use them as a foundation for customizing your policy.
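The top-to-bottom, first-match evaluation described above, as an added illustration that is not Palo Alto Networks code or a product API: a small Python model of a rulebase keyed on the attributes a Security policy rule matches on (zones, application, user, service), which evaluates a session the way the text describes and flags rules that are shadowed because a broader rule sits above them. All rule names and values are constructed samples.

```python
from dataclasses import dataclass

ANY = "any"
FIELDS = ("src_zone", "dst_zone", "app", "user", "service")

@dataclass(frozen=True)
class Rule:
    """One policy rule; a field left at ANY matches every value of that attribute."""
    name: str
    src_zone: str = ANY
    dst_zone: str = ANY
    app: str = ANY
    user: str = ANY
    service: str = ANY
    action: str = "allow"
    log: bool = True  # per-rule logging option

@dataclass(frozen=True)
class Session:
    src_zone: str
    dst_zone: str
    app: str
    user: str
    service: str

def evaluate(rules, session):
    """Top to bottom, first match wins and later rules are not evaluated.
    Returns (rule name, action, log enabled) or None when no rule matches."""
    for rule in rules:
        if all(getattr(rule, f) in (ANY, getattr(session, f)) for f in FIELDS):
            return rule.name, rule.action, rule.log
    return None

def shadowed(rules):
    """Names of rules that can never be hit because an earlier rule is at least as broad in every attribute."""
    return [later.name for i, later in enumerate(rules)
            if any(all(getattr(earlier, f) in (ANY, getattr(later, f)) for f in FIELDS)
                   for earlier in rules[:i])]

# Constructed sample rulebase (hypothetical names and values): the guest-deny rule is more
# specific than the catch-all allow above it, so it is never evaluated for any session.
RULES = [
    Rule("allow-web", "trust", "untrust", app="web-browsing", service="service-http"),
    Rule("deny-dns-out", "trust", "untrust", app="dns", action="deny"),
    Rule("allow-trust-out", "trust", "untrust", log=False),
    Rule("deny-web-guests", "trust", "untrust", app="web-browsing", user="guest", action="deny"),
]
# Same rules with the specific deny moved above the generic allow, as the text recommends.
FIXED = [RULES[3]] + RULES[:3]
```

Running `shadowed(RULES)` reports the misplaced deny rule, while `shadowed(FIXED)` is empty and a guest web session is denied there instead of allowed.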
Security
Determine whether to block or allow a session based on traffic attributes such as the source and destination security zone, the source and destination IP address, the application, user, and the service.
NAT
Determine which packets need translation and how to do the translation. Both source address and/or port translation and destination address and/or port translation are supported.
QoS
Identify traffic requiring QoS treatment (either preferential treatment or bandwidth limiting) using one or more defined parameters and assign it a class.
Policy Based Forwarding
Identify traffic that should use a different egress interface than the one that would normally be used based on the routing table.
Decryption
Identify encrypted traffic that you want to inspect for visibility, control, and granular security. Decryption policy rules allow you to define the traffic to decrypt and the type of SSL decryption you want to perform on that traffic. All you need to do to start decrypting traffic is set up the certificates Prisma Access requires to act as a trusted third party to a session. For everything else, we've built in best practice decryption settings, including settings to exclude sensitive content from decryption, as well as sites that are known not to work well when decrypted.
SSH Proxy decryption is not supported in Prisma Access Cloud Management.
Tunnel Inspection
Enforce Security, DoS Protection, and QoS policies on tunneled traffic, and view tunnel activity.
Application Override
Identify sessions that you do not want processed by the App-ID engine, which performs Layer-7 inspection. Traffic matching an application override policy forces the session to be handled with regular stateful inspection at Layer 4, which saves application processing time. You can create an application override policy rule when you do not want traffic inspection for custom applications between known IP addresses. For example, if you have a custom application on a non-standard port, you know that the users accessing the application are sanctioned, and both are in the Trust zone, you can override the application inspection requirements for the trusted users accessing the custom application.
Authentication
Identify traffic that requires users to authenticate.
DoS Protection
Identify potential denial-of-service (DoS) attacks and take protective action in response to rule matches.
SD-WAN
Determine link path management between the source and destination zones when link path health degrades below the approved, configured health metrics.
