All Policy Types
| Where Can I Use This? | What Do I Need? |
|---|---|
| NGFW (Cloud Managed); NGFW (PAN-OS & Panorama Managed); Prisma Access (Cloud Managed); Prisma Access (Panorama Managed) | Check for any license or role requirements for the products you're using: Prisma Access license or AIOps for NGFW license |
In addition to Security Policy, there are other policy types that are supported across the
Network Security platform. The policy types supported on Prisma Access are: Security
(Corporate Access and Internet Access), QoS, Decryption, Application Override, and
Authentication.
You can create various types of policies to protect your network from
threats and disruptions, as well as help you optimize network resource allocation. Rules
are evaluated from top to bottom; the first rule whose criteria the traffic matches is
applied and no later rule is evaluated. Order more specific policy rules above the more
generic ones, otherwise a broad rule near the top can shadow a narrower rule below it so
that the narrower rule never matches. A log is generated for traffic that matches a
policy rule when logging is enabled for the rule. Logging options are configurable for
each rule.
Best practice policy rules are available for most policy types and help you to get
started quickly and securely. While these rules cannot be edited to ensure that you
always have a minimum level of security readily available, you can clone them if you
want to use them as a foundation for customizing your policy.
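As an added example (not Palo Alto Networks code and not part of this page), the following Python models the top-to-bottom first-match evaluation and per-rule logging described above, and checks a rulebase for shadowed rules, where a generic rule placed above a more specific one prevents the specific rule from ever matching. The rule fields, zone names, addresses and rule names are constructed for illustration; the default rules that a real rulebase ends with are omitted.

```python
"""Added worked example: first-match rulebase evaluation and a shadowed-rule check.
Not Palo Alto Networks code; the rulebase and session below are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "allow" or "deny"
    from_zone: str = "any"
    to_zone: str = "any"
    source: str = "any"         # "any" or a CIDR
    destination: str = "any"    # "any" or a CIDR
    application: str = "any"    # "any" or an App-ID name
    service: str = "any"        # "any" or "proto/port"
    log: bool = True            # logging is configurable per rule


@dataclass(frozen=True)
class Session:
    from_zone: str
    to_zone: str
    src_ip: str
    dst_ip: str
    application: str
    service: str


def _net(spec: str):
    return None if spec == "any" else ipaddress.ip_network(spec, strict=False)


def _addr_matches(spec: str, ip: str) -> bool:
    net = _net(spec)
    return net is None or ipaddress.ip_address(ip) in net


def _field_matches(spec: str, value: str) -> bool:
    return spec == "any" or spec == value


def rule_matches(rule: Rule, s: Session) -> bool:
    return (_field_matches(rule.from_zone, s.from_zone)
            and _field_matches(rule.to_zone, s.to_zone)
            and _addr_matches(rule.source, s.src_ip)
            and _addr_matches(rule.destination, s.dst_ip)
            and _field_matches(rule.application, s.application)
            and _field_matches(rule.service, s.service))


def evaluate(rules: List[Rule], s: Session) -> Tuple[Optional[Rule], Optional[Dict[str, str]]]:
    """Top to bottom, first match wins; later rules are never consulted.
    Returns the matching rule and a log entry (None when logging is off for that
    rule). No match returns (None, None); the default rules a real rulebase ends
    with are omitted in this simplified model."""
    for rule in rules:
        if rule_matches(rule, s):
            entry = None
            if rule.log:
                entry = {"rule": rule.name, "action": rule.action,
                         "src": s.src_ip, "dst": s.dst_ip, "app": s.application}
            return rule, entry
    return None, None


def _covers(spec_a: str, spec_b: str, is_addr: bool) -> bool:
    """True when everything rule B's field admits is also admitted by rule A's."""
    if spec_a == "any":
        return True
    if spec_b == "any":
        return False
    if is_addr:
        return _net(spec_b).subnet_of(_net(spec_a))
    return spec_a == spec_b


def find_shadowed(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Return (shadowed_rule, shadowing_rule) pairs: a rule is shadowed when an
    earlier rule matches every session it could match, so it never fires."""
    addr_fields = {"source", "destination"}
    fields = ["from_zone", "to_zone", "source", "destination", "application", "service"]
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if all(_covers(getattr(earlier, f), getattr(later, f), f in addr_fields) for f in fields):
                shadowed.append((later.name, earlier.name))
                break
    return shadowed


# Constructed rulebase: the generic allow sits above the specific deny, so the
# deny never fires; reversing the order restores the intended behaviour.
MISORDERED = [
    Rule("allow-web", "allow", from_zone="trust", to_zone="untrust",
         application="web-browsing", service="tcp/80"),
    Rule("block-guest-web", "deny", from_zone="trust", to_zone="untrust",
         source="10.20.0.0/16", application="web-browsing", service="tcp/80"),
]
CORRECTED = list(reversed(MISORDERED))
GUEST_SESSION = Session("trust", "untrust", "10.20.5.7", "203.0.113.10", "web-browsing", "tcp/80")

if __name__ == "__main__":
    for label, rulebase in (("misordered", MISORDERED), ("corrected", CORRECTED)):
        rule, log = evaluate(rulebase, GUEST_SESSION)
        print(label, "->", rule.name if rule else "no match", "| shadowed:", find_shadowed(rulebase))
```

Running the block shows the guest session being allowed by the misordered rulebase and denied once the specific rule is moved above the generic one; `find_shadowed` flags the misordering before any traffic is sent, which is the check worth running on a rulebase after every edit.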
| Policy Type | Description |
|---|---|
| Security | Determine whether to block or allow a session based on traffic attributes such as the source and destination security zone, the source and destination IP address, the application, the user, and the service. |
| NAT | Determine which packets need translation and how to translate them. Both source address and/or port translation and destination address and/or port translation are supported. |
| QoS | Identify traffic requiring QoS treatment (either preferential treatment or bandwidth limiting) using one or more defined parameters, and assign it a class. |
| Policy Based Forwarding | Identify traffic that should use a different egress interface than the one the routing table would normally select. |
| Decryption | Identify encrypted traffic that you want to inspect for visibility, control, and granular security. Decryption policy rules define which traffic to decrypt and the type of SSL decryption to perform on it. All you need to do to start decrypting traffic is set up the certificates Prisma Access requires to act as a trusted third party to a session. For everything else, best practice decryption settings are built in, including settings to exclude sensitive content from decryption and sites that are known not to work well when decrypted. SSH Proxy decryption is not supported in Prisma Access Cloud Management. |
| Tunnel Inspection | Enforce Security, DoS Protection, and QoS policies on tunneled traffic, and view tunnel activity. |
| Application Override | Identify sessions that you do not want processed by the App-ID engine (Layer 7 inspection). Traffic matching an application override rule is handled as regular stateful inspection at Layer 4, which saves application processing time but also means the session is not inspected for threats. Create an application override rule only when you do not want traffic inspection for a custom application between known IP addresses. For example, if a custom application runs on a non-standard port, the users accessing it are sanctioned, and both ends are in the Trust zone, you can override application inspection for that traffic. |
| Authentication | Identify traffic that requires users to authenticate. |
| DoS Protection | Identify potential denial-of-service (DoS) attacks and take protective action in response to rule matches. |
| SD-WAN | Determine link path management between the source and destination zones when link path health degrades below the configured health metrics. |