Create and Manage Internet Access Rule
Focus
Focus
Network Security

Create and Manage Internet Access Rule

Table of Contents

Create and Manage Internet Access Rule

Learn how you can create, manage, and reorder Internet Access rules in the security rulebase.
Where Can I Use This?What Do I Need?
  • Prisma Access (Managed by Strata Cloud Manager)
  • NGFW (Managed by Strata Cloud Manager)
Check for any license or role requirements for the products you're using.
  • Prisma Access license or AIOps for NGFW license
You can create, manage, and reorder Internet Access rules in the security rulebase. Each Internet Access rule generates multiple security rules when implemented. The rules inherit from folders and can also come from snippets. They reference objects and configurations in their scope. This method integrates internet access control with the existing security rule management.

Create an Internet Access Rule (Strata Cloud Manager)

Learn how to create an Internet Access rule in Strata Cloud Manager
Where Can I Use This?What Do I Need?
  • Prisma Access (Managed by Strata Cloud Manager)
  • NGFW (Managed by Strata Cloud Manager)
  • AIOps for NGFW license or Prisma Access license.
  • SaaS Security Inline license for tenant control feature.
  1. To create an Internet Access rule in Strata Cloud Manager:
    1. Go to ConfigurationNGFW and Prisma AccessSecurity ServicesSecurity PolicyAdd RuleInternet Access Rule.
    2. Name your policy. You can use up to 63 characters.
    3. Add an optional Description. You can use up to 1,024 characters.
    4. Set Schedules to manage policy rules that need enforcement at regular intervals.
    5. Add Tags to your rules for easy filtering. This helps when you have defined many rules and wish to review tags with specific keywords.
    6. Configure Log at Sessions. This is enabled by default. You can disable this setting if you don’t want to generate logs when traffic matches this rule.
    7. Choose to Allow or Block web application and URLs.
  2. Define match criteria.
    1. Specify Source Users including users, user groups, or IP addresses as source.
    2. Use Advanced Source and Destination settings to manage source or destination IP addresses, service ports, or device posture.
      • In Source selection, define traffic enforcement based on source. Set the Source Address or leave as Any.
      • Select Address, Address Groups, or Regions.
        If you decide to Negate a region as source address, add all regions with private IP addresses to avoid connectivity loss.
      • Add Device Posture profile to use device state information for policy enforcement.
      • Define destination address or leave as Any.
        If you decide to Negate a region as destination address, add all regions with private IP addresses to avoid connectivity loss.
      • Specify application Services to allow or block. Add the application you want to safely enable. You can select multiple applications or use the application groups or application filters.
  3. Use the Access Control section to configure controls for web applications and URLs.
    • Use the Internet Application area to restrict access to specific features for an application and to associate profiles with an application. You can complete the following actions:
      • For a subset of applications, you can restrict access to specific features. These features vary on a per-application basis. For example, you might want to allow Gmail, but block Video Chat within Gmail.
        For a subset of these applications, you can also enforce tenant control to restrict access to features for individual tenants. For the applications that support tenant control, you can create differentiated policy rules within the same application. You can tailor the functional controls specifically to SaaS application tenants allowing for granular control. This provides control over application usage on a per-tenant basis.
      • You can associate file control profiles with an application. File control profiles enable the selection of actions for incoming files through the application. These actions vary on a per-application basis. Custom profiles allow preconfiguration of file control rules. Internet Access rules then incorporate these custom profiles. This approach grants fine-grained control over application features and file handling in the network.
      • You can associate a DLP profile with an application. A DLP profile enables the scanning and enforcement of actions on sensitive data leaving the network through the application. Internet Access rules then incorporate the DLP rule.
      1. Select one or more applications in the Internet Application area.
      2. Expand the Advanced Application Settings. You can apply the advanced settings for an application or for individual application tenants.
        • To restrict access to specific features for an application and to associate profiles with the application, complete the following steps:
          1. Click the links in the application's table to edit the Permitted Functions, File Control Profile, or DLP Profile.
          2. Edit the settings and Update.
        • To restrict access to specific features for individual application tenants, complete the following steps:
          1. Position the Enforce Tenant Control toggle to the on position.
            The application's table displays the following predefined rules. These rules act as general fallback rules, but they identify applications and individual tenants at different signature depths.
            RulePurpose
            Any
            A tenant-based rule that applies to all of the application's tenants. This rule identifies tenants using the tenant signature and serves as a catch-all for tenants that are not included in the custom tenant-level rules you create.
            App-ID Based Control
            An application-based rule that applies to the application as a whole. This rule detects App-IDs using the application signature. This application-level detection matches a broader set of network transactions than tenant-level detection because the firewall cannot extract tenant identifiers from every individual transaction payload.
            The system evaluates the rules in this table from top to bottom. The tenant-specific rules that you create are added to the top of the table and are evaluated before the predefined fallback rules.
            If you enable a function in a tenant-specific rule, verify that the same function is disabled in the Any rule. This ensures the restriction applies to all other application tenants except for the ones you explicitly specified in the tenant-specific rule.
            Because the firewall cannot identify the tenant for certain network transactions, you must also edit the App-ID Based Control rule to enable the same functions that you enabled in your tenant-specific rule. This configuration guarantees that permitted functions are not inadvertently blocked during transactions where the tenant signature is absent.
            For example, if you want to block uploads to Box except for uploads from a particular corporate tenant, you would:
            1. Create a tenant-specific rule to allow uploads to Box from that tenant. This rule is evaluated first.
            2. Verify that the Any rule does not allow uploads, preventing unauthorized tenants from uploading to Box.
            3. Update the App-ID Based Control rule to allow uploads to Box, ensuring transactions that lack tenant information are not blocked.
          2. Click Add to create a new rule for one or more tenants.
          3. In the Add Application Entry dialog, select the tenants. You can select Discovered Tenants from a list. These are the tenants that the system identified by examining network traffic and activity logs. You can also choose to Input Tenants manually.
            For the system to discover tenants, active network traffic must exist between your users and the SaaS application. Some of the the applications that support tenant control require you to enable additional HTTP header logging or session tracking for tenant control. The system cannot discover tenants for these applications unless these additional requirements are satisfied.
            The Input Tenants approach provides an alternative method for situations where the system has not yet discovered a tenant and requires you to know the tenant ID. For example, you might know that users are accessing three different tenant instances for the SaaS application. If the system has discovered only two, you can manually enter the tenant ID for the third. Similarly, if you are onboarding a new tenant and want to enforce controls before the system observes active network traffic, you can manually enter the tenant ID. The format of the tenant ID can differ depending on the SaaS application, but is typically the domain name or can be obtained from the SaaS application. If any tenants are shown in the Discovered Tenants list, you can use that information to determine the tenant ID format.
          4. Specify the permitted functions, file control profile, and DLP profile for the selected tenants.
          5. Click Update to save the tenant-specific rule.
    • Specify URL Category as a match criteria for your rule. When you select a URL Category or Tenant Restriction, you can specify TCP and UDP port numbers, URL categories, or tenant restrictions in security rules. Selecting a URL category ensures that the rule matches only web traffic destined for that specified category.
      Use Advanced URL Category Settings to capture controls for URLs such as decryption, credential leak detection, and user notification applications. You can also override data inspection profiles as needed.
  4. Use the Security Inspection options to bulk edit Applications and URL Categories.
    • Select the File Control Profile to change for all web applications.
    • Select the DLP Profile for all web applications.
    • Use the Advanced Security Inspection setting to disable specific security inspection for the policy.
  5. Save policy rule, then Push Config to your devices.