Fri Dec 08 00:03:03 UTC 2023
Where Can I Use This?
What Do I Need?
Check for any license or role requirements for the products you're using:
A label (up to 63 characters) that identifies the rule.
(for Panorama and PAN-OS only)
The Universally Unique Identifier (UUID) is a distinct 32-character string that permanently identifies rules so that you can track a rule regardless of any changes to it, such as the name.
Specifies whether the rule applies to traffic within a zone, between zones, or both:
The zone from which the traffic originates.
The zone at which the traffic terminates. If you use NAT, make sure to always reference the post-NAT zone.
The application that you wish to control. App-ID, the traffic classification technology, is used to identify traffic on your network. App-ID provides application control and visibility for creating security policy rules that block unknown applications while enabling, inspecting, and shaping those that are allowed.
Specifies an Allow or Deny action for the traffic based on the criteria you define in the rule. When you configure your environment to deny traffic, it either resets the connection or silently drops packets. To provide a better user experience, you can configure granular options to deny traffic instead of silently dropping packets, which can cause some applications to break and appear unresponsive to the user. For more details, see Security Rule Actions.
A text field, up to 1,024 characters, used to describe the rule.
Define host IP addresses, subnets, address objects (of type IP netmask, IP range, FQDN, or IP wildcard mask), address groups, or country-based enforcement. If you use NAT, make sure to always refer to the original IP addresses in the packet (i.e. the pre-NAT IP address).
The location or destination for the packet. Define IP addresses, subnets, address objects (of type IP netmask, IP range, FQDN, or IP wildcard mask), address groups, or country-based enforcement. If you use NAT, make sure to always refer to the original IP addresses in the packet (i.e. the pre-NAT IP address).
Using the URL Category as match criteria allows you to customize security profiles (Antivirus, Anti-Spyware, Vulnerability, File-Blocking, Data Filtering, and DoS) on a per-URL-category basis. For example, you can prevent .exe file download/upload for URL categories that represent higher risk while allowing them for other categories. This functionality also allows you to attach schedules to specific URL categories (allow social-media websites during lunch & after-hours), mark certain URL categories with QoS (financial, medical, and business), and select different log forwarding profiles on a per-URL-category basis.
Although you can manually configure URL categories, to take advantage of the dynamic URL categorization updates available you must purchase a URL filtering license.
To block or allow traffic based on URL category, you must apply a URL Filtering profile to the security policy rules. Define the URL Category as Any and attach a URL Filtering profile to the security policy.
Allows you to select a Layer 4 (TCP or UDP) port for the application. You can choose any, specify a port, or use application-default to permit use of the standards-based port for the application. For example, for applications with well-known port numbers such as DNS, the application-default option will match against DNS traffic only on TCP port 53. You can also add a custom application and define the ports that the application can use.
For inbound allow rules (for example, from untrust to trust), using application-default prevents applications from running on unusual ports and protocols. Application-default is the default option; while the checks are still performed for all applications on all ports, with this configuration, applications are only allowed on their standard ports/protocols.
Allows you to identify clients with Host Information Profile (HIP) and then enforce access privileges.
Allows you to define logging for the session, log forwarding settings, change Quality of Service (QoS) markings for packets that match the rule, and schedule when (day and time) the security rule should be in effect.
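The match criteria above (rule type, zones, App-ID, and the service setting) decide which rule a session hits. The following added example, not code from the PAN-OS documentation, models that matching so you can see why an inbound allow rule with application-default stops DNS on a non-standard port while a service of "any" lets it through; the rule-type values "universal", "intrazone" and "interzone", the standard-port table, and the "first match wins, otherwise deny" default are assumptions for the model.

```python
from dataclasses import dataclass

# Constructed standard-port table for the application-default check; the
# page's own example is DNS matching only on TCP port 53.
STANDARD_PORTS = {"dns": {("tcp", 53)}, "web-browsing": {("tcp", 80)}}

@dataclass
class Rule:
    name: str
    rule_type: str    # "universal" (both), "intrazone" or "interzone"
    from_zone: str    # source zone, or "any"
    to_zone: str      # destination zone (post-NAT, as the page requires)
    application: str  # App-ID name, or "any"
    service: str      # "any", "application-default" or "tcp/<port>"
    action: str       # "allow" or "deny"

@dataclass
class Flow:
    src_zone: str
    dst_zone: str     # post-NAT destination zone
    app: str          # what App-ID classified the session as
    proto: str
    dport: int

def rule_matches(rule: Rule, flow: Flow) -> bool:
    same_zone = flow.src_zone == flow.dst_zone
    if rule.rule_type == "intrazone" and not same_zone:
        return False
    if rule.rule_type == "interzone" and same_zone:
        return False
    if rule.from_zone not in ("any", flow.src_zone):
        return False
    if rule.to_zone not in ("any", flow.dst_zone):
        return False
    if rule.application not in ("any", flow.app):
        return False
    if rule.service == "application-default":
        return (flow.proto, flow.dport) in STANDARD_PORTS.get(flow.app, set())
    if rule.service != "any":
        proto, port = rule.service.split("/")
        return flow.proto == proto and flow.dport == int(port)
    return True

def evaluate(rules: list, flow: Flow) -> str:
    """First match wins (assumed top-down); no match denies, a constructed default."""
    for rule in rules:
        if rule_matches(rule, flow):
            return f"{rule.name}:{rule.action}"
    return "no-match:deny"
```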
Allows the traffic.
Silently drops the traffic; for an application, it overrides the default deny action. A TCP reset isn't sent to the host/application.
For Layer 3 interfaces, to optionally send an ICMP unreachable response to the client, set Action: Drop and enable the Send ICMP Unreachable check box. When enabled, the ICMP code sent is "communication with the destination is administratively prohibited": ICMPv4 Type 3, Code 13; ICMPv6 Type 1, Code 1.
Sends a TCP reset to the client-side device.
Sends a TCP reset to the server-side device.
Sends a TCP reset to both the client-side and server-side devices.
A reset is sent only after a session is formed. If the session is blocked before a 3-way handshake is completed, the reset won't be sent.
For a TCP session with a reset action, an ICMP Unreachable response isn't sent.
For a UDP session with a drop or reset action, if the Send ICMP Unreachable check box is selected, an ICMP message to the client is sent.
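The deny behaviours above interact in ways that matter when you troubleshoot a hung client: a reset needs a completed handshake, a TCP reset never comes with an ICMP unreachable, and UDP only ever gets the ICMP message. This added example (not PAN-OS code; the action and signal names are constructed labels for the page's wording, and it assumes a Layer 3 interface) encodes those rules as a function you can query.

```python
# Signals the firewall returns for a denied session, following the action
# descriptions above. Added example with constructed action and signal names.

def deny_response(action: str, proto: str, session_formed: bool,
                  send_icmp_unreachable: bool = False,
                  ipv6: bool = False) -> set:
    """Return the set of signals emitted for a denied flow.

    action:  "drop", "reset-client", "reset-server" or "reset-both"
    proto:   "tcp" or "udp"
    session_formed: True once the TCP 3-way handshake has completed
                    (a reset is only sent after a session is formed)
    send_icmp_unreachable: the Layer 3 "Send ICMP Unreachable" check box
    """
    if action not in {"drop", "reset-client", "reset-server", "reset-both"}:
        raise ValueError(f"unknown action {action!r}")
    # "communication with the destination is administratively prohibited"
    icmp = "icmpv6-type1-code1" if ipv6 else "icmpv4-type3-code13"
    signals = set()
    if proto == "udp":
        # UDP has no reset; drop and reset alike answer with ICMP only.
        if send_icmp_unreachable:
            signals.add(icmp)
        return signals
    if action == "drop":
        if send_icmp_unreachable:
            signals.add(icmp)
        return signals
    # TCP reset actions: never an ICMP unreachable, and only after the handshake.
    if not session_formed:
        return signals
    if action in ("reset-client", "reset-both"):
        signals.add("tcp-rst-to-client")
    if action in ("reset-server", "reset-both"):
        signals.add("tcp-rst-to-server")
    return signals
```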