Network Security
Create a Security Policy Rule
Table of Contents
Create a Security Policy Rule
Learn how to create a security rule.
Security
security rules allow you to enforce rules and take action, and can be as
general or specific as needed. The security rules are compared against the incoming
traffic in sequence, and because the first rule that matches the traffic is applied,
the more specific rules must precede the more general ones. For example, a rule for
a single application must precede a rule for all applications if all other
traffic-related settings are the same.
For traffic that doesn’t match any user-defined rules, the default rules apply. The
default rules—displayed at the bottom of the security rulebase—are predefined to
allow all intrazone traffic (within the zone) and deny all interzone traffic
(between zones). Although these rules are part of the predefined configuration and
are read-only by default, you can
Override
them and change a
limited number of settings, including the tags, action (allow or deny), log
settings, and security profiles.After you create a rule, you can track it in your rulebase and view security rule usage to
determine when and how many times traffic matches the Security rule to
determine its effectiveness. As your rulebase evolves, change and audit information
can get lost over time unless you archived this information at the time the rule is
created or modified. You can Enforce Security Rule Description, Tag, and Audit Comment to ensure that all administrators enter audit
comments so that you can view the audit comment archive and review comments and
configuration log history and can compare rule configuration versions for a selected
rule. Together, you now have more visibility into and control over the rulebase.
Cloud Managed
Learn how to create a security rule.
To ensure that end users authenticate when they try to access your network
resources, authentication is evaluated before Security policy. For details, see
Authentication.
- Add a rule. Select and build your rule by configuring the following rulecomponents. Components marked with an asterisk(*) are mandatory.
- SectionElementDetailsGeneral*NameGive your rule a name the tells other administrators what it does.DescriptionYou can give your rule a detailed description of the rule's intent.Match CriteriaSourceDefine the matching criteria for the source fields in the packet.
- Select a*Zone.
- Specify source IP*Addressesor leave the value set toAny.
- Specify source*Usersor leave the value set toAny. You can selectUsersto enforce policy for individual users or a group of users. If you're using GlobalProtect™ with host information profile (HIP) enabled, you can also base the policy on information collected by GlobalProtect. For example, the user access level can be determined from the HIP that informs your environment about the user's local configuration. The HIP information can be used for granular access control based on the security programs that are running on the host, registry values, and many other checks such as whether the host has antivirus software installed.
If you decide toNegatea region as a source address, ensure that all regions that contain private IP addresses are added to the source address to avoid connectivity loss between those private IP addresses.DestinationDefine the destination zone or destination address for the traffic.- Select a*Zone.
- Specify source IP*Addressesor leave the value set toAny.
If you decide toNegatea region as the destination address, ensure that all regions that contain private IP addresses are added to the destination addresses to avoid connectivity loss between those private IP addresses.As a best practice, use address objects as the destination address to enable access to only specific servers or specific groups of servers especially for commonly exploited services, such as DNS and SMTP. By restricting users to specific destination server addresses, you can prevent data exfiltration and command-and-control traffic from establishing communication through techniques such as DNS tunneling.Application / ServiceSpecify the application that the rule will allow or block. Add theApplicationyou want to safely enable. You can select multiple applications or you can use application groups or application filters. Keep theServiceset toApplication Defaultto ensure that any applications that the rule allows are allowed only on their standard ports. An administrator can also use an existing App-ID signature and customize it to detect proprietary applications or to detect specific attributes of an existing application. Custom applications are defined in .As a best practice, always use application-based Security policy rules instead of port-based rules and always set the Service to application-default unless you're using a more restrictive list of ports than the standard ports for an application.URL Category / Tenant Restriction(Optional) Specify a URL category as match criteria for the rule. SelectURL CategoryorTenant Restrictionto specify a specific TCP and/or UDP port number, a URL category, a tenant restriction as match criteria in the security rule. If you select a URL category, only web traffic will match the rule and only if the traffic is destined for that specified category.ActionsActionDefine whatActionyou want taken for traffic that matches the rule. See Security Rule Actions for a description of each action. - Configure the log settings.
- By default, the rule is set toLog at Session End. You can disable this setting if you don’t want any logs generated when traffic matches this rule or you can selectLog at Session Startfor more detailed logging.
- Select aLog Forwardingprofile.
As a best practice, don't select the check box toDisable Server Response Inspection(DSRI). Selecting this option prevents the inspection of packets from the server to the client. For the best security posture, both the client-to-server flows and the server-to-client flows must be inspected to detect and prevent threats. - Attach security profiles to scan all allowed traffic for threats.Make sure you create best practice security profiles that help protect your network from both known and unknown threats.In , select aProfile Groupfrom the drop-down to attach to the rule.
- SelectSaveto save the security rule, thenPush Configto your devices.
- Monitor the security rule usage status and determine the effectiveness of the security rule, and optimize if needed.
PAN-OS & Panorama
Learn how to create a security rule.
To ensure that end users authenticate when they try to access your network
resources, authentication is evaluated before Security policy. For details, see
Authentication Policy.
The interface includes components for defining Security rules. Familiarize yourself with them before you get started.
- (Optional) Delete the default Security rule.By default, the firewall includes a security rule named rule1 that allows all traffic from Trust zone to Untrust zone. You can either delete the rule or modify the rule to reflect your zone naming conventions.
- Add a rule.
- Select andAdda new rule.
- In theGeneraltab, enter a descriptiveNamefor the rule.
- Select aRule Type.
- Define the matching criteria for the source fields in the packet.
- In theSourcetab, select aSource Zone.
- Specify aSource IP Addressor leave the value set toany.If you decide toNegatea region as aSource Address, ensure that all regions that contain private IP addresses are added to theSource Addressto avoid connectivity loss between those private IP addresses.
- Specify a SourceUseror leave the value set toany.
- Define the matching criteria for the destination fields in the packet.
- In theDestinationtab, set theDestination Zone.
- Specify aDestination IP Addressor leave the value set toany.If you decide toNegatea region as theDestination Address, ensure that all regions that contain private IP addresses are added to theDestination Addressto avoid connectivity loss between those private IP addresses.As a best practice, use address objects as theDestination Addressto enable access to only specific servers or specific groups of servers especially for commonly exploited services, such as DNS and SMTP. By restricting users to specific destination server addresses, you can prevent data exfiltration and command-and-control traffic from establishing communication through techniques such as DNS tunneling.
- Specify the application that the rule will allow or block.As a best practice, always use application-based security rules instead of port-based rules and always set the Service to application-default unless you're using a more restrictive list of ports than the standard ports for an application.
- In theApplicationstab,AddtheApplicationyou want to safely enable. You can select multiple applications or you can use application groups or application filters.
- In theService/URL Categorytab, keep the service set toapplication-defaultto ensure that any applications that the rule allows are allowed only on their standard ports.
- (Optional) Specify a URL category as match criteria for the rule.In theService/URL Categorytab, select theURL Category.If you select a URL category, only web traffic will match the rule and only if the traffic is destined for that specified category.
- Define what action you want the firewall to take for traffic that matches the rule.
- Configure the log settings.
- By default, the rule is set toLog at Session End. You can disable this setting if you don’t want any logs generated when traffic matches this rule or you can selectLog at Session Startfor more detailed logging.
- Select aLog Forwardingprofile.
As a best practice, don't select the check box toDisable Server Response Inspection(DSRI). Selecting this option prevents the firewall from inspecting packets from the server to the client. For the best security posture, the firewall must inspect both the client-to-server flows and the server-to-client flows to detect and prevent threats. - Attach security profiles to enable the firewall to scan all allowed traffic for threats.Make sure you create best practice security profiles that help protect your network from both known and unknown threats.In theActionstab, selectProfilesfrom theProfile Typedrop-down and then select the individual security profiles to attach to the rule.Alternatively, selectGroupfrom theProfile Typedrop-down and select a securityGroup Profileto attach.
- ClickCommitto save the security rule to the running configuration on the firewall.
- To verify that you have set up your basic Security policies effectively, test whether your security rules are being evaluated and determine which security rule applies to a traffic flow.The output displays the best rule that matches the source and destination IP address specified in the CLI command.For example, to verify the security rule that will be applied for a server in the data center with the IP address 208.90.56.11 when it accesses the Microsoft update server:
- Select , and selectSecurity Policy Matchfrom the Select Test drop-down.
- Enter the Source and Destination IP addresses.
- Enter the Protocol.
- Executethe Security policy match test.
- After waiting long enough to allow traffic to pass through the firewall, View Security Rule Usage to monitor the security rule usage status and determine the effectiveness of the policy rule.