Create a Security Policy Rule (Strata Cloud Manager)
Focus
Focus
Network Security

Create a Security Policy Rule (Strata Cloud Manager)

Table of Contents


Create a Security Policy Rule (Strata Cloud Manager)

Learn how to create a security rule.
To ensure that end users authenticate when they try to access your network resources, authentication is evaluated before Security policy. For details, see Authentication.
  1. Add a rule. Select ManageConfigurationNGFW and Prisma AccessSecurity ServicesSecurity PolicyAdd Rule and build your rule by configuring the following rulecomponents. Components marked with an asterisk(*) are mandatory.
  2. SectionElementDetails
    General*NameGive your rule a name the tells other administrators what it does.
    DescriptionYou can give your rule a detailed description of the rule's intent.
    TagYou can add tags to your rules to group them using keywords or phrases.
    ScheduleYou can limit a security rule to specific times using a schedule.
    Match CriteriaSourceDefine the matching criteria for the source fields in the packet.
    • Select a *Zone.
    • Specify source IP *Addresses or leave the value set to Any.
    • Specify source *Users or leave the value set to Any. You can select Users to enforce policy for individual users or a group of users. If you're using GlobalProtect™ with host information profile (HIP) enabled, you can also base the policy on information collected by GlobalProtect. For example, the user access level can be determined from the HIP that informs your environment about the user's local configuration. The HIP information can be used for granular access control based on the security programs that are running on the host, registry values, and many other checks such as whether the host has antivirus software installed.
    If you decide to Negate a region as a source address, ensure that all regions that contain private IP addresses are added to the source address to avoid connectivity loss between those private IP addresses.
    DestinationDefine the destination zone or destination address for the traffic.
    • Select a *Zone.
    • Specify source IP *Addresses or leave the value set to Any.
    If you decide to Negate a region as the destination address, ensure that all regions that contain private IP addresses are added to the destination addresses to avoid connectivity loss between those private IP addresses.
    As a best practice, use address objects as the destination address to enable access to only specific servers or specific groups of servers especially for commonly exploited services, such as DNS and SMTP. By restricting users to specific destination server addresses, you can prevent data exfiltration and command-and-control traffic from establishing communication through techniques such as DNS tunneling.
    Application / ServiceSpecify the application that the rule will allow or block. Add the Application you want to safely enable. You can select multiple applications or you can use application groups or application filters. Keep the Service set to Application Default to ensure that any applications that the rule allows are allowed only on their standard ports. An administrator can also use an existing App-ID signature and customize it to detect proprietary applications or to detect specific attributes of an existing application. Custom applications are defined in ObjectsApplications.
    As a best practice, always use application-based Security policy rules instead of port-based rules and always set the Service to application-default unless you're using a more restrictive list of ports than the standard ports for an application.
    URL Category / Tenant Restriction(Optional) Specify a URL category as match criteria for the rule. Select URL Category or Tenant Restriction to specify a specific TCP and/or UDP port number, a URL category, a tenant restriction as match criteria in the security rule. If you select a URL category, only web traffic will match the rule and only if the traffic is destined for that specified category.
    ActionsActionDefine what Action you want taken for traffic that matches the rule. See Security Rule Actions for a description of each action.
  3. Configure the log settings.
    • By default, the rule is set to Log at Session End. You can disable this setting if you don’t want any logs generated when traffic matches this rule or you can select Log at Session Start for more detailed logging.
    • Select a Log Forwarding profile.
    As a best practice, don't select the check box to Disable Server Response Inspection (DSRI). Selecting this option prevents the inspection of packets from the server to the client. For the best security posture, both the client-to-server flows and the server-to-client flows must be inspected to detect and prevent threats.
  4. Attach security profiles to scan all allowed traffic for threats.
    Make sure you create best practice security profiles that help protect your network from both known and unknown threats.
    In ActionsProfile Group, select a Profile Group from the drop-down to attach to the rule.
  5. Select Save to save the security rule, then Push Config to your devices.
  6. Monitor the security rule usage status and determine the effectiveness of the security rule, and optimize if needed.