Require that a description, tag or audit comment be entered when creating or editing
a security rule.
A comprehensive set of security checks is used to evaluate your configuration. Your configuration is
compared against these checks to assess the security posture of your devices and to
generate security alerts automatically when a rule doesn't adhere to best practices.
In addition to the predefined best practice checks, you can create your own custom
checks to cover any special requirements you may have. You can:
- Set the severity level for your custom checks to identify the checks that are
  the most critical to your deployment.
- Create and delete your own custom checks, clone existing checks and edit them to
  create new ones, and make special exceptions for checks you don't want applied
  to portions of your deployment.
- Set the response when a check fails.
  - Alert (default)—Raises an alert for the failed check.
  - Block—Stop potential misconfigurations before they enter your deployment.
    Here's what block means for your deployment depending on how you manage it:
    - Inline Checks on Cloud Manager—Prevents you from committing
      or pushing a noncompliant configuration, but won't prevent
      you from saving your configuration locally.
    - Real-Time Inline Checks on Cloud Manager—Prevents you from
      even saving a noncompliant configuration.
    - Panorama Managed—Prevents you from committing a noncompliant
      configuration to Panorama, but won't prevent you from saving
      it to the Panorama candidate configuration.
    - PAN-OS web interface, API, or CLI management—Block has no
      enforcement effect on configurations that are not either
      Cloud managed or Panorama managed.