>
    Set Up a Basic Security Policy
    Focus
    Download PDF
    Focus
    1. Home
    2. Next-Generation Firewall
    3. Perform the Initial Setup and Configuration for NGFWs
    4. Set Up a Basic Security Policy
    Download PDF
    Next-Generation Firewall

    Set Up a Basic Security Policy

    Table of Contents

    Set Up a Basic Security Policy

    Set up a basic security policy to start securing your network.
    Where Can I Use This?What Do I Need?
    • NGFW
    One of these licenses for Strata Cloud Manager managed NGFWs:
    • Strata Cloud Manager Essentials
    • Strata Cloud Manager Pro
    Now that you defined some zones and attached them to interfaces, you are ready to begin creating your Security Policy. The NGFW will not allow any traffic to flow from one zone to another unless there is a Security policy rule that allows it. When a packet enters a NGFW interface, the NGFW matches the attributes in the packet against the Security policy rules to determine whether to block or allow the session based on attributes such as the source and destination security zone, the source and destination IP address, the application, user, and the service. The NGFW evaluates incoming traffic against the Security policy rulebase from left to right and from top to bottom and then takes the action specified in the first Security rule that matches (for example, whether to allow, deny, or drop the packet). This means that you must order the rules in your Security policy rulebase so that more specific rules are at the top of the rulebase and more general rules are at the bottom to ensure that the NGFW is enforcing policy as expected.
    Even though a Security policy rule allows a packet, this does not mean that the traffic is free of threats. To enable the NGFW to scan the traffic that it allows based on a Security policy rule, you must also attach Security Profiles—including URL Filtering, Antivirus, Anti-Spyware, File Blocking, and WildFire Analysis—to each rule (the profiles you can use depend on which subscriptions you purchased). When creating your basic Security policy, use the predefined security profiles to ensure that the traffic you allow into your network is being scanned for threats. You can customize these profiles later as needed for your environment.
    Use the following workflows to set up a very basic Security policy that enables access to the network infrastructure, to data center applications, and to the internet. This enables you to get the NGFW up and running so that you can verify that you have successfully configured the NGFW. However, this initial policy is not comprehensive enough to protect your network. After you verify that you successfully configured the NGFW and integrated it into your network, proceed with creating a best practice internet gateway security policy that safely enables application access while protecting your network from attack.

    Set Up a Basic Security Policy (SCM)

    Set up a basic security profile for Strata Cloud Manager.
    For more information about setting up Security Policy Rules in Strata Cloud Manager, click here.
    1. Add a rule.
      1. Select ConfigurationNGFW and Prisma AccessSecurity ServicesSecurity PolicyAdd RuleSecurity Rule and select Pre-Rule and build your rule. Components marked with an asterisk(*) are mandatory.
      2. In the General tab, enter a descriptive Name for the rule.
      3. Give a Description for your rule's intent.
      4. Add a Tag to your rules to group them using keywords or phrases.
      5. Limit a security rule to specific times using a Schedule.
    2. Define the matching criteria for the source fields in the packet.
      1. In the Source tab, select a Source Zone.
      2. Specify a Source IP Address or leave the value set to ny.
      3. You can search for specific Usersor User Groups to enforce policy for individual users or a group of users. Specify the match criteria that define which users and user groups.
        • Sub string or partial string search is not supported for performance reasons.
        • Entire string search is possible when delimiters such as space and hyphen is present.
        • When number of users is more than 500 then string search use quotes with exact string
    3. Define the matching criteria for the destination fields in the packet.
      1. In the Destination tab, set the Zone.
      2. Specify a Destination IP Address or leave the value set to any.
    4. Specify the application that the rule will allow or block.
      1. In the Applications tab, Add the Application you want to safely enable. You can select multiple applications or you can use application groups or application filters.
      2. In the Service/URL Category tab, keep the service set to application-default to ensure that any applications that the rule allows are allowed only on their standard ports. An administrator can also use an existing App-ID signature and customize it to detect proprietary applications or to detect specific attributes of an existing application. Custom applications are defined in ObjectsApplications
    5. (Optional) Specify a URL category as match criteria for the rule.
      Select URL Category or Tenant Restriction to specify a specific TCP and/or UDP port number, a URL category, a tenant restriction as match criteria in the security rule. If you select a URL category, only web traffic will match the rule and only if the traffic is destined for that specified category.
    6. Define what action you want the firewall to take for traffic that matches the rule.
      In the Actions tab, select an Action.
      • Allow
      • Deny
      • Drop
      • Reset Client
      • Reset Server
      • Reset Both Client and Server
    7. Configure the log settings.
      • By default, the rule is set to Log at Session End. You can disable this setting if you don’t want any logs generated when traffic matches this rule or you can select Log at Session Start for more detailed logging.
      • Select a Log Forwarding profile.
    8. Attach security profiles to scan all allowed traffic for threats.
      In ActionsProfile Group, select a Profile Group from the drop-down to attach to the rule.
    9. Select Save to save the security rule, then Push Config to your devices.

    Set Up a Basic Security Policy (PAN-OS)

    Leanr about how to set up a basic security policy in PAN-OS.
    1. (Optional) Delete the default Security policy rule.
      By default, the NGFW includes a Security policy rule named rule1 that allows all traffic from Trust zone to Untrust zone. You can either delete the rule or modify the rule to reflect your zone-naming conventions.
    2. Allow access to your network infrastructure resources.
      1. Select PoliciesSecurity and click Add.
      2. In the General tab, enter a descriptive Name for the rule.
      3. In the Source tab, set the Source Zone to Users.
      4. In the Destination tab, set the Destination Zone to IT Infrastructure.
        As a best practice, use address objects in the Destination Address field to enable access to specific servers or groups of servers only, particularly for services such as DNS and SMTP that are commonly exploited. By restricting users to specific destination server addresses, you can prevent data exfiltration and command and control traffic from establishing communication through techniques such as DNS tunneling.
      5. In the Applications tab, Add the applications that correspond to the network services you want to safely enable. For example, select dns, ntp, ocsp, ping, and smtp.
      6. In the Service/URL Category tab, keep the Service set to application-default.
      7. In the Actions tab, set the Action Setting to Allow.
      8. Set Profile Type to Profiles and select the following security profiles to attach to the policy rule:
        • For Antivirus, select default
        • For Vulnerability Protection, select strict
        • For Anti-Spyware, select strict
        • For URL Filtering, select default
        • For File Blocking, select basic file blocking
        • For WildFire Analysis, select default
      9. Verify that Log at Session End is enabled. Only traffic that matches a Security policy rule will be logged.
      10. Click OK.
    3. Enable access to general internet applications.
      This is a temporary rule that allows you to gather information about the traffic on your network. After you have more insight into which applications your users need to access, you can make informed decisions about which applications to allow and create more granular application-based rules for each user group.
      1. Select PoliciesSecurity and Add a rule.
      2. In the General tab, enter a descriptive Name for the rule.
      3. In the Source tab, set the Source Zone to Users.
      4. In the Destination tab, set the Destination Zone to Internet.
      5. In the Applications tab, Add an Application Filter and enter a Name. To safely enable access to legitimate web-based applications, set the Category in the application filter to general-internet and then click OK. To enable access to encrypted sites, Add the ssl application.
      6. In the Service/URL Category tab, keep the Service set to application-default.
      7. In the Actions tab, set the Action Setting to Allow.
      8. Set Profile Type to Profiles and select the following security profiles to attach to the policy rule:
        • For Antivirus, select default
        • For Vulnerability Protection, select strict
        • For Anti-Spyware, select strict
        • For URL Filtering, select default
        • For File Blocking, select strict file blocking
        • For WildFire Analysis, select default
      9. Verify that Log at Session End is enabled. Only traffic that matches a security rule will be logged.
      10. Click OK.
    4. Enable access to data center applications.
      1. Select PoliciesSecurity and Add a rule.
      2. In the General tab, Enter a descriptive Name for the rule.
      3. In the Source tab, set the Source Zone to Users.
      4. In the Destination tab, set the Destination Zone to Data Center Applications.
      5. In the Applications tab, Add the applications that correspond to the network services you want to safely enable. For example, select activesync, imap, kerberos, ldap, ms-exchange, and ms-lync.
      6. In the Service/URL Category tab, keep the Service set to application-default.
      7. In the Actions tab, set the Action Setting to Allow.
      8. Set Profile Type to Profiles and select the following security profiles to attach to the policy rule:
        • For Antivirus, select default
        • For Vulnerability Protection select strict
        • For Anti-Spyware select strict
        • For URL Filtering select default
        • For File Blocking select basic file blocking
        • For WildFire Analysis select default
      9. Verify that Log at Session End is enabled. Only traffic that matches a security rule will be logged.
      10. Click OK.
    5. Save your policy rules to the running configuration on the NGFW.
      Click Commit.
    6. To verify that you have set up your basic policies effectively, test whether your Security policy rules are being evaluated and determine which Security policy rule applies to a traffic flow.
      For example, to verify the policy rule that will be applied for a client in the user zone with the IP address 10.35.14.150 when it sends a DNS query to the DNS server in the data center:
      1. Select DeviceTroubleshooting and select Security Policy Match (Select Test).
      2. Enter the Source and Destination IP addresses.
      3. Enter the Protocol.
      4. Select dns (Application)
      5. Execute the Security policy match test.

    © 2025 Palo Alto Networks, Inc. All rights reserved.