Components of a Security Policy Rule
The Security policy rule construct permits a combination
of the required and optional fields as detailed in the following
table:
| Required/Optional | Field | Description |
|---|---|---|
| Required | Name | A label (up to 63 characters) that identifies the rule. |
| Required | UUID | The Universally Unique Identifier (UUID) is a distinct 32-character string that permanently identifies rules so that you can track a rule regardless of any changes to it, such as the name. |
| Required | Rule Type | Specifies whether the rule applies to traffic within a zone, between zones, or both. |
| Required | Source Zone | The zone from which the traffic originates. |
| Required | Destination Zone | The zone at which the traffic terminates. If you use NAT, make sure to always reference the post-NAT zone. |
| Required | Application | The application that you wish to control. The firewall uses App-ID, the traffic classification technology, to identify traffic on your network. App-ID provides application control and visibility in creating security policies that block unknown applications, while enabling, inspecting, and shaping those that are allowed. |
| Required | Action | Specifies an Allow or Deny action for the traffic based on the criteria you define in the rule. When you configure the firewall to deny traffic, it either resets the connection or silently drops packets. To provide a better user experience, you can configure granular options to deny traffic instead of silently dropping packets, which can cause some applications to break and appear unresponsive to the user. For more details, see Security Policy Actions. |
| Optional | Tag | A keyword or phrase that allows you to filter security rules. This is handy when you have defined many rules and wish to then review those that are tagged with a keyword such as IT-sanctioned applications or High-risk applications. |
| Optional | Description | A text field, up to 1024 characters, used to describe the rule. |
| Optional | Source Address | Define host IP addresses, subnets, address objects (of type IP netmask, IP range, FQDN, or IP wildcard mask), address groups, or country-based enforcement. If you use NAT, make sure to always refer to the original IP addresses in the packet (i.e. the pre-NAT IP address). |
| Optional | Destination Address | The location or destination for the packet. Define IP addresses, subnets, address objects (of type IP netmask, IP range, FQDN, or IP wildcard mask), address groups, or country-based enforcement. If you use NAT, make sure to always refer to the original IP addresses in the packet (i.e. the pre-NAT IP address). |
| Optional | User | The user or group of users for whom the policy applies. You must have User-ID enabled on the zone. To enable User-ID, see User-ID Overview. |
| Optional | URL Category | Using the URL Category as match criteria allows you to customize security profiles (Antivirus, Anti-Spyware, Vulnerability, File-Blocking, Data Filtering, and DoS) on a per-URL-category basis. For example, you can prevent .exe file download/upload for URL categories that represent higher risk while allowing them for other categories. This functionality also allows you to attach schedules to specific URL categories (allow social-media websites during lunch and after hours), mark certain URL categories with QoS (financial, medical, and business), and select different log forwarding profiles on a per-URL-category basis. Although you can manually configure URL categories on your firewall, to take advantage of the dynamic URL categorization updates available on Palo Alto Networks firewalls, you must purchase a URL filtering license. To block or allow traffic based on URL category, you must apply a URL Filtering profile to the security policy rules. Define the URL Category as Any and attach a URL Filtering profile to the security policy. See Set Up a Basic Security Policy for information on using the default profiles in your security policy. |
| Optional | Service | Allows you to select a Layer 4 (TCP or UDP) port for the application. You can choose any, specify a port, or use application-default to permit use of the standards-based port for the application. For example, for applications with well-known port numbers such as DNS, the application-default option will match against DNS traffic only on TCP port 53. You can also add a custom application and define the ports that the application can use. For inbound allow rules (for example, from untrust to trust), using application-default prevents applications from running on unusual ports and protocols. Application-default is the default option; while the firewall still checks for all applications on all ports, with this configuration, applications are only allowed on their standard ports/protocols. |
| Optional | Security Profiles | Provide additional protection from threats, vulnerabilities, and data leaks. Security profiles are evaluated only for rules that have an allow action. |
| Optional | HIP Profile (for GlobalProtect) | Allows you to identify clients with Host Information Profile (HIP) and then enforce access privileges. |
| Optional | Options | Allow you to define logging for the session, log forwarding settings, change Quality of Service (QoS) markings for packets that match the rule, and schedule when (day and time) the security rule should be in effect. |
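The constraints in the table (the 63-character Name limit, the 1024-character Description limit, the required zone and application fields, application-default on inbound allow rules, and security profiles having no effect on deny rules) can be checked mechanically against an exported rulebase. The following linter is an added example and is not Palo Alto Networks code or part of PAN-OS; it works on a constructed XML sample whose layout is modelled on a PAN-OS rulebase export, but the tag names (`from`, `to`, `rule-type`, `profile-setting`, and so on), the rule-type values, and the choice of `untrust` as the external zone are assumptions made here, not taken from this page.

```python
"""Lint a PAN-OS-style security rulebase against the field constraints in the table above.

Added example (not PAN-OS code). The XML layout mirrors a rulebase export, but the
tag names, rule-type values and the 'untrust' zone name are assumptions.
"""
import xml.etree.ElementTree as ET

NAME_MAX = 63            # Name: label of up to 63 characters
DESCRIPTION_MAX = 1024   # Description: up to 1024 characters
ACTIONS = {"allow", "deny"}                           # actions described on this page
RULE_TYPES = {"universal", "intrazone", "interzone"}  # assumed rule-type values
EXTERNAL_ZONES = {"untrust"}                          # assumed: zones treated as outside

# Constructed sample rulebase (not a real configuration).
SAMPLE_RULEBASE = """
<rules>
  <entry name="allow-web-inbound">
    <from><member>untrust</member></from>
    <to><member>trust</member></to>
    <source><member>any</member></source>
    <destination><member>web-server-pre-nat</member></destination>
    <application><member>web-browsing</member></application>
    <service><member>any</member></service>
    <action>allow</action>
    <rule-type>universal</rule-type>
  </entry>
  <entry name="deny-high-risk">
    <from><member>trust</member></from>
    <to><member>untrust</member></to>
    <source><member>any</member></source>
    <destination><member>any</member></destination>
    <application><member>any</member></application>
    <service><member>application-default</member></service>
    <action>deny</action>
    <profile-setting><group><member>strict</member></group></profile-setting>
    <tag><member>High-risk applications</member></tag>
  </entry>
  <entry name="this-rule-name-is-far-too-long-to-be-accepted-by-the-firewall-configuration">
    <from><member>trust</member></from>
    <to><member>trust</member></to>
    <source><member>any</member></source>
    <destination><member>any</member></destination>
    <application><member>dns</member></application>
    <service><member>application-default</member></service>
    <action>allow</action>
  </entry>
</rules>
"""


def members(entry, tag):
    """Return the <member> values under <tag> as a list of strings."""
    return [m.text.strip() for m in entry.findall(f"{tag}/member") if m.text]


def lint_rule(entry):
    """Return a list of findings for one <entry>; an empty list means the rule passed."""
    findings = []
    name = entry.get("name", "")
    if not name:
        findings.append("missing required Name")
    elif len(name) > NAME_MAX:
        findings.append(f"Name is {len(name)} characters; the limit is {NAME_MAX}")
    description = entry.findtext("description") or ""
    if len(description) > DESCRIPTION_MAX:
        findings.append(f"Description is {len(description)} characters; the limit is {DESCRIPTION_MAX}")
    rule_type = entry.findtext("rule-type")
    if rule_type is not None and rule_type not in RULE_TYPES:
        findings.append(f"unknown rule-type {rule_type!r}")
    for tag in ("from", "to", "application"):
        if not members(entry, tag):
            findings.append(f"missing required <{tag}> member")
    action = entry.findtext("action")
    if action not in ACTIONS:
        findings.append(f"action must be one of {sorted(ACTIONS)}, got {action!r}")
    src_zones, dst_zones = members(entry, "from"), members(entry, "to")
    # Inbound allow rule (external -> internal zone): application-default keeps
    # applications on their standard ports instead of any port or protocol.
    inbound = any(z in EXTERNAL_ZONES for z in src_zones) and any(z not in EXTERNAL_ZONES for z in dst_zones)
    if action == "allow" and inbound and members(entry, "service") != ["application-default"]:
        findings.append(f"inbound allow rule ({','.join(src_zones)} -> {','.join(dst_zones)}) "
                        "should use the application-default service")
    # Security profiles are evaluated only on allow rules, so one on a deny rule is dead config.
    if action != "allow" and entry.find("profile-setting") is not None:
        findings.append("security profiles are evaluated only for allow rules; the profile on this rule has no effect")
    return findings


def lint_rulebase(xml_text):
    """Map each rule name to its findings."""
    root = ET.fromstring(xml_text.strip())
    return {entry.get("name", ""): lint_rule(entry) for entry in root.findall("entry")}


if __name__ == "__main__":
    for rule, findings in lint_rulebase(SAMPLE_RULEBASE).items():
        print(f"{rule}: {'OK' if not findings else '; '.join(findings)}")
```

Run against the constructed sample, the first rule is flagged for allowing inbound traffic on any service, the second for carrying a security profile that a deny action never evaluates, and the third for a name over 63 characters. The inbound check relies on the assumed zone naming; in a real deployment the external zone set should be populated from your own zone design.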