Building Blocks of Security Zones
Table of Contents
Expand all | Collapse all
-
- Firewall Overview
- Features and Benefits
- Last Login Time and Failed Login Attempts
- Message of the Day
- Task Manager
- Language
- Alarms
- Commit Changes
- Save Candidate Configurations
- Revert Changes
- Lock Configurations
- Global Find
- Threat Details
- AutoFocus Intelligence Summary
- Configuration Table Export
- Change Boot Mode
-
- Objects > Addresses
- Objects > Address Groups
- Objects > Regions
- Objects > Dynamic User Groups
- Objects > Application Groups
- Objects > Application Filters
- Objects > Services
- Objects > Service Groups
- Objects > Devices
- Objects > External Dynamic Lists
- Objects > Custom Objects > Spyware/Vulnerability
- Objects > Custom Objects > URL Category
- Objects > Security Profiles > Antivirus
- Objects > Security Profiles > Anti-Spyware Profile
- Objects > Security Profiles > Vulnerability Protection
- Objects > Security Profiles > File Blocking
- Objects > Security Profiles > WildFire Analysis
- Objects > Security Profiles > Data Filtering
- Objects > Security Profiles > DoS Protection
- Objects > Security Profiles > Mobile Network Protection
- Objects > Security Profiles > SCTP Protection
- Objects > Security Profile Groups
- Objects > Log Forwarding
- Objects > Authentication
- Objects > Packet Broker Profile
- Objects > Schedules
-
-
- Firewall Interfaces Overview
- Common Building Blocks for Firewall Interfaces
- Common Building Blocks for PA-7000 Series Firewall Interfaces
- Tap Interface
- HA Interface
- Virtual Wire Interface
- Virtual Wire Subinterface
- PA-7000 Series Layer 2 Interface
- PA-7000 Series Layer 2 Subinterface
- PA-7000 Series Layer 3 Interface
- Layer 3 Interface
- Layer 3 Subinterface
- Log Card Interface
- Log Card Subinterface
- Decrypt Mirror Interface
- Aggregate Ethernet (AE) Interface Group
- Aggregate Ethernet (AE) Interface
- Network > Interfaces > VLAN
- Network > Interfaces > Loopback
- Network > Interfaces > Tunnel
- Network > Interfaces > SD-WAN
- Network > Interfaces > PoE
- Network > Interfaces > Cellular
- Network > Interfaces > Fail Open
- Network > VLANs
- Network > Virtual Wires
-
- Network > Routing > Logical Routers > General
- Network > Routing > Logical Routers > Static
- Network > Routing > Logical Routers > OSPF
- Network > Routing > Logical Routers > OSPFv3
- Network > Routing > Logical Routers > RIPv2
- Network > Routing > Logical Routers > BGP
- Network > Routing > Logical Routers > Multicast
-
- Network > Routing > Routing Profiles > BGP
- Network > Routing > Routing Profiles > BFD
- Network > Routing > Routing Profiles > OSPF
- Network > Routing > Routing Profiles > OSPFv3
- Network > Routing > Routing Profiles > RIPv2
- Network > Routing > Routing Profiles > Filters
- Network > Routing > Routing Profiles > Multicast
- Network > Proxy
-
- Network > Network Profiles > GlobalProtect IPSec Crypto
- Network > Network Profiles > IPSec Crypto
- Network > Network Profiles > IKE Crypto
- Network > Network Profiles > Monitor
- Network > Network Profiles > Interface Mgmt
- Network > Network Profiles > QoS
- Network > Network Profiles > LLDP Profile
- Network > Network Profiles > SD-WAN Interface Profile
- Network > Network Profiles > MACsec Profile
-
-
- Device > Setup
- Device > Setup > Management
- Device > Setup > Interfaces
- Device > Setup > Telemetry
- Device > Setup > Content-ID
- Device > Setup > WildFire
- Device > Setup > ACE
- Device > Setup > DLP
- Device > Log Forwarding Card
- Device > Config Audit
- Device > Administrators
- Device > Admin Roles
- Device > Access Domain
- Device > Authentication Sequence
- Device > IoT Security > DHCP Server Log Ingestion
- Device > Device Quarantine
-
- Security Policy Match
- QoS Policy Match
- Authentication Policy Match
- Decryption/SSL Policy Match
- NAT Policy Match
- Policy Based Forwarding Policy Match
- DoS Policy Match
- Routing
- Test Wildfire
- Threat Vault
- Ping
- Trace Route
- Log Collector Connectivity
- External Dynamic List
- Update Server
- Test Cloud Logging Service Status
- Test Cloud GP Service Status
- Device > Virtual Systems
- Device > Shared Gateways
- Device > Certificate Management
- Device > Certificate Management > Certificate Profile
- Device > Certificate Management > OCSP Responder
- Device > Certificate Management > SSL/TLS Service Profile
- Device > Certificate Management > SCEP
- Device > Certificate Management > SSL Decryption Exclusion
- Device > Certificate Management > SSH Service Profile
- Device > Response Pages
- Device > Server Profiles
- Device > Server Profiles > SNMP Trap
- Device > Server Profiles > Syslog
- Device > Server Profiles > Email
- Device > Server Profiles > HTTP
- Device > Server Profiles > NetFlow
- Device > Server Profiles > RADIUS
- Device > Server Profiles > SCP
- Device > Server Profiles > TACACS+
- Device > Server Profiles > LDAP
- Device > Server Profiles > Kerberos
- Device > Server Profiles > SAML Identity Provider
- Device > Server Profiles > DNS
- Device > Server Profiles > Multi Factor Authentication
- Device > Local User Database > Users
- Device > Local User Database > User Groups
- Device > Scheduled Log Export
- Device > Software
- Device > Dynamic Updates
- Device > Licenses
- Device > Support
- Device > Policy Recommendation > IoT
- Device > Policy > Recommendation SaaS
- Device > Policy Recommendation > IoT or SaaS > Import Policy Rule
-
- Device > User Identification > Connection Security
- Device > User Identification > Terminal Server Agents
- Device > User Identification > Group Mapping Settings
- Device > User Identification> Trusted Source Address
- Device > User Identification > Authentication Portal Settings
- Device > User Identification > Cloud Identity Engine
-
- Network > GlobalProtect > MDM
- Network > GlobalProtect > Clientless Apps
- Network > GlobalProtect > Clientless App Groups
- Objects > GlobalProtect > HIP Profiles
-
- Use the Panorama Web Interface
- Context Switch
- Panorama Commit Operations
- Defining Policies on Panorama
- Log Storage Partitions for a Panorama Virtual Appliance in Legacy Mode
- Panorama > Setup > Interfaces
- Panorama > High Availability
- Panorama > Firewall Clusters
- Panorama > Administrators
- Panorama > Admin Roles
- Panorama > Access Domains
- Panorama > Device Groups
- Panorama > Plugins
- Panorama > Log Ingestion Profile
- Panorama > Log Settings
- Panorama > Server Profiles > SCP
- Panorama > Scheduled Config Export
- Panorama > Device Registration Auth Key
Building Blocks of Security Zones
To define a security zone, click Add and
specify the following information.
Security Zone Settings | Description |
|---|---|
Name | Enter a zone name (up to 31 characters).
This name appears in the list of zones when defining security policies
and configuring interfaces. The name is case-sensitive and must
be unique within the virtual router. Use only letters, numbers,
spaces, hyphens, periods, and underscores. |
Location | This field is present only if the firewall
supports multiple virtual systems (vsys) and that capability is
enabled. Select the vsys to which this zone applies. |
Type | Select a zone type (Tap, Virtual
Wire, Layer2, Layer3, External,
or Tunnel) to view all the Interfaces of
that type that have not been assigned to a zone. The Layer 2 and
Layer 3 zone types list all Ethernet interfaces and subinterfaces
of that type. Add the interfaces that you
want to assign to the zone. The External zone is used to control traffic between multiple virtual systems on a single
firewall. It displays only on firewalls that support multiple
virtual systems and only if the Multi Virtual System
Capability is enabled. For information on external
zones see Inter-VSYS Traffic That Remains
Within the Firewall. An
interface can belong to only one zone in one virtual system. |
Interfaces | Add one or more interfaces to this zone. |
Zone Protection Profiles | Select a profile that specifies how the
firewall responds to attacks from this zone. To create a new profile,
see Network
> Network Profiles > Zone Protection. The best practice is
to defend each zone with Zone Protection profile. |
Enable Packet Buffer Protection | Configure Packet Buffer Protection (Device
> Setup > Session) globally and apply it to each zone. The
firewall applies Packet Buffer Protection to the ingress zone only.
Packet Buffer Protection based on buffer utilization percentage
is enabled by default. An alternative is to configure Packet Buffer
Protection based on latency. It is a best practice to enable Packet
Buffer Protection on each zone to protect the firewall buffers. |
Enable Net Inspection | Facilitates enablement of L3
& L4 Header Inspection using custom rules for the security
zones associated with the Zone protection profile. The global setting
for L3 & L4 header inspection must also be enabled on the firewall (Device
> Setup > Session). |
Log Setting | Select a Log Forwarding profile for forwarding
zone protection logs to an external system. If you have a
Log Forwarding profile named default, that profile will be automatically
selected for this drop-down when defining a new security zone. You
can override this default setting at any time by continuing to select
a different Log Forwarding profile when setting up a new security
zone. To define or add a new Log Forwarding profile (and to name
a profile default so that this drop-down is populated automatically),
click New (refer to Objects
> Log Forwarding). If you are configuring the
zone in a Panorama template, the Log Setting drop-down
lists only shared Log Forwarding profiles; to specify a non-shared
profile, you must type its name. |
Enable User Identification | If you configured User-ID™ to perform IP
address-to-username mapping (discovery), the best practice is to Enable
User Identification to apply the mapping information
to traffic in this zone. If you disable this option, firewall logs,
reports, and policies will exclude user mapping information for
traffic within the zone. By default, if you select this option,
the firewall applies user mapping information to the traffic of
all subnetworks in the zone. To limit the information to specific
subnetworks within the zone, use the Include List and Exclude List. Enable User-ID on trusted zones only. If
you enable User-ID and client probing on an external untrusted zone
(such as the internet), probes could be sent outside your protected
network, resulting in an information disclosure of the User-ID agent
service account name, domain name, and encrypted password hash,
which could allow an attacker to gain unauthorized access to protected resources. User-ID
performs discovery for the zone only if it falls within the network
range that User-ID monitors. If the zone is outside that range,
the firewall does not apply user mapping information to the zone
traffic even if you select Enable User Identification.
For details, see Include
or Exclude Subnetworks for User Mapping. |
User Identification ACL Include List | By default, if you do not specify subnetworks
in this list, the firewall applies the user mapping information
it discovers to all the traffic of this zone for use in logs, reports,
and policies. To limit the application of user mapping information
to specific subnetworks within the zone, then for each subnetwork
click Add and select an address (or address
group) object or type the IP address range (for example, 10.1.1.1/24).
The exclusion of all other subnetworks is implicit because the Include
List is an allow list, so you do not need to add them
to the Exclude List. Add entries to
the Exclude List only to exclude user mapping
information for a subset of the subnetworks in the Include
List. For example, if you add 10.0.0.0/8 to the Include
List and add 10.2.50.0/22 to the Exclude
List, the firewall includes user mapping information
for all the zone subnetworks of 10.0.0.0/8 except 10.2.50.0/22,
and excludes information for all zone subnetworks outside of 10.0.0.0/8. You
can only include subnetworks that fall within the network range
that User-ID monitors. For details, see Include
or Exclude Subnetworks for User Mapping. |
User Identification ACL Exclude List | To exclude user mapping information for
a subset of the subnetworks in the Include List, Add an
address (or address group) object or type the IP address range for
each subnetwork to exclude. If you add entries to the Exclude List but
not the Include List, the firewall excludes
user mapping information for all subnetworks within the zone, not
just the subnetworks you added. |
|
Pre-NAT Identification
|
You use service connections, also
known as service connection—corporate access nodes (SC-CANs), in
Prisma Access to secure private apps. To limit access to the apps
based on User-ID or Device-ID, you can deploy a Next-Generation
Firewall (NGFW) in the data center or headquarters location where
the private apps are located; then, configure policy rules on the
NGFW based on User-ID mapping, Device-ID mapping, or both.
To use these rules, the NGFW must receive the User- or Device-ID
mapping from the SC-CAN; however, if users are connecting to Prisma
Access using GlobalProtect and the SC-CAN has Data
Traffic source NAT enabled, the NGFW can't obtain
this mapping. If Data Traffic source NAT is
enabled on the SC-CAN, it performs NAT on the Mobile User IP address
pool and does not advertise those IP addresses in the data center or
headquarters location. In this case, the NGFW can't retrieve the
GlobalProtect users' User- or Device-ID, which means that you can't
enforce policy based on User- or Device-ID.
To make sure that your network distributes the User- or Device-ID
mapping to the headquarters or data center, select one or more of
the following parameters on the NGFW, which allows the NGFW to
enforce security policy rules based on the User-ID mapping it learns
from GlobalProtect.
|