The Palo Alto Networks next-generation firewall supports
a variety of policy types that work together to safely enable applications
on your network.
Security
Determine whether to block or allow a session
based on traffic attributes such as the source and destination security
zone, the source and destination IP address, the application, user,
and the service. For more details, see Security Policy.
NAT
Instruct the firewall which packets need
translation and how to do the translation. The firewall supports
both source translation (address and/or port) and destination
translation (address and/or port). For more details, see NAT.
QoS
Identify traffic requiring QoS treatment
(either preferential treatment or bandwidth limiting) using one or
more defined parameters and assign it a class. For more
details, see Quality of Service.
Policy-Based Forwarding
Identify traffic that should use a different
egress interface than the one that would normally be selected based
on the routing table. For details, see Policy-Based Forwarding.
Decryption
Identify encrypted traffic that you want
to inspect for visibility, control, and granular security. For more
details, see Decryption.
Application Override
Identify sessions that you do not want processed
by the App-ID engine, which performs Layer 7 inspection. Traffic matching
an application override policy forces the firewall to handle the session
as a regular stateful inspection firewall at Layer 4. For more details,
see Manage Custom or Unknown Applications.
Captive Portal
Identify traffic that requires the user
to be known. The captive portal policy is only triggered if other
User-ID mechanisms did not identify a user to associate with the
source IP address. For more details, see Captive Portal.
DoS Protection
Identify potential denial-of-service (DoS)
attacks and take protective action in response to rule matches. For
more details, see DoS Protection Profiles.