Security policy protects network assets from threats
and disruptions and aids in optimally allocating network resources
for enhancing productivity and efficiency in business processes.
On the Palo Alto Networks firewall, individual Security policy rules determine
whether to block or allow a session based on traffic attributes
such as the source and destination security zone, the source and
destination IP address, the application, user, and the service.
All traffic passing through the firewall is matched against a
session and each session is matched against a Security policy rule.
When a session match occurs, the firewall applies the matching Security
policy rule to bi-directional traffic (client to server and server
to client) in that session. For traffic that doesn’t match any defined
rules, the default rules apply. The default rules—displayed at the
bottom of the security rulebase—are predefined to allow all intrazone
(within the zone) traffic and deny all interzone (between zones)
traffic. Although these rules are part of the pre-defined configuration
and are read-only by default, you can override them and change a limited
number of settings, including the tags, action (allow or block),
log settings, and security profiles.
Security policy rules are evaluated left to right and from top
to bottom. A packet is matched against the first rule that meets
the defined criteria; after a match is triggered the subsequent
rules are not evaluated. Therefore, the more specific rules must
precede more generic ones in order to enforce the best match criteria.
Traffic that matches a rule generates a log entry at the end of
the session in the traffic log, if logging is enabled for that rule.
The logging options are configurable for each rule, and can for
example be configured to log at the start of a session instead of,
or in addition to, logging at the end of a session.