End-of-Life (EoL)
Optional Fields
| Optional Field | Description |
|---|---|
| Tag | A keyword or phrase that allows you to filter security rules. This is handy when you have defined many rules and wish to review those that are tagged with a keyword such as IT-sanctioned applications or High-risk applications. |
| Description | A text field, up to 255 characters, used to describe the rule. |
| Source IP Address | Define host IP or FQDN, subnet, named groups, or country-based enforcement. If you use NAT, make sure to always refer to the original IP addresses in the packet (i.e. the pre-NAT IP address). |
| Destination IP Address | The location or destination for the traffic. If you use NAT, make sure to always refer to the original IP addresses in the packet (i.e. the pre-NAT IP address). |
| User | The user or group of users for whom the policy applies. You must have User-ID enabled on the zone. To enable User-ID, see User-ID Overview. |
| URL Category | Using the URL Category as match criteria allows you to customize security profiles (Antivirus, Anti-Spyware, Vulnerability, File-Blocking, Data Filtering, and DoS) on a per-URL-category basis. For example, you can prevent .exe file download/upload for URL categories that represent higher risk while allowing them for other categories. This functionality also allows you to attach schedules to specific URL categories (allow social-media websites during lunch and after hours), mark certain URL categories with QoS (financial, medical, and business), and select different log forwarding profiles on a per-URL-category basis. Although you can manually configure URL categories on your firewall, to take advantage of the dynamic URL categorization updates available on the Palo Alto Networks firewalls, you must purchase a URL filtering license. To block or allow traffic based on URL category, you must apply a URL Filtering profile to the security policy rules. Define the URL Category as Any and attach a URL Filtering profile to the security policy. See Set Up a Basic Security Policy for information on using the default profiles in your security policy and see Control Access to Web Content for more details. |
| Service | Allows you to select a Layer 4 (TCP or UDP) port for the application. You can choose any, specify a port, or use application-default to permit use of the standards-based port for the application. For example, for applications with well-known port numbers such as DNS, the application-default option will match against DNS traffic only on TCP port 53. You can also add a custom application and define the ports that the application can use. For inbound allow rules (for example, from untrust to trust), using application-default prevents applications from running on unusual ports and protocols. Application-default is the default option; while the firewall still checks for all applications on all ports, with this configuration, applications are only allowed on their standard ports/protocols. |
| Security Profiles | Provide additional protection from threats, vulnerabilities, and data leaks. Security profiles are only evaluated for rules that have an allow action. |
| HIP Profile (for GlobalProtect) | Allows you to identify clients with Host Information Profile (HIP) and then enforce access privileges. |
| Options | Allow you to define logging for the session, log forwarding settings, change Quality of Service (QoS) markings for packets that match the rule, and schedule when (day and time) the security rule should be in effect. |
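An added audit script (not Palo Alto Networks code) for the Service row's advice above: it reads an exported PAN-OS security rulebase and reports inbound allow rules whose service is not application-default, so the allowed application could be matched on a non-standard port. The XML layout and `RULES_XPATH` are assumptions about the export format, and the sample configuration is constructed.

```python
# Added example (not Palo Alto Networks code): audit an exported PAN-OS
# security rulebase for inbound allow rules whose service is not
# application-default. The XML layout below is assumed from a typical
# running-config export; the sample config itself is constructed.
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain">
<vsys><entry name="vsys1"><rulebase><security><rules>
 <entry name="allow-ssh-in">
  <from><member>untrust</member></from><to><member>trust</member></to>
  <application><member>ssh</member></application>
  <service><member>application-default</member></service>
  <action>allow</action>
 </entry>
 <entry name="allow-dns-in-anyport">
  <from><member>untrust</member></from><to><member>trust</member></to>
  <application><member>dns</member></application>
  <service><member>any</member></service>
  <action>allow</action>
 </entry>
 <entry name="deny-all">
  <from><member>any</member></from><to><member>any</member></to>
  <application><member>any</member></application>
  <service><member>any</member></service>
  <action>deny</action>
 </entry>
</rules></security></rulebase></entry></vsys></entry></devices></config>"""

RULES_XPATH = ".//rulebase/security/rules/entry"  # assumed export layout


def members(rule, field):
    """Return the <member> values of a multi-valued rule field."""
    return [m.text for m in rule.findall(f"{field}/member")]


def find_loose_inbound_rules(config_xml, untrusted_zone="untrust"):
    """Names of allow rules from the untrusted zone (or from any zone)
    whose service is not application-default."""
    root = ET.fromstring(config_xml)
    loose = []
    for rule in root.findall(RULES_XPATH):
        if rule.findtext("action") != "allow":
            continue  # service choice only matters on allow rules
        sources = members(rule, "from")
        if untrusted_zone not in sources and "any" not in sources:
            continue
        if members(rule, "service") != ["application-default"]:
            loose.append(rule.get("name"))
    return loose
```

Run `find_loose_inbound_rules(SAMPLE_CONFIG)` on the constructed sample to get `['allow-dns-in-anyport']`; the deny rule is skipped because security profiles and service choice only matter on allow rules.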