Optional Fields

Optional Field
Description
Tag
A keyword or phrase that allows you to filter security rules. This is handy when you have defined many rules and wish to then review those that are tagged with a keyword such as
IT-sanctioned applications
or
High-risk applications
.
Description
A text field, up to 255 characters, used to describe the rule.
Source IP Address
Define host IP or FQDN, subnet, named groups, or country-based enforcement. If you use NAT, make sure to always refer to the original IP addresses in the packet (i.e. the pre-NAT IP address).
Destination IP Address
The location or destination for the traffic. If you use NAT, make sure to always refer to the original IP addresses in the packet (i.e. the pre-NAT IP address).
User
The user or group of users for whom the policy applies. You must have User-ID enabled on the zone. To enable User-ID, see User-ID Overview.
URL Category
Using the URL Category as match criteria allows you to customize security profiles (Antivirus, Anti-Spyware, Vulnerability, File-Blocking, Data Filtering, and DoS) on a per-URL-category basis. For example, you can prevent.exe file download/upload for URL categories that represent higher risk while allowing them for other categories. This functionality also allows you to attach schedules to specific URL categories (allow social-media websites during lunch & after-hours), mark certain URL categories with QoS (financial, medical, and business), and select different log forwarding profiles on a per-URL-category-basis.
Although you can manually configure URL categories on your firewall, to take advantage of the dynamic URL categorization updates available on the Palo Alto Networks firewalls, you must purchase a URL filtering license.
To block or allow traffic based on URL category, you must apply a URL Filtering profile to the security policy rules. Define the URL Category as Any and attach a URL Filtering profile to the security policy. See Set Up a Basic Security Policy for information on using the default profiles in your security policy and see Control Access to Web Content for more details.
Service
Allows you to select a Layer 4 (TCP or UDP) port for the application. You can choose
any
, specify a port, or use
application-default
to permit use of the standards-based port for the application. For example, for applications with well- known port numbers such as DNS, the
application-default
option will match against DNS traffic only on TCP port 53. You can also add a custom application and define the ports that the application can use.
For inbound allow rules (for example, from untrust to trust), using application-default prevents applications from running on unusual ports and protocols. Application-default is the default option; while the firewall still checks for all applications on all ports, with this configuration, applications are only allowed on their standard ports/protocols.
Security Profiles
Provide additional protection from threats, vulnerabilities, and data leaks. Security profiles are only evaluated for rules that have an
allow
action.
HIP Profile
(for GlobalProtect)
Allows you to identify clients with Host Information Profile (HIP) and then enforce access privileges.
Options
Allow you to define logging for the session, log forwarding settings, change Quality of Service (QoS) markings for packets that match the rule, and schedule when (day and time) the security rule should be in effect.

Related Documentation