1. Home
    2. PAN-OS
    3. PAN-OS Administrator's Guide
    4. Policy
    5. Security Policy
    6. Create a Security Policy Rule
    End-of-Life (EoL)

    Create a Security Policy Rule

    1. (Optional) Delete the default Security policy rule.
      By default, the firewall includes a security rule named
      rule1
       that allows all traffic from Trust zone to Untrust zone. You can either delete the rule or modify the rule to reflect your zone naming conventions.
    2. Add a rule.
      1. Select
        Policies
        Security
         and click
        Add
        .
      2. Enter a descriptive
        Name
         for the rule in the
        General
         tab.
      3. Select a
        Rule Type
        .
    3. Define the matching criteria for the source fields in the packet.
      1. In the
        Source
         tab, select a
        Source Zone
        .
      2. Specify a
        Source IP Address
         or leave the value set to
        any
        .
      3. Specify a Source
        User
         or leave the value set to
        any
        .
    4. Define the matching criteria for the destination fields in the packet.
      1. In the
        Destination
         tab, set the
        Destination Zone
        .
      2. Specify a
        Destination IP Address
         or leave the value set to
        any
        .
        As a best practice, consider using address objects in the
        Destination Address
         field to enable access to specific servers or groups of servers only, particularly for services such as DNS and SMTP that are commonly exploited. By restricting users to specific destination server addresses you can prevent data exfiltration and command and control traffic from establishing communication through techniques such as DNS tunneling.
    5. Specify the application the rule will allow or block.
      As a best practice, always use application-based security policy rules instead of port based rules and always set the Service to application-default unless you are using a more restrictive list of ports than the standard ports for an application.
      1. In the
        Applications
         tab,
        Add
         the
        Application
         to safely enable. You can select multiple applications, or use application groups or application filters.
      2. In the
        Service/URL Category
         tab, keep the Service set to
        application-default
         to ensure that any applications the rule allows are only allowed on their standard ports.
    6. (Optional) Specify a URL category as match criteria for the rule.
      In the
      Service/URL Category
       tab, select the
      URL Category
      .
      If you select a URL category, only web traffic will match the rule and only if the traffic is to the specified category.
    7. Define what action you want the firewall to take for traffic that matches the rule.
      In the
      Actions
       tab, select an
      Action
      . See Security Policy Actions for a description of each action.
    8. Configure the log settings.
      • By default, the rule is set to
        Log at Session End
        . You can clear this setting if you don’t want any logs generated when traffic matches this rule, or select
        Log at Session Start
         for more detailed logging.
      • Select a
        Log Forwarding
         profile.
    9. Attach security profiles to enable the firewall to scan all allowed traffic for threats.
      See Create Best Practice Security Profiles to learn how to create security profiles that protect your network from both known and unknown threats.
      In the
      Actions
       tab, select
      Profiles
       from the
      Profile Type
       drop-down and then select the individual security profiles to attach to the rule.
      Alternatively, select
      Group
       from the
      Profile Type
       drop-down and select a security
      Group Profile
       to attach.
    10. Save the policy rule to the running configuration on the firewall.
      Click
      Commit
      .
    11. To verify that you have set up your basic policies effectively, test whether your security policy rules are being evaluated and determine which security policy rule applies to a traffic flow.
      To verify the policy rule that matches a flow, use the following CLI command:
      test security-policy-match source <IP_address> destination <IP_address> destination port <port_number> protocol <protocol_number>
      The output displays the best rule that matches the source and destination IP address specified in the CLI command.
      For example, to verify the policy rule that will be applied for a server in the data center with the IP address 208.90.56.11 when it accesses the Microsoft update server:
      test security-policy-match source 208.80.56.11 destination 176.9.45.70 destination-port 80 protocol 6
�
"Updates-DC to Internet" {
        from data_center_applications;
        source any;
        source-region any;
        to untrust;
        destination any;
        destination-region any;
        user any;
        category any;
application/service[dns/tcp/any/53 dns/udp/any/53 dns/udp/any/5353 ms-update/tcp/any/80 ms-update/tcp/any/443];
action allow;
        terminal yes;

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2020 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo