Building Block in a Security Rule | Configured In | Description

Rule number
Configured In: N/A
Each rule is automatically numbered, and the order changes as rules are moved. When you filter rules to match specific filter(s), each rule is listed with its number in the context of the complete set of rules in the rulebase and its place in the evaluation order.
In Panorama, pre-rules and post-rules are independently numbered. When rules are pushed from Panorama to a managed firewall, the rule numbering incorporates the hierarchy of pre-rules, firewall rules, and post-rules within a rulebase and reflects the rule sequence and its evaluation order.

Name
Configured In: General
Enter a name to identify the rule. The name is case-sensitive and can have up to 31 characters, which can be letters, numbers, spaces, hyphens, and underscores. The name must be unique on a firewall and, on Panorama, unique within its device group and any ancestor or descendant device groups.

Tag
Configured In: General
Click Add to specify the tag for the policy.
A policy tag is a keyword or phrase that allows you to sort or filter policies. This is useful when you have defined many policies and want to view those that are tagged with a particular keyword. For example, you may want to tag certain rules with specific words like Decrypt and No-decrypt, or use the name of a specific data center for policies associated with that location.
You can also add tags to the default rules.

Type
Configured In: General
Specifies whether the rule applies to traffic within a zone, between zones, or both:
  universal (default)—Applies the rule to all matching interzone and intrazone traffic in the specified source and destination zones. For example, if you create a universal rule with source zones A and B and destination zones A and B, the rule would apply to all traffic within zone A, all traffic within zone B, all traffic from zone A to zone B, and all traffic from zone B to zone A.
  intrazone—Applies the rule to all matching traffic within the specified source zones (you cannot specify a destination zone for intrazone rules). For example, if you set the source zone to A and B, the rule would apply to all traffic within zone A and all traffic within zone B, but not to traffic between zones A and B.
  interzone—Applies the rule to all matching traffic between the specified source and destination zones. For example, if you set the source zone to A, B, and C and the destination zone to A and B, the rule would apply to traffic from zone A to zone B, from zone B to zone A, from zone C to zone A, and from zone C to zone B, but not to traffic within zones A, B, or C.

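The zone-matching semantics of the three rule types above, combined with the pre-rule, firewall-rule, post-rule evaluation order described under Rule number, modelled as an added Python example (this is not PAN-OS code; the rule names, zones and rulebase are constructed for illustration):

```python
from dataclasses import dataclass, field
from typing import Optional

# Added model of the Type field (universal / intrazone / interzone) and of
# first-match evaluation in the pushed order: Panorama pre-rules, then the
# firewall's own rules, then post-rules. Not PAN-OS code; rules are constructed.

@dataclass
class Rule:
    name: str
    rule_type: str                       # "universal", "intrazone", "interzone"
    src_zones: set                       # {"any"} matches every zone
    dst_zones: set = field(default_factory=set)  # not used by intrazone rules
    action: str = "allow"

def zone_in(zone: str, zones: set) -> bool:
    return "any" in zones or zone in zones

def zones_match(rule: Rule, src: str, dst: str) -> bool:
    """Does a flow from zone `src` to zone `dst` satisfy the rule's zone match?"""
    if rule.rule_type == "intrazone":
        # Intrazone rules have no destination zone: the source list alone
        # decides, and only flows that stay inside one listed zone match.
        return src == dst and zone_in(src, rule.src_zones)
    if not (zone_in(src, rule.src_zones) and zone_in(dst, rule.dst_zones)):
        return False
    if rule.rule_type == "interzone":
        return src != dst                # never traffic within a single zone
    return True                          # universal: both kinds of flow

def first_match(pre, local, post, src, dst) -> Optional[Rule]:
    """Top-down evaluation over the merged rulebase; the first hit wins."""
    for rule in [*pre, *local, *post]:
        if zones_match(rule, src, dst):
            return rule
    return None

# Constructed rulebase echoing the page's zone A/B/C examples.
PRE = [Rule("block-lateral", "intrazone", {"A", "B"}, action="deny")]
LOCAL = [Rule("c-outbound", "interzone", {"A", "B", "C"}, {"A", "B"})]
POST = [Rule("catch-all", "universal", {"any"}, {"any"}, action="deny")]

def evaluate(src: str, dst: str) -> str:
    rule = first_match(PRE, LOCAL, POST, src, dst)
    return f"{rule.name}:{rule.action}" if rule else "no-match"

if __name__ == "__main__":
    for flow in [("A", "A"), ("C", "A"), ("A", "B"), ("C", "C")]:
        print(flow, "->", evaluate(*flow))
```

Note that the intrazone pre-rule catches A-to-A traffic before the interzone firewall rule is ever consulted, while C-to-C traffic falls through to the universal post-rule because the interzone rule excludes same-zone flows.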
Source Zone
Configured In: Source
Click Add to choose source zones (default is any). Zones must be of the same type (Layer 2, Layer 3, or virtual wire). To define new zones, refer to Network > Zones.
Multiple zones can be used to simplify management. For example, if you have three different internal zones (Marketing, Sales, and Public Relations) that are all directed to the untrusted destination zone, you can create one rule that covers all cases.

Source Address
Configured In: Source
Click Add to add source addresses, address groups, or regions (default is any). Select from the drop-down, or click Address, Address Group, or Regions at the bottom of the drop-down, and specify the settings.

Source User
Configured In: User
Click Add to choose the source users or groups of users subject to the policy. The following source user types are supported:
  any—Include any traffic regardless of user data.
  pre-logon—Include remote users that are connected to the network using GlobalProtect but are not logged into their system. When the Pre-logon option is configured on the Portal for GlobalProtect clients, any user who is not currently logged into their machine is identified with the username pre-logon. You can then create policies for pre-logon users; although the user is not logged in directly, their machines are authenticated on the domain as if they were fully logged in.
  known-user—Includes all authenticated users, which means any IP address with user data mapped. This option is equivalent to the domain users group on a domain.
  unknown—Includes all unauthenticated users, which means IP addresses that are not mapped to a user. For example, you could use unknown for guest-level access, because guests will have an IP address on your network but will not be authenticated to the domain and will not have IP-address-to-user mapping information on the firewall.
  Select—Includes selected users as determined by the selection in this window. For example, you may want to add one user, a list of individuals, some groups, or manually add users.
If you are using a RADIUS server and not the User-ID agent, the list of users does not display; you must enter user information manually.

Source HIP Profile
Configured In: User
Click Add to choose host information profiles (HIP), which enable you to collect information about the security status of your end hosts, such as whether they have the latest security patches and antivirus definitions installed. Using host information profiles for policy enforcement enables granular security that ensures that the remote hosts accessing your critical resources are adequately maintained and in adherence with your security standards before they are allowed access to your network resources. The following source HIP profiles are supported:
  any—Include any endpoint regardless of HIP information.
  select—Include selected HIP profiles as determined by the selection in this window. For example, you can add one HIP profile, a list of HIP profiles, or manually add a HIP profile.
  no-hip—HIP information is not required. This setting enables access from third-party clients that cannot collect or submit HIP information.

Destination Zone
Configured In: Destination
Click Add to choose destination zones (default is any). Zones must be of the same type (Layer 2, Layer 3, or virtual wire). To define new zones, refer to Network > Zones.
Multiple zones can be used to simplify management. For example, if you have three different internal zones (Marketing, Sales, and Public Relations) that are all directed to the untrusted destination zone, you can create one rule that covers all cases.
On intrazone rules, you cannot define a Destination Zone because these types of rules only match traffic with a source and a destination within the same zone. To specify the zones that match an intrazone rule, you only need to set the Source Zone.

Destination Address
Configured In: Destination
Click Add to add destination addresses, address groups, or regions (default is any). Select from the drop-down, or click Address at the bottom of the drop-down, and specify address settings.

Application
Configured In: Application
Select specific applications for the security rule. If an application has multiple functions, you can select the overall application or individual functions. If you select the overall application, all functions are included and the application definition is automatically updated as future functions are added.
If you are using application groups, filters, or containers in the security rule, you can view details of these objects by hovering your mouse over the object in the Application column, clicking the drop-down arrow, and selecting Value. This allows you to view application members directly from the policy without having to navigate to the Objects tab.

Service
Configured In: Service/URL Category
Select services to limit to specific TCP and/or UDP port numbers. Choose one of the following from the drop-down:
  any—The selected applications are allowed or denied on any protocol or port.
  application-default—The selected applications are allowed or denied only on their default ports defined by Palo Alto Networks®. This option is recommended for allow policies because it prevents applications from running on unusual ports and protocols, which, if not intentional, can be a sign of undesired application behavior and usage. Note that when you use this option, the firewall still checks for all applications on all ports, but applications are only allowed on their default ports and protocols.
  Select—Click Add. Choose an existing service, or choose Service or Service Group to specify a new entry. (Or select Objects > Services and Objects > Service Groups.)

URL Category
Configured In: Service/URL Category
Select URL categories for the security rule.
  Choose any to allow or deny all sessions regardless of the URL category.
  To specify a category, click Add and select a specific category (including a custom category) from the drop-down. You can add multiple categories. Select Objects > External Dynamic Lists to define custom categories.

Action
Configured In: Actions
To specify the action for traffic that matches the attributes defined in a rule, select from the following actions:
  Allow—(default) Allows the traffic.
  Deny—Blocks traffic and enforces the default Deny Action defined for the application that is being denied. To view the deny action defined by default for an application, view the application details in Objects > Applications. Because the default deny action varies by application, the firewall could block the session and send a reset for one application, while it could drop the session silently for another application.
  Drop—Silently drops the application. A TCP reset is not sent to the host/application unless you select Send ICMP Unreachable.
  Reset client—Sends a TCP reset to the client-side device.
  Reset server—Sends a TCP reset to the server-side device.
  Reset both—Sends a TCP reset to both the client-side and server-side devices.
  Send ICMP Unreachable—Only available for Layer 3 interfaces. When you configure a security policy to drop traffic or to reset the connection, the traffic does not reach the destination host. In such cases, for all UDP traffic and for TCP traffic that is dropped, you can enable the firewall to send an ICMP Unreachable response to the source IP address from which the traffic originated. Enabling this setting allows the source to gracefully close or clear the session and prevents applications from breaking.
To view the ICMP Unreachable Packet Rate configured on the firewall, view the Session Settings section in Device > Setup > Session.
To override the default action defined on the predefined interzone and intrazone rules, see Overriding or Reverting a Security Policy Rule.

Profile Setting
Configured In: Actions
To specify the checking done by the default security profiles, select individual Antivirus, Anti-Spyware, Vulnerability Protection, URL Filtering, File Blocking, and/or Data Filtering profiles.
To specify a profile group rather than individual profiles, select Profile Type Group and then select a profile group from the Group Profile drop-down.
To define new profiles or profile groups, click New next to the appropriate profile or group (refer to Objects > Security Profile Groups).
You can also attach security profiles (or profile groups) to the default rules.

Options
Configured In: Actions
The Options tab includes the logging settings and a combination of other options, listed below.
To generate entries in the local traffic log for traffic that matches this rule, select the following options:
  Log At Session Start—Generates a traffic log entry for the start of a session (disabled by default).
  Log At Session End—Generates a traffic log entry for the end of a session (enabled by default).
  If the session start or end entries are logged, drop and deny entries are also logged.
  Log Forwarding Profile—To forward the local traffic log and threat log entries to remote destinations, such as Panorama and syslog servers, select a log profile from the Log Forwarding Profile drop-down. Note that the generation of threat log entries is determined by the security profiles. To define new log profiles, click New (refer to Objects > Log Forwarding).
You can also modify the log settings on the default rules.
Specify any combination of the following options:
  Schedule—To limit the days and times when the rule is in effect, select a schedule from the drop-down. To define new schedules, click New (refer to Settings to Control Decrypted SSL Traffic).
  QoS Marking—To change the Quality of Service (QoS) setting on packets matching the rule, select IP DSCP or IP Precedence and enter the QoS value in binary, or select a predefined value from the drop-down. For more information on QoS, refer to Quality of Service (QoS).
  Disable Server Response Inspection—To disable packet inspection from the server to the client, select this option. This option may be useful under heavy server load conditions.

Description
Configured In: General
Enter a description for the policy (up to 255 characters).