Components of a Security Policy Rule
A Security policy rule is built from the required and optional fields listed in
the following table:
Required/Optional | Field | Description |
---|---|---|
Required | Name | A label of up to 63 characters that identifies the rule. |
Required | Rule Type | Specifies whether the rule applies to traffic within a zone (intrazone), between zones (interzone), or both (universal, the default). |
Required | Source Zone | The zone from which the traffic originates. |
Required | Destination Zone | The zone at which the traffic terminates. If you use NAT, always reference the post-NAT zone, because the firewall evaluates security policy against the zone the packet is routed to after translation. |
Required | Application | The application you want to control. The firewall uses App-ID, its traffic classification technology, to identify traffic on your network. App-ID provides the application control and visibility needed to write security policies that block unknown applications while enabling, inspecting, and shaping those that are allowed. |
Required | Action | Specifies whether traffic that matches the rule is allowed or blocked. A block action either resets the connection or silently drops packets. Silently dropping packets can cause some applications to hang and appear unresponsive to the user, so for a better user experience you can configure the more granular reset options instead. For details, see Security Policy Actions. |
Optional | Tag | A keyword or phrase used to filter security rules. This is handy when you have many rules and want to review only those tagged with a keyword such as IT-sanctioned applications or High-risk applications. |
Optional | Description | A text field of up to 1024 characters that describes the rule. |
Optional | Source IP Address | A host IP address or FQDN, a subnet, a named address group, or a country for region-based enforcement. If you use NAT, always reference the original (pre-NAT) IP address in the packet. |
Optional | Destination IP Address | The destination of the traffic, defined in the same forms as the source. If you use NAT, always reference the original (pre-NAT) IP address in the packet. |
Optional | User | The user or group of users to whom the policy applies. User-ID must be enabled on the zone. To enable User-ID, see User-ID Overview. |
Optional | URL Category | Using URL Category as match criteria lets you apply security profiles (Antivirus, Anti-Spyware, Vulnerability Protection, File Blocking, Data Filtering, and DoS) on a per-URL-category basis. For example, you can block .exe file downloads and uploads for high-risk URL categories while allowing them for other categories. It also lets you attach schedules to specific URL categories (for example, allow social-media sites during lunch and after hours), mark certain categories (financial, medical, business) with QoS, and select a different log forwarding profile per category. Although you can manually define URL categories on the firewall, taking advantage of the dynamic URL categorization updates available on Palo Alto Networks firewalls requires a URL Filtering license. To block or allow traffic based on URL category, you must apply a URL Filtering profile to the rule: set the URL Category to Any and attach a URL Filtering profile to the security policy rule. See Set Up a Basic Security Policy for information on using the default profiles in your security policy, and Control Access to Web Content for more details. |
Optional | Service | Selects the Layer 4 (TCP or UDP) port for the application. You can choose any, specify a port, or use application-default to permit only the standards-based port for the application. For example, for an application with a well-known port such as DNS, application-default matches DNS traffic only on its standard port, 53, and not on arbitrary ports. You can also add a custom application and define the ports it may use. For inbound allow rules (for example, from untrust to trust), application-default prevents applications from running on unusual ports and protocols. Application-default is the default option: the firewall still identifies all applications on all ports, but with this setting applications are only allowed on their standard ports and protocols. |
Optional | Security Profiles | Provide additional protection from threats, vulnerabilities, and data leaks. Security profiles are only evaluated for rules with an allow action. |
Optional | HIP Profile (for GlobalProtect) | Lets you identify clients by Host Information Profile (HIP) and enforce access privileges accordingly. |
Optional | Options | Define logging for the session, log forwarding settings, Quality of Service (QoS) marking changes for packets that match the rule, and a schedule (day and time) for when the rule is in effect. |
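As an added example (not part of the original documentation or of PAN-OS itself), the following Python script models how the fields in the table combine when a session is evaluated against an ordered rulebase: the first matching rule wins, zones are compared post-NAT while addresses are compared pre-NAT, application-default restricts the identified application to its standard ports, security profiles are only applied on allow rules, and a session that matches nothing falls through to the predefined intrazone-default (allow) or interzone-default (deny) rule. The rulebase, the sessions and the application-to-port table are constructed for the example; a real firewall takes standard ports from its App-ID database.

```python
"""Toy first-match evaluator for a security rulebase (added example)."""
import ipaddress
from dataclasses import dataclass, field

# Constructed stand-in for the App-ID database's "application-default" ports.
APP_DEFAULT_PORTS = {
    "dns": {("udp", 53), ("tcp", 53)},
    "web-browsing": {("tcp", 80)},
    "ssl": {("tcp", 443)},
}


def _any():
    return {"any"}


@dataclass
class Rule:
    name: str
    action: str                                   # "allow" or "deny"
    from_zones: set = field(default_factory=_any)
    to_zones: set = field(default_factory=_any)   # post-NAT zone
    sources: set = field(default_factory=_any)    # pre-NAT addresses
    destinations: set = field(default_factory=_any)  # pre-NAT addresses
    applications: set = field(default_factory=_any)
    service: str = "application-default"          # or "any" or e.g. "tcp/8080"
    rule_type: str = "universal"                  # universal|intrazone|interzone
    profiles: frozenset = frozenset()             # attached security profiles


@dataclass
class Session:
    src_zone: str   # ingress zone
    dst_zone: str   # zone the packet is routed to after NAT
    src_ip: str     # original (pre-NAT) source address
    dst_ip: str     # original (pre-NAT) destination address
    app: str        # App-ID result
    proto: str
    dport: int


def _zone_ok(cands, zone):
    return "any" in cands or zone in cands


def _addr_ok(cands, ip):
    if "any" in cands:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cands)


def _type_ok(rule, s):
    if rule.rule_type == "intrazone":
        return s.src_zone == s.dst_zone
    if rule.rule_type == "interzone":
        return s.src_zone != s.dst_zone
    return True


def _service_ok(rule, s):
    if rule.service == "any":
        return True
    if rule.service == "application-default":
        # Only the app's standard ports count, even though App-ID saw the app.
        return (s.proto, s.dport) in APP_DEFAULT_PORTS.get(s.app, set())
    proto, port = rule.service.split("/")
    return s.proto == proto and s.dport == int(port)


def rule_matches(rule, s):
    return (_type_ok(rule, s)
            and _zone_ok(rule.from_zones, s.src_zone)
            and _zone_ok(rule.to_zones, s.dst_zone)
            and _addr_ok(rule.sources, s.src_ip)
            and _addr_ok(rule.destinations, s.dst_ip)
            and ("any" in rule.applications or s.app in rule.applications)
            and _service_ok(rule, s))


def evaluate(rulebase, s):
    """Return (rule name, action, profiles applied) for the first match."""
    for rule in rulebase:
        if rule_matches(rule, s):
            # Security profiles are only evaluated on allow rules.
            profiles = rule.profiles if rule.action == "allow" else frozenset()
            return rule.name, rule.action, profiles
    # Predefined rules at the bottom of a PAN-OS rulebase.
    if s.src_zone == s.dst_zone:
        return "intrazone-default", "allow", frozenset()
    return "interzone-default", "deny", frozenset()


# Constructed rulebase: 203.0.113.10 is a public address that a NAT rule
# translates to a server in "dmz", so the rule names the pre-NAT address
# together with the post-NAT zone.
RULEBASE = [
    Rule("allow-web-in", "allow", from_zones={"untrust"}, to_zones={"dmz"},
         destinations={"203.0.113.10/32"}, applications={"web-browsing", "ssl"},
         profiles=frozenset({"antivirus", "vulnerability"})),
    Rule("block-p2p", "deny", from_zones={"trust"}, to_zones={"untrust"},
         applications={"bittorrent"}, service="any",
         profiles=frozenset({"antivirus"})),   # never applied: deny rule
    Rule("allow-dns-out", "allow", from_zones={"trust"}, to_zones={"untrust"},
         applications={"dns"}, profiles=frozenset({"anti-spyware"})),
]

if __name__ == "__main__":
    web = Session("untrust", "dmz", "198.51.100.7", "203.0.113.10",
                  "web-browsing", "tcp", 80)
    print(evaluate(RULEBASE, web))
```

Running the script with the inbound web session above yields the allow-web-in rule with its two profiles; the same session on tcp/8080 misses that rule because application-default only accepts web-browsing on its standard port, and it falls through to interzone-default and is denied.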