Creating and Managing Policies
Select the Policies > Security page to add, modify, and manage security policies:
To add a new policy rule, do one of the following:
To modify a rule, click the rule.
If the rule is pushed from Panorama, the rule is read-only on the firewall and cannot be edited locally.
Override and Revert actions pertain only to the default rules that are displayed at the bottom of the Security rulebase. These predefined rules—allow all intrazone traffic and deny all interzone traffic—instruct the firewall on how to handle traffic that does not match any other rule in the rulebase. Because they are part of the predefined configuration, you must Override them in order to edit select policy settings. If you are using Panorama, you can also Override the default rules and then push them to firewalls in a Device Group or Shared context. You can also Revert the default rules, which restores the predefined settings or the settings pushed from Panorama. For details, see Overriding or Reverting a Security Policy Rule.
Rules are evaluated from the top down, in the order in which they are listed on the Policies page. To change the order in which the rules are evaluated against network traffic, select a rule and click Move Up, Move Down, Move Top, or Move Bottom. For details, see Move or Clone a Policy Rule.
To delete a rule, select the rule and Delete it.
To disable a rule, select the rule and Disable it; to enable a rule that is disabled, select the rule and Enable it.
Monitor Rule Usage
To identify rules that have not been used since the last time the firewall was restarted, Highlight Unused Rules. You can then decide whether to disable a rule or delete it. Rules not currently in use are displayed with a dotted yellow background. When policy rule hit count is enabled, the Hit Count data is used to determine if a rule is unused.
Each firewall maintains a traffic flag for the rules that have a match. Because the flag is reset when a dataplane reset occurs on a reboot or a restart, monitor this list periodically to determine whether the rule has had a match since the last check before you delete or disable it.
Reset Rule Hit Count
The Hit Count is used to track the total traffic hits for the policy rule. The total traffic hit count persists through reboot, upgrade and data plane restart. To reset the hit count for a specific rule, expand the drop-down and Reset the counter.
Alternatively, you can Reset Rule Hit Counter using the bottom menu. To clear the hit count statistics, you can select All Rules or you can select specific rules and reset hit count statistics only for the Selected rules.
View the First Hit to identify when the security policy rule was first matched. The timestamp is formatted as date hh:mm:ss year. This value cannot be reset.
View the Last Hit to identify when the security policy rule was last matched. The timestamp is formatted as date hh:mm:ss year. This value cannot be reset.
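The behaviour described above for rule order, the predefined intrazone-default and interzone-default rules, and the Hit Count, First Hit and Last Hit values can be modelled in a few lines. The following is an added example, not PAN-OS code and not using any PAN-OS API; the zone names, rules and sample traffic are constructed for illustration. It shows that the first enabled matching rule wins, that traffic matching nothing falls through to the predefined rules, that moving a rule to the top changes the verdict, and that resetting the hit counter leaves First Hit and Last Hit intact.

```python
"""Top-down Security policy evaluation with Hit Count tracking.

Added illustration only: this is not PAN-OS code and uses no PAN-OS API.
Zone names, rules and sample traffic are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    name: str
    from_zone: str                 # "any" matches every zone
    to_zone: str
    source: str                    # CIDR or "any"
    action: str                    # "allow" or "deny"
    enabled: bool = True
    intrazone_only: bool = False   # set only on intrazone-default
    hit_count: int = 0
    first_hit: Optional[datetime] = None   # cannot be reset
    last_hit: Optional[datetime] = None    # cannot be reset

    def matches(self, from_zone: str, to_zone: str, src_ip: str) -> bool:
        if self.intrazone_only and from_zone != to_zone:
            return False
        if self.from_zone not in ("any", from_zone):
            return False
        if self.to_zone not in ("any", to_zone):
            return False
        if self.source != "any" and ip_address(src_ip) not in ip_network(self.source):
            return False
        return True


class Rulebase:
    """Configured rules in evaluation order, followed by the two predefined rules."""

    def __init__(self, rules):
        self.rules = list(rules)
        # Predefined rules always sit at the bottom of the rulebase and cannot be moved.
        self.defaults = [
            Rule("intrazone-default", "any", "any", "any", "allow", intrazone_only=True),
            Rule("interzone-default", "any", "any", "any", "deny"),
        ]

    def evaluate(self, from_zone: str, to_zone: str, src_ip: str, when=None) -> Rule:
        """Return the first enabled rule that matches, recording the hit on it."""
        when = when or datetime.now()
        for rule in self.rules + self.defaults:
            if rule.enabled and rule.matches(from_zone, to_zone, src_ip):
                rule.hit_count += 1
                if rule.first_hit is None:
                    rule.first_hit = when
                rule.last_hit = when
                return rule
        raise AssertionError("unreachable: interzone-default matches everything")

    def move_top(self, name: str) -> None:
        """Equivalent of Move Top: the rule is evaluated before all other configured rules."""
        rule = self.get(name)
        self.rules.remove(rule)
        self.rules.insert(0, rule)

    def reset_hit_count(self, names=None) -> None:
        """Reset Rule Hit Counter for All Rules (names=None) or only the Selected rules."""
        for rule in self.rules:
            if names is None or rule.name in names:
                rule.hit_count = 0        # First Hit and Last Hit are deliberately kept

    def unused_rules(self):
        """Highlight Unused Rules: configured rules whose Hit Count is still zero."""
        return [r.name for r in self.rules if r.hit_count == 0]

    def get(self, name: str) -> Rule:
        return next(r for r in self.rules if r.name == name)


if __name__ == "__main__":
    rb = Rulebase([
        Rule("allow-web", "trust", "untrust", "10.1.0.0/16", "allow"),
        Rule("deny-guest", "guest", "untrust", "any", "deny"),
    ])
    print(rb.evaluate("trust", "untrust", "10.1.4.8").name)   # allow-web
    print(rb.evaluate("dmz", "trust", "192.0.2.5").name)      # interzone-default
    print(rb.unused_rules())                                  # ['deny-guest']
```

Because a disabled rule is skipped entirely, disabling a rule has the same effect on evaluation as deleting it, while its Hit Count history is preserved; that is why the page suggests disabling before deleting when monitoring unused rules.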
To show or hide the columns that display in the Policies pages, select this option next to the column name to toggle the display of each column.
To apply a filter to the list, select from the Filter Rules drop-down. To add a value to define a filter, click the drop-down for the item and choose Filter.
The default rules are not part of rulebase filtering and always show up in the list of filtered rules.
To view the network sessions that were logged as matches against the policy, click the drop-down for the rule name and choose Log Viewer.
To display the current value, click the drop-down for an entry and choose Value. You can also edit, filter, or remove certain items directly from the column menu. For example, to view addresses included in an address group, hold your mouse over the object in the Address column, click the drop-down and select Value. This allows you to quickly view the members and the corresponding IP addresses for the address group without having to navigate to the Object tab.
To find objects used within a policy based on their name or IP address, use the filter option. After you apply the filter, you will see only the items that match the filter. The filter also works with embedded objects. For example, when you filter on 10.1.4.8, only the policy that contains that address is displayed:
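The Value and filter behaviour described above (showing an address group's members with their IP addresses, and matching a rule on an address that is only present inside an embedded object) can be reproduced with a small resolver. The following is an added example, not PAN-OS code; the address objects, address groups and rule names are constructed for illustration, and rule entries typed as literals are assumed to be CIDRs. It goes slightly beyond the page by resolving nested address groups and guarding against a group that contains itself.

```python
"""Resolve address groups and filter a rulebase by object name or IP.

Added illustration only, not PAN-OS code. All objects and rules below are
constructed sample data standing in for the Objects and Policies tabs.
"""
from ipaddress import ip_address, ip_network

# Constructed Address objects: name -> CIDR
ADDRESSES = {
    "web-01": "10.1.4.8/32",
    "web-02": "10.1.4.9/32",
    "corp-lan": "10.2.0.0/16",
}

# Constructed Address Groups: name -> member objects (groups may nest)
ADDRESS_GROUPS = {
    "web-servers": ["web-01", "web-02"],
    "all-internal": ["web-servers", "corp-lan"],
}

# Constructed Security rulebase in evaluation order: name -> Address columns
RULES = {
    "allow-web": {"source": ["any"], "destination": ["web-servers"]},
    "allow-corp-out": {"source": ["corp-lan"], "destination": ["any"]},
    "legacy-dmz": {"source": ["192.0.2.10/32"], "destination": ["any"]},
}


def expand(obj, seen=None):
    """Return {member_name: cidr} for an address, a (nested) group, or a literal CIDR."""
    seen = seen or set()
    if obj in seen:
        raise ValueError(f"address group loop at {obj}")
    seen = seen | {obj}
    if obj in ADDRESS_GROUPS:
        members = {}
        for member in ADDRESS_GROUPS[obj]:
            members.update(expand(member, seen))
        return members
    if obj in ADDRESSES:
        return {obj: ADDRESSES[obj]}
    if obj == "any":
        return {}                 # "any" has no enumerable members
    return {obj: obj}             # literal CIDR typed directly into the rule


def value(obj):
    """What the Value menu item shows: members and their IP addresses."""
    return expand(obj)


def filter_rules(term):
    """Rule names whose Address columns match term, with embedded objects expanded.

    term may be an object name (address or group) or an IP address; an IP matches
    when it falls inside any resolved member network.
    """
    try:
        ip = ip_address(term)
    except ValueError:
        ip = None
    matched = []
    for name, columns in RULES.items():
        hit = False
        for objects in columns.values():
            for obj in objects:
                members = expand(obj)
                if term == obj or term in members:
                    hit = True
                elif ip is not None and any(
                    ip in ip_network(cidr, strict=False) for cidr in members.values()
                ):
                    hit = True
        if hit:
            matched.append(name)
    return matched


if __name__ == "__main__":
    print(value("all-internal"))
    print(filter_rules("10.1.4.8"))   # only the rule that embeds web-01
```

The filter returns rules in rulebase order, mirroring the web interface, and an address group that indirectly contains itself raises an error instead of recursing forever.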
Preview rules (Panorama only)
Preview Rules to view a list of the rules before you push the rules to the managed firewalls. Within each rulebase, the hierarchy of rules is visually demarcated for each device group (and managed firewall) to make it easier to scan through a large number of rules.
Export Configuration Table
Administrative roles with a minimum of read-only access can export the policy rulebase as PDF/CSV. You can apply filters to create more specific table configuration outputs for things such as audits. Only visible columns in the web interface will be exported. See Configuration Table Export.