A policy object is a single object or a collective unit that groups discrete identities such as IP addresses, URLs, applications, or users. With policy objects that are a collective unit, you can reference the object in security policy instead of manually selecting multiple objects one at a time. Typically, when creating a policy object, you group objects that require similar permissions in policy. For example, if your organization uses a set of server IP addresses for authenticating users, you can group the set of server IP addresses as an address group policy object and reference the address group in the security policy. By grouping objects, you can significantly reduce the administrative overhead in creating policies.
If you need to export specific parts of the configuration for internal review or audit, you can Export Configuration Table Data as a PDF or CSV file.
You can create the following policy objects on the firewall:
Address/Address Group, Region
Allow you to group specific source or destination addresses that require the same policy enforcement. The address object can include an IPv4 or IPv6 address (single IP, range, subnet), an IP wildcard address (IPv4 address/wildcard mask), or an FQDN. Alternatively, a region can be defined by latitude and longitude coordinates, or you can select a country and define an IP address or IP range. You can then group a collection of address objects to create an address group object.
You can also use dynamic address groups to dynamically update IP addresses in environments where host IP addresses change frequently.
The predefined External Dynamic Lists (EDLs) on the firewall count toward the maximum number of address objects that a firewall model supports.
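The following added example (not vendor code) models how the IPv4 address-object forms listed above resolve to concrete addresses, so you can check which member of an address group covers a given host and how many addresses the group really permits. It assumes that a 0 bit in a wildcard mask must match and a 1 bit is ignored; the group name and addresses are constructed, and FQDN and IPv6 objects are left out.

```python
import ipaddress

def _ip(text):
    return int(ipaddress.IPv4Address(text.strip()))

def compile_object(value):
    """Return (matches(ip) -> bool, address_count) for one IPv4 object value."""
    if "-" in value:                                    # range: first-last
        lo, hi = (_ip(p) for p in value.split("-", 1))
        if lo > hi:
            raise ValueError(f"range start is above range end: {value}")
        return (lambda ip: lo <= _ip(ip) <= hi), hi - lo + 1
    if "/" in value:
        base, suffix = value.split("/", 1)
        if "." in suffix:                               # address/wildcard mask
            addr, mask = _ip(base), _ip(suffix)
            care = ~mask & 0xFFFFFFFF                   # bits that must match
            count = 2 ** bin(mask).count("1")           # one address per wildcard combination
            return (lambda ip: (_ip(ip) & care) == (addr & care)), count
        net = ipaddress.IPv4Network(value, strict=False)    # subnet in CIDR form
        return (lambda ip: ipaddress.IPv4Address(ip) in net), net.num_addresses
    single = _ip(value)                                 # single IP
    return (lambda ip: _ip(ip) == single), 1

# Constructed sample group (names and addresses are illustrative only).
AUTH_SERVERS = {
    "auth-dc-1": "10.1.1.10",
    "auth-pool": "10.1.2.20-10.1.2.29",
    "auth-net": "10.1.3.0/28",
    "auth-per-site": "10.0.0.5/0.0.255.0",   # host .5 in every 10.0.x.0/24
}

def matching_members(group, ip):
    """Names of the member objects in the group that cover ip."""
    return [name for name, value in group.items() if compile_object(value)[0](ip)]

def group_size(group):
    """Upper bound on addresses the group permits (overlaps counted twice)."""
    return sum(compile_object(value)[1] for value in group.values())

if __name__ == "__main__":
    for probe in ("10.1.2.25", "10.0.77.5", "10.1.3.16"):
        print(probe, matching_members(AUTH_SERVERS, probe))
    print("addresses covered:", group_size(AUTH_SERVERS))
```

A single wildcard object contributes 256 of the addresses in this group, which is the kind of breadth that is easy to miss when reviewing a rule that references only the group name.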
Allow you to create a list of users from the local database or an external database and group them.
Application Group and Application Filter
An Application Filter allows you to filter applications dynamically. It allows you to filter and save a group of applications using the attributes defined in the application database on the firewall. For example, you can create an application filter by one or more attributes: category, sub-category, technology, risk, characteristics. With an application filter, when a content update occurs, any new applications that match your filter criteria are automatically added to your saved application filter.
An Application Group allows you to create a static group of specific applications that you want to group together for a group of users or for a particular service, or to achieve a particular policy goal. See Create an Application Group.
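The difference between the two object types matters for rule review: a filter's membership can grow after a content update, while a group's cannot. The added example below (not vendor code) models both and reports which applications an update brought into a saved filter's scope; the application names and attribute values are constructed, and the characteristics attribute is omitted for brevity.

```python
def app(name, category, subcategory, technology, risk):
    return {"name": name, "category": category, "subcategory": subcategory,
            "technology": technology, "risk": risk}

# Constructed application database before and after a content update.
DB_BEFORE = [
    app("example-share", "general-internet", "file-sharing", "browser-based", 4),
    app("example-mail", "collaboration", "email", "client-server", 2),
    app("example-p2p", "general-internet", "file-sharing", "peer-to-peer", 5),
]
DB_AFTER = DB_BEFORE + [
    app("example-newdrop", "general-internet", "file-sharing", "browser-based", 5),
    app("example-chat", "collaboration", "instant-messaging", "client-server", 1),
]

def filter_members(db, **criteria):
    """Dynamic membership: every named attribute must be in its allowed set."""
    unknown = set(criteria) - {"category", "subcategory", "technology", "risk"}
    if unknown:
        raise ValueError(f"unknown attribute(s): {sorted(unknown)}")
    return {a["name"] for a in db
            if all(a[attr] in allowed for attr, allowed in criteria.items())}

def group_members(db, names):
    """Static membership: only the listed names that exist in the database."""
    return {a["name"] for a in db} & set(names)

def update_drift(before, after, **criteria):
    """Applications a content update added to a saved filter's scope."""
    return sorted(filter_members(after, **criteria) - filter_members(before, **criteria))

if __name__ == "__main__":
    risky_sharing = {"subcategory": {"file-sharing"}, "risk": {4, 5}}
    print("filter before:", sorted(filter_members(DB_BEFORE, **risky_sharing)))
    print("filter after: ", sorted(filter_members(DB_AFTER, **risky_sharing)))
    print("added by update:", update_drift(DB_BEFORE, DB_AFTER, **risky_sharing))
    static = ["example-share", "example-p2p"]
    print("group after:  ", sorted(group_members(DB_AFTER, static)))
```

Running the drift check after each content update gives a short list of applications to review before they are silently allowed or blocked by rules that reference the filter.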
Allows you to specify the source and destination ports and protocol that a service can use. The firewall includes two predefined services, service-http and service-https, that use TCP ports 80 and 8080 for HTTP, and TCP port 443 for HTTPS. You can, however, create any custom service on any TCP/UDP port of your choice to restrict application usage to specific ports on your network (in other words, you can define the default port for the application).
To view the standard ports used by an application, in Objects > Applications search for the application and click the link. A succinct description displays.