Create a Security Policy Rule
- (Optional) Delete the default Security policy rule.By default, the firewall includes a security rule namedrule1that allows all traffic from Trust zone to Untrust zone. You can either delete the rule or modify the rule to reflect your zone naming conventions.
- Add a rule.
- SelectandPoliciesSecurityAdda new rule.
- In theGeneraltab, enter a descriptiveNamefor the rule.
- Select aRule Type.
- Define the matching criteria for the source fields in the packet.
- In theSourcetab, select aSource Zone.
- Specify aSource IP Addressor leave the value set toany.
- Specify a SourceUseror leave the value set toany.
- Define the matching criteria for the destination fields in the packet.
- In theDestinationtab, set theDestination Zone.
- Specify aDestination IP Addressor leave the value set toany.As a best practice, use address objects as theDestination Addressto enable access to only specific servers or specific groups of servers especially for commonly exploited services, such as DNS and SMTP. By restricting users to specific destination server addresses, you can prevent data exfiltration and command-and-control traffic from establishing communication through techniques such as DNS tunneling.
- Specify the application that the rule will allow or block.As a best practice, always use application-based security policy rules instead of port-based rules and always set the Service to application-default unless you are using a more restrictive list of ports than the standard ports for an application.
- In theApplicationstab,AddtheApplicationyou want to safely enable. You can select multiple applications or you can use application groups or application filters.
- In theService/URL Categorytab, keep the Service set toapplication-defaultto ensure that any applications that the rule allows are allowed only on their standard ports.
- (Optional) Specify a URL category as match criteria for the rule.In theService/URL Categorytab, select theURL Category.If you select a URL category, only web traffic will match the rule and only if the traffic is destined for that specified category.
- Define what action you want the firewall to take for traffic that matches the rule.
- Configure the log settings.
As a best practice, do not select the check box toDisable Server Response Inspection(DSRI). Selecting this option prevents the firewall from inspecting packets from the server to the client. For the best security posture, the firewall must inspect both the client-to-server flows and the server-to-client flows to detect and prevent threats.
- By default, the rule is set toLog at Session End. You can disable this setting if you don’t want any logs generated when traffic matches this rule or you can selectLog at Session Startfor more detailed logging.
- Select aLog Forwardingprofile.
- Attach security profiles to enable the firewall to scan all allowed traffic for threats.In theActionstab, selectProfilesfrom theProfile Typedrop-down and then select the individual security profiles to attach to the rule.Alternatively, selectGroupfrom theProfile Typedrop-down and select a securityGroup Profileto attach.
- ClickCommitto save the policy rule to the running configuration on the firewall.
- To verify that you have set up your basic security policies effectively, test whether your security policy rules are being evaluated and determine which security policy rule applies to a traffic flow.The output displays the best rule that matches the source and destination IP address specified in the CLI command.For example, to verify the policy rule that will be applied for a server in the data center with the IP address 188.8.131.52 when it accesses the Microsoft update server:
- Select, and selectDeviceTroubleshootingSecurity Policy Matchfrom the Select Test drop-down.
- Enter the Source and Destination IP addresses.
- Enter the Protocol.
- Executethe security policy match test.
- After waiting long enough to allow traffic to pass through the firewall, View Policy Rule Usage to monitor the policy rule usage status and determine the effectiveness of the policy rule.
Set Up a Basic Security Policy
Set Up a Basic Security Policy Now that you defined some zones and attached them to interfaces, you are ready to begin creating your Security ...
Use Device Groups to Push Policy Rules
Use Device Groups to Push Policy Rules The third task in Use Case: Configure Firewalls Using Panorama is to create the device groups to manage ...
Security Policy Overview
Security Policy Overview Security policies allow you to enforce rules and take action, and can be as general or specific as needed. The policy rules ...
Create Internet-to-Data-Center Decryption Policy Rules
Create rules that decrypt partner, vendor, customer, and other third-party traffic from the internet to the data center so you can inspect the traffic and ...
Use Case: Use URL Categories for Policy Matching
Use Case: Use URL Categories for Policy Matching You can also use URL categories as match criteria in the following policy types: Authentication, Decryption, Security, ...
Create a Decryption Policy Rule
Decryption policy rules granularly define the traffic to decrypt or not to decrypt based on the source, destination, service (application port), and URL Category. ...
Enforce Policy on an External Dynamic List
Enforce Policy on an External Dynamic List Block or allow traffic based on IP addresses or URLs in an external dynamic list, or use an ...
Use Case: Control Web Access
Use Case: Control Web Access When using URL filtering to control user website access, there may be instances where granular control is required for a ...
Push a Policy Rule to a Subset of Firewalls
Push a Policy Rule to a Subset of Firewalls A policy target allows you to specify the firewalls in a device group to which to ...