Security Policy Overview
Security policies allow you to enforce rules and take action, and can be as general or specific as needed. The policy rules are compared against the incoming traffic in sequence, and because the first rule that matches the traffic is applied, the more specific rules must precede the more general ones. For example, a rule for a single application must precede a rule for all applications if all other traffic-related settings are the same.
To ensure that end users authenticate when they try to access your network resources, the firewall evaluates Authentication policy before Security policy. For details, see Policies > Authentication.
For traffic that doesn’t match any user-defined rules, the default rules apply. The default rules—displayed at the bottom of the security rulebase—are predefined to allow all intrazone traffic (within the zone) and deny all interzone traffic (between zones). Although these rules are part of the pre-defined configuration and are read-only by default, you can Override them and change a limited number of settings, including the tags, action (allow or deny), log settings, and security profiles.
The interface includes the following tabs for defining Security policy rules.
- General—Select the General tab to configure a name and description for the Security policy rule.
- Source—Select the Source tab to define the source zone or source address from which the traffic originates.
- User—Select the User tab to enforce policy for individual users or a group of users. If you are using GlobalProtect™ with host information profile (HIP) enabled, you can also base the policy on information collected by GlobalProtect. For example, the user access level can be determined HIP that notifies the firewall about the user's local configuration. The HIP information can be used for granular access control based on the security programs that are running on the host, registry values, and many other checks such as whether the host has antivirus software installed.
- Destination—Select the Destination tab to define the destination zone or destination address for the traffic.
- Application—Select the Application tab to have the policy action occur based on an application or application group. An administrator can also use an existing App-ID™ signature and customize it to detect proprietary applications or to detect specific attributes of an existing application. Custom applications are defined in ObjectsApplications.
- Service/URL Category—Select the Service/URL Category tab to specify a specific TCP and/or UDP port number or a URL category as match criteria in the policy.
- Action—Select the Action tab to determine the action that will be taken based on traffic that matches the defined policy attributes.
- Usage—Select the Usage tab to view a rule’s usage, including the number of applications seen on a rule, when the last new applications was seen on the rule, hit count data, traffic over the past 30 days, and when the rule was created and last edited.
Policies > Decryption
Policies > Decryption You can configure the firewall to decrypt traffic for visibility, control, and granular security. Decryption policies can apply to Secure Sockets Layer ...
Use Device Groups to Push Policy Rules
Use Device Groups to Push Policy Rules The third task in Use Case: Configure Firewalls Using Panorama is to create the device groups to manage ...
Create a Security Policy Rule
Create a Security Policy Rule ( Optional ) Delete the default Security policy rule. By default, the firewall includes a security rule named rule1 that ...
Set Up a Basic Security Policy
Set Up a Basic Security Policy Now that you defined some zones and attached them to interfaces, you are ready to begin creating your Security ...
Policies > Application Override
Policies > Application Override To change how the firewall classifies network traffic into applications, you can specify application override policies. For example, if you want ...
Policies > QoS
Policies > QoS Add QoS policy rules to define the traffic that receives specific QoS treatment and assign a QoS class for each QoS policy ...
Building Blocks in a Security Policy Rule
Building Blocks in a Security Policy Rule Policies > Security The following section describes each component in a Security policy rule . When you create ...
Use Case: Control Web Access
Use Case: Control Web Access When using URL filtering to control user website access, there may be instances where granular control is required for a ...
Create a Decryption Policy Rule
Decryption policy rules granularly define the traffic to decrypt or not to decrypt based on the source, destination, service (application port), and URL Category. ...