The Palo Alto Networks next-generation firewall supports
a variety of policy types that work together to safely enable applications
on your network.
It is important to understand that the set of IPv4 addresses
is treated as a subset of the set of IPv6 addresses, as described
in detail in Policy.
For all policy types, when you Enforce Policy Rule Description, Tag, and Audit Comment, you can use
the audit comment archive to view how a policy rule changed over
time. The archive, which includes the audit comment history and
the configuration logs, enables you to compare configuration versions
and review who created or modified and why.
Determine whether to block or allow a session
based on traffic attributes such as the source and destination security
zone, the source and destination IP address, the application, user,
and the service. For more details, see Security
Instruct the firewall which packets need
translation and how to do the translation. The firewall supports
both source address and/or port translation and destination address
and/or port translation. For more details, see NAT.
Identify traffic requiring QoS treatment
(either preferential treatment or bandwidth-limiting) using a defined
parameter or multiple parameters and assign it a class. For more
details, see Quality
Policy Based Forwarding
Identify traffic that should use a different
egress interface than the one that would normally be used based
on the routing table. For more details, see Policy-Based
Identify encrypted traffic that you want
to inspect for visibility, control, and granular security. For more
details, see Decryption.
Identify sessions that you want to bypass
App-ID layer 7 processing and threat inspection. Traffic that matches
an application override policy forces the firewall to handle the
session as a stateful inspection firewall at layer 4. Only use Application
Override when you must and in the most highly trusted environments where
you can apply the principle of least privilege strictly. For more
details, see Application Override.