Security policy protects network assets from threats
and disruptions and helps to optimally allocate network resources
for enhancing productivity and efficiency in business processes.
On a Palo Alto Networks firewall, individual Security policy rules determine
whether to block or allow a session based on traffic attributes,
such as the source and destination security zone, the source and
destination IP address, the application, the user, and the service.
To ensure that end users authenticate when they try to
access your network resources, the firewall evaluates Authentication
Policy before Security policy.
All traffic passing through the firewall is matched against a
session and each session is matched against a Security policy rule.
When a session match occurs, the firewall applies the matching Security
policy rule to bidirectional traffic in that session (client to
server and server to client). For traffic that doesn’t match any
defined rules, the default rules apply. The default rules—displayed
at the bottom of the security rulebase—are predefined to allow all
intrazone traffic (within a zone) and deny all interzone traffic
(between zones). Although these rules are part of the predefined configuration
and are read-only by default, you can override them and change a limited
number of settings, including the tags, action (allow or block),
log settings, and security profiles.
Security policy rules are evaluated left to right and from top
to bottom. A packet is matched against the first rule that meets
the defined criteria and, after a match is triggered, subsequent
rules are not evaluated. Therefore, the more specific rules must
precede more generic ones in order to enforce the best match criteria.
Traffic that matches a rule generates a log entry at the end of
the session in the traffic log if you enable logging for that rule.
The logging options are configurable for each rule and can, for
example, be configured to log at the start of a session instead
of, or in addition to, logging at the end of a session.
After an administrator configures a rule, you can View Policy Rule Usage to
determine when and how many times traffic matches the Security policy
rule to determine its effectiveness. As your rulebase evolves, change
and audit information get lost over time unless you archived this
information at the time the rule is created or modified. You can Enforce Policy Rule Description, Tag, and Audit Comment to ensure
that all administrators enter audit comments so that you can view
the audit comment archive and review comments and configuration
log history and can compare rule configuration versions for a selected
rule. Together, you now have more visibility into and control over