Prisma SD-WAN
Add a Security Policy Stack
Learn about security policy stacks in Prisma SD-WAN.
Security Policy Stack Types
You can create a simple security policy stack or an advanced security policy stack.
Simple Stack
- Use when you have straightforward security requirements (fewer than 50 rules).
- The system applies exactly one policy set.
- This option fits small branch offices or environments that require consistent security across all sites.
Advanced Stack
- Use when you need layered security (for example, guest access, corporate access, and servers).
- The system evaluates up to four policy sets from left to right.
- This option fits complex environments with multiple security zones and some common and some varying policy rules across sites.
Policy Set Evaluation
A Default Policy Set provides default rules for public and private traffic. These
rules apply when none of the rules in the four user-defined policy sets match.
When traffic arrives, the ION device evaluates policy sets from left to right, and
policy rules top to bottom within a policy set. The device stops evaluation after it
finds the first matching rule.
Best Practice
Organize policy sets from most specific to most general.
For example, you can group rules that are unique or specific to some
sites in Policy Set 1 and Set 2, and group common rules in Policy Set 3 or Set 4
so that you can reuse them in the policy stacks for multiple sites.
Another example of grouping the Policy Sets is shown below:
- Policy Set 1: Define rules for time-sensitive or high-priority applications (for example, voice and video).
- Policy Set 2: Define rules for standard business applications.
- Policy Set 3: Define rules for general access.
- Policy Set 4: Define exception and deny rules.
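The evaluation order and ordering guidance above, modeled as an added Python example (not Palo Alto Networks code and not a Prisma SD-WAN API): it walks a stack with first-match semantics and flags rules that an earlier, broader rule makes unreachable. The rule fields, set names, sample rules and the default rule's deny action are assumptions constructed for illustration.

```python
from dataclasses import dataclass

ANY = "any"

@dataclass(frozen=True)
class Rule:  # simplified model (assumption): one source zone, destination zone and app
    name: str
    src_zone: str
    dst_zone: str
    app: str
    action: str

    def fields(self):
        return (self.src_zone, self.dst_zone, self.app)
    def matches(self, flow):
        return all(want in (ANY, got) for want, got in zip(self.fields(), flow))
    def covers(self, other):  # True when every flow `other` matches also matches this rule
        return all(mine in (ANY, theirs) for mine, theirs in zip(self.fields(), other.fields()))

def flatten(stack, default_set=None):
    # Evaluation order: policy sets left to right, rules top to bottom, default set last.
    if len(stack) > 4:
        raise ValueError("a stack holds at most four user-defined policy sets")
    sets = list(stack) + ([default_set] if default_set else [])
    return [(set_name, rule) for set_name, rules in sets for rule in rules]

def evaluate(stack, default_set, flow):
    # First match wins and evaluation stops there; returns None if nothing matches.
    for set_name, rule in flatten(stack, default_set):
        if rule.matches(flow):
            return set_name, rule.name, rule.action

def shadowed(stack):
    # Report user-defined rules that can never match because an earlier rule covers them.
    order, findings = flatten(stack), []
    for i, (_, rule) in enumerate(order):
        hit = next((e for _, e in order[:i] if e.covers(rule)), None)
        if hit:
            findings.append((rule.name, hit.name, hit.action != rule.action))
    return findings

# Constructed sample stack and default set (the default action is an assumption).
STACK = [
    ("Set-1", [Rule("allow-voice", "corp", "wan", "sip", "allow")]),
    ("Set-2", [Rule("allow-crm", "corp", "wan", "crm", "allow")]),
    ("Set-3", [Rule("allow-guest-web", "guest", "wan", ANY, "allow")]),
    ("Set-4", [Rule("deny-guest-p2p", "guest", "wan", "bittorrent", "deny")]),
]
DEFAULT = ("Default", [Rule("default-rule", ANY, ANY, ANY, "deny")])
```

With this sample, `shadowed(STACK)` reports that `deny-guest-p2p` in Set-4 never matches because the broader `allow-guest-web` in Set-3 is evaluated first, so a deny rule intended as an exception must sit ahead of any broader allow rule that covers the same traffic.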
- Add a simple security policy stack.
  - Select Configuration > Prisma SD-WAN > Policies > Security > Security Stacks > Simple > Add Stack.
  - On the Add Security Stack screen, enter a Name for the stack, and an optional description and tags.
  - (Optional) Select the Clone From Simple Security Stack check box to clone a stack, and select a stack to clone from Choose a Simple Security Stack.
  - Save your changes.
- Add an advanced security policy stack.
  - Select Configuration > Prisma SD-WAN > Policies > Security > Security Stacks > Advanced > Add Stack.
  - On the newly added row in the Name column, click the ellipsis menu for the stack and select Edit Policy Set Stack Info.
  - Enter a Name for the stack, optionally enter a description and tags, and Save.
Bind Security Stacks to Sites
For stacked security policy rules to be active, bind security policy set stacks to a site. You can bind a single security policy set stack to a site at a time.
- Select Configuration > Prisma SD-WAN > Policies > Stacked Bindings.
- For a site, select a security stack from the Security Policy Set Stack list and Save.
- (Optional) You can assign a security policy set stack to multiple sites at a time by selecting multiple sites, and selecting the security stack for assigning to sites.
After you bind a security stack to a site, the ION device loads the policy. This process typically takes 1-2 seconds. Existing connections continue without interruption.