Policy Objects
Create Prisma Access objects for use in your policy configurations.
Prisma Access objects are policy building blocks. Use them to define and group entities, settings, or preferences. You can then easily reference and reuse the objects in policy. When you update an object definition (or if it is updated dynamically, which might be true for certain objects), the policy rules referencing that object automatically enforce your latest changes. Here are the objects available to you as Prisma Access policy building blocks.

When used together, some objects can help you to automate policy action: auto-tags, dynamic user groups, and dynamic address groups.
Object | Description
---|---
Addresses, Address Groups (including DAGs), Regions | Allows you to group specific source or destination addresses that require the same policy enforcement. Address objects can include IPv4 and IPv6 addresses (single IP, range, subnet) or FQDNs. Alternatively, you may define a region by latitude and longitude coordinates, or you can select a country and define an IP address or range. You can then group a collection of address objects to create an address group object.
Applications, Application Groups, Application Filters | Allows you to define the applications in use by your organization and their risk. Additionally, you can group a collection of applications that require the same policy enforcement to create an Application Group. This simplifies administration of your rulebase: when the set of applications you support changes, you update only the affected application group rather than multiple policy rules. Create an Application Filter to dynamically group applications based on application attributes that you define. This is useful when you want to safely enable access to applications that you do not explicitly sanction, but want users to be able to access.
Services, Service Groups | Allows you to specify the source and destination ports and protocols that a service can use. You can also create a custom service on any TCP/UDP port of your choice to restrict application usage to specific ports on your network. After you have created your service objects, you can group a collection of services that require the same policy enforcement to create a Service Group.
Dynamic User Groups (DUGs) | Dynamic user groups are groups whose membership is based on tags. This means that group membership is based on an attribute or activity that the tag identifies, and members are included in the group only while they meet that criteria. A dynamic user group that is based on an auto-tag includes the users or IP addresses associated with a certain type of log activity (specified by you when you set up the auto-tag). This means you can specify your security requirements based on the activity you want to limit or block, instead of the entity (user or IP address), and you don’t need to manually update policy or groups to respond to a threat.
Tags | Tag policies and objects to group related items and add colors to visually distinguish them from other configured policies and objects for easy scanning. You can tag all Prisma Access policies, as well as address objects, address groups, service objects, and service groups. You can apply one or more tags to any policy rule or object, up to a maximum of 64 tags. Prisma Access supports up to 10,000 tags.
Auto-Tags | Prisma Access can automatically tag the users or IP addresses associated with a log entry. When you use auto-tags to build policy, you can automatically enforce policy on users and IP addresses based on behavior and activity. You don’t need to manually and retroactively adjust policy or groups. To get started, set up an auto-tag and then use it to populate a dynamic address group or a dynamic user group. Then, add the dynamic group to a policy rule.
HIP Objects, HIP Profiles | Allows you to define objects for the host information profile (HIP) that provide matching criteria for filtering the raw data describing how the device is maintained. This information includes whether data is encrypted, whether antivirus signatures are up to date, whether the device is jailbroken, and more. You can use this device state information to enforce policy. After you have created your HIP objects, you can group a collection of HIP objects to create a HIP Profile that is evaluated together for monitoring or for policy enforcement.
External Dynamic Lists | Allows you to define an imported list of IP addresses, URLs, or domain names that you can use in policy rules to block or allow traffic.
URL Category | Allows you to create a custom URL category object to use in a URL Filtering profile to specify exceptions to URL category enforcement, and to create a custom URL category based on multiple URL categories.
Certificates | Centrally manage the certificates you use to secure communication across your network. In one place, set up your certificates, add certificate authorities (Prisma Access includes preloaded certificates for well-known CAs), add OCSP responders, and define the certificate checks you want to require. The certificates and settings you set up here can be used throughout your Prisma Access deployment to secure features like decryption, your authentication portal, and the GlobalProtect app.
Profile Groups | Security profiles scan traffic for threats, and a profile group is a collection of each type of profile. To enable security profile scanning, you must build a profile group and attach the group to a security rule. Prisma Access provides predefined security profiles that you can use to build a profile group. The best practice profiles use the strict security settings that Palo Alto Networks recommends. Some profile types also include additional rules besides the best practice rules. You can optionally use these less strict profiles to scan, for example, applications that are not business-critical or that you allow for personal use, while continuing to use the strict best practice rules to protect your most sensitive enterprise applications. Review all built-in security profile settings.
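The auto-tag, dynamic group and tag rows above describe one mechanism: a log entry attaches a tag to an entity, the dynamic group's membership is recomputed from tags, and a rule that references the group enforces the change without being edited. The following is an added model of that flow, not Prisma Access code; the log dictionary format, tag names and match syntax (OR over terms, AND within a term) are constructed assumptions.

```python
# Model of tag-driven policy automation: auto-tag -> dynamic group -> rule.
# Constructed example; entity names, log layout and tags are assumptions.
from dataclasses import dataclass, field

@dataclass
class TagRegistry:
    """Maps an entity (IP address or user name) to the tags attached to it."""
    tags: dict = field(default_factory=dict)

    def add(self, entity: str, tag: str) -> None:
        self.tags.setdefault(entity, set()).add(tag)

@dataclass
class AutoTag:
    """Tags the entity in `field_name` of every log whose type matches."""
    log_type: str
    field_name: str   # e.g. "src" for the source IP, "user" for the user
    tag: str

    def apply(self, log: dict, registry: TagRegistry) -> bool:
        if log.get("type") != self.log_type or self.field_name not in log:
            return False
        registry.add(log[self.field_name], self.tag)
        return True

@dataclass
class DynamicGroup:
    """Membership is derived from tags: OR across terms, AND inside a term."""
    name: str
    match: list   # e.g. [["auto-threat-src", "quarantine"], ["manual-block"]]

    def members(self, registry: TagRegistry) -> set:
        return {e for e, t in registry.tags.items()
                if any(all(tag in t for tag in term) for term in self.match)}

@dataclass
class Rule:
    name: str
    source: DynamicGroup
    action: str

    def evaluate(self, src: str, registry: TagRegistry):
        """Return the action if `src` is currently a member, else None."""
        return self.action if src in self.source.members(registry) else None

def demo() -> tuple:
    reg = TagRegistry()
    auto = AutoTag("threat", "src", "auto-threat-src")
    dag = DynamicGroup("quarantine-hosts", [["auto-threat-src"]])
    rule = Rule("block-quarantined", dag, "deny")
    before = rule.evaluate("10.1.2.3", reg)          # None: not tagged yet
    logs = [{"type": "traffic", "src": "10.1.2.3"},  # constructed log entries
            {"type": "threat", "src": "10.1.2.3"}]
    tagged = [auto.apply(entry, reg) for entry in logs]
    after = rule.evaluate("10.1.2.3", reg)           # "deny"; rule unchanged
    return before, tagged, after
```

Only the threat log entry matches the auto-tag, so the host joins the group and the unchanged rule starts denying it; a tag never attached to a real entity in the registry contributes nothing to membership.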