Policy Objects

A policy object is a single object or a collective unit that groups discrete identities such as IP addresses, URLs, applications, or users. With policy objects that are a collective unit, you can reference the object in security policy instead of manually selecting multiple objects one at a time. Typically, when creating a policy object, you group objects that require similar permissions in policy. For example, if your organization uses a set of server IP addresses for authenticating users, you can group the set of server IP addresses as an address group object and reference the address group in the security policy. By grouping objects, you can significantly reduce the administrative overhead in creating policies.
When you update an object definition (or if it is updated dynamically, which might be true for certain objects), the policy rules referencing that object automatically enforce your latest changes.
When used together, some objects can help you to automate policy action: auto-tags, dynamic user groups, and dynamic address groups.
Here are the policy objects available to you with Prisma Access Cloud Management:
Object
Description
Addresses, Address Groups (including DAGs), Regions
Allows you to group specific source or destination addresses that require the same policy enforcement. Address objects can include IPv4 and IPv6 address (single IP, range, subnet), or FQDN. Alternatively, you may define a region by the latitude and longitude coordinates or you can select a country and define an IP address or range. You can then group a collection of address objects to create an address group object.
Applications, Application Groups, Application Filters
Allows you to define applications and their risk that are in use by your organization. Additionally, you can group a collection of applications to create an Application Group that require the same policy enforcement and simplifies administration of your rulebase by allowing you to update only the affected application group, rather than multiple policy rules, when there is a change of applications you support.
Create an Application Filter to dynamically group applications based on application attributes that you define. This is useful when you want to safely enable access to applications that you do not explicitly sanction, but want users to be able to access.
Services, Service Groups
Allows you to specify the source and destination ports and protocols that a service can use. You also create an custom service on any TCP/UDP port of your choice to restrict application usage to specific ports on your network. After you have created your service objects, you can then group a collection of services to create a Service Group that require the same policy enforcement.
Dynamic User Groups (DUGs)
Create dynamic user groups are groups where membership is based on tags. This means that the group membership is based on an attribute or activity that the tag identifies, and members are included in the group only when they meet that criteria. A dynamic user group that is based on an auto-tag includes users or IP addresses that are associated with a certain log type of log activity (specified by you when you set up the auto-tag). This means you can specify your security requirements based on the activity you want to limit or block, instead of the entity (user or IP address). And you don’t need to manually update policy or groups to respond to a threat.
Tags
Tag policies and objects to group related items and add colors to visually distinguish them from other configured policies and objects for easy scanning. You can tag all Prisma Access policies, as well as address objects, address groups, service objects, and service groups.
You can apply or more tags to any policy rule or object, with up to a maximum of 64 tags. Prisma Access supports up to 10,000 tags.
Auto-Tags
Prisma Access can automatically tag the users or IP addresses associated with a log entry. When you use auto-tags to build policy, you can automatically enforce users and IP addresses based on behavior and activity. You don’t need to manually and retroactively adjust policy or groups. To get started, set up an auto-tag and then use it to populate a dynamic address group or a dynamic user group. Then, add the dynamic user group to a policy rule.
HIP Objects, HIP Profiles
Allows you to define objects for the host information profile (HIP) to provide matching criteria for filtering the raw data which gives information about how the device is maintained. This information includes whether data is encrypted, if antivirus signatures are up to date, if the device is jailbroken and more. You can use the device state information to enforce policy. After you have created your HIP objects, you can then group a collection of HIP objects to create a HIP Profile to be evaluated together for monitoring or for policy enforcement.
External Dynamic Lists
Allows you to define an imported list of IP addresses, URLs, or domain names that you can use in policy rules to block or allow traffic.
URL Category
Allows you to create a custom URL category object to use in a URL Filtering profile to specify exceptions to URL category enforcement, and to create a custom URL category based on multiple URL categories.
Schedules
By default, security policy rules are always in effect (all dates and times). To limit a security rule to specific times, you can define schedules, and then apply them to the appropriate rules. For each schedule, you can specify a fixed date and time range or a recurring daily or weekly schedule. Add or edit a security rule to get started.
Quarantine Device Lists
Prisma Access allows you to identify and quarantine compromised devices with the GlobalProtect app. You can either manually or automatically (based on auto-tags) add devices to a quarantine list. You can block quarantined devices from accessing the network, or restrict the device traffic based on a security rule.To get started, go to Configuration > Objects and set up a Quarantined Device List. Then use the list as part of identity redistribution.
Certificates
Centrally manage the certificates you use to secure communication across your network. In one place, set up your certificates, add certificate authorities (Prisma Access includes preloaded certificates for well-known CAs), add OCSP responders, and define certificate checks you want to require. The certificates and settings you set up here can be used throughout your Prisma Access deployment to secure features like decryption, your authentication portal, and the GlobalProtect app.
Profile Groups
Security profiles scan traffic for threats, and a profile group is a collection of each type of profile. To enable security profile scanning, you must build a profile group, and attach the group to a security rule.Prisma Access provides predefined security profiles that you can use to a build a profile group. The best practice profiles use strict security settings that Palo Alto Networks recommends. Some profile types also include additional rules, besides the best practice rules. You can optionally use these less strict profiles to scan—for example—applications that are not business-critical or that you allow for personal use, while continuing to use the strict best practice rules to enforce your most sensitive enterprise applications. Review all built-in, security profile settings.

Recommended For You