All Policy Types
Your configuration supports a variety of policy types that work together to protect your network security and safely enable applications on your network.
Where Can I Use This?
  • NGFW (Cloud Managed)
  • NGFW (PAN-OS & Panorama Managed)
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
What Do I Need?
Check for any license or role requirements for the products you're using.
In addition to Security Policy, other policy types are supported across the Network Security platform. On Prisma Access, the supported policy types are: Security (Corporate Access and Internet Access), QoS, Decryption, Application Override, and Authentication.
You can create various types of policies to protect your network from threats and disruptions, and to help you optimize network resource allocation. Rules are evaluated from top to bottom; when traffic matches a rule's criteria, subsequent rules are not evaluated. Order more specific security rules above more generic ones so that the most specific match is enforced; a generic rule placed above a specific one prevents the specific rule from ever matching. A log is generated for traffic that matches a security rule when logging is enabled for that rule. Logging options are configurable for each rule.
Best practice security rules are available for most policy types and help you get started quickly and securely. These rules cannot be edited, which ensures that a minimum level of security is always readily available, but you can clone them to use as a foundation for customizing your policy.
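The first-match evaluation and ordering rule described above, as an added example that is not part of this documentation or the product's own code. The simplified Rule fields (zones, a source CIDR, an App-ID name, an action, with "any" as a wildcard) and the deny-on-no-match fallback are assumptions; the evaluator shows why a generic rule placed above a specific one shadows it, and shadowed_rules() finds such rules before they cause a policy gap.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    """Simplified security rule: 'any' in a field matches every value (assumption)."""
    name: str
    from_zone: str
    to_zone: str
    source: str        # CIDR or "any"
    application: str   # App-ID name or "any"
    action: str        # "allow" or "deny"

    def matches(self, from_zone, to_zone, src_ip, app):
        return (self.from_zone in ("any", from_zone)
                and self.to_zone in ("any", to_zone)
                and self.application in ("any", app)
                and (self.source == "any"
                     or ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.source)))

def evaluate(rulebase, from_zone, to_zone, src_ip, app):
    """Top-to-bottom, first-match evaluation: later rules are never consulted once one matches."""
    for rule in rulebase:
        if rule.matches(from_zone, to_zone, src_ip, app):
            return rule.name, rule.action
    return "no-match", "deny"  # assumption: an unmatched session is treated as denied

def _covers(broad, narrow):
    """True when every session that matches `narrow` would also match `broad`."""
    def field_covers(b, n):
        return b == "any" or b == n
    src_ok = broad.source == "any" or (
        narrow.source != "any"
        and ipaddress.ip_network(narrow.source).subnet_of(ipaddress.ip_network(broad.source)))
    return (field_covers(broad.from_zone, narrow.from_zone)
            and field_covers(broad.to_zone, narrow.to_zone)
            and field_covers(broad.application, narrow.application)
            and src_ok)

def shadowed_rules(rulebase):
    """Names of rules that can never match because an earlier rule already covers their traffic."""
    return [later.name for i, later in enumerate(rulebase)
            if any(_covers(earlier, later) for earlier in rulebase[:i])]

# Constructed sample rulebase: the generic allow sits above the more specific block,
# so guest hosts in 10.10.0.0/16 are allowed and the block rule never fires.
RULEBASE = [
    Rule("allow-web", "trust", "untrust", "any", "web-browsing", "allow"),
    Rule("block-guest-web", "trust", "untrust", "10.10.0.0/16", "web-browsing", "deny"),
]
```

Reversing the two rules removes the shadowing, and the same guest session is then denied while other trust hosts are still allowed.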
Policy types and what each one does:

Security: Determine whether to block or allow a session based on traffic attributes such as the source and destination security zone, the source and destination IP address, the application, the user, and the service. For details, see Security Policy.

NAT: Determine which packets need translation and how to translate them. Source address and/or port translation and destination address and/or port translation are both supported. For details, see NAT.

QoS: Identify traffic requiring QoS treatment (either preferential treatment or bandwidth limiting) using one or more defined parameters and assign it a class. For more details, see Quality of Service.

Policy Based Forwarding: Identify traffic that should use a different egress interface than the one the routing table would normally select. For more details, see Policy Based Forwarding.

Decryption: Identify encrypted traffic that you want to inspect for visibility, control, and granular security. Decryption rules define the traffic to decrypt and the type of SSL decryption to perform on it. All you need to do to start decrypting traffic is set up the certificates Prisma Access requires to act as a trusted third party to a session. For everything else, we've built in best practice decryption settings, including settings that exclude sensitive content from decryption and sites known not to work well when decrypted. For more details, see Decryption.
SSH Proxy decryption is not supported in Prisma Access Cloud Management.

Tunnel Inspection: Enforce Security, DoS Protection, and QoS policies on tunneled traffic, and view tunnel activity. For more details, see Tunnel Content Inspection.

Application Override: Identify sessions that you do not want processed by the App-ID engine (Layer 7 inspection). Traffic matching an application override rule is handled as regular stateful inspection at Layer 4, which saves application processing time. Create an application override rule when you do not want traffic inspection for custom applications between known IP addresses. For example, if you have a custom application on a non-standard port, you know that the users accessing it are sanctioned, and both are in the Trust zone, you can override application inspection for those trusted users accessing the custom application. For more details, see Application Override Policy.

Authentication: Identify traffic that requires users to authenticate. For more details, see Authentication Policy.

DoS Protection: Identify potential denial-of-service (DoS) attacks and take protective action in response to rule matches. For more details, see DoS Protection Profiles.

SD-WAN: Determine link path management between the source and destination zones when link path health degrades below the configured health metrics. For more details, see SD-WAN.