Network Security
All Policy Types
Your configuration supports a variety of policy types that work together to protect your
network and safely enable applications on it.
In addition to Security Policy, there are other policy types that are supported across the
Network Security platform. The policy types supported on Prisma Access are: Security
(Corporate Access and Internet Access), QoS, Decryption, Application Override, and
Authentication.
You can create various types of policies to protect your network from
threats and disruptions and to help you optimize network resource allocation. Rules
are evaluated from top to bottom; the first rule whose criteria match the traffic is
applied and subsequent rules are not evaluated. Order more specific rules above more
generic ones, otherwise a broad rule near the top shadows a narrower rule below it and
that narrower rule never matches. When logging is enabled for a rule, a log is generated
for traffic that matches it; logging options are configurable for each rule.
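The top-to-bottom, first-match evaluation and the ordering advice above, as an added Python example. This is not Palo Alto Networks code and not a model of the actual PAN-OS or Prisma Access match logic; it evaluates a constructed rulebase in order, returns the first matching rule, and flags any rule that is shadowed because an earlier rule already covers every session it could match. The rule and session fields, the `any` wildcard, and the sample zones, addresses, applications and rule names are assumptions chosen for illustration.

```python
"""Added example (not Palo Alto Networks code): first-match policy evaluation
and a shadowed-rule check over a constructed rulebase."""
from dataclasses import dataclass
import ipaddress

ANY = "any"  # wildcard for any criterion (assumed convention for this example)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "allow" or "deny"
    from_zone: str = ANY
    to_zone: str = ANY
    source: str = ANY           # CIDR or ANY
    destination: str = ANY      # CIDR or ANY
    application: str = ANY      # App-ID style name, e.g. "ms-ds-smb" (assumed)
    service: str = ANY          # e.g. "tcp/445" (assumed notation)
    log: bool = True            # per-rule logging switch


@dataclass(frozen=True)
class Session:
    from_zone: str
    to_zone: str
    src_ip: str
    dst_ip: str
    application: str
    service: str


def _eq_match(criterion, value):
    return criterion == ANY or criterion == value


def _ip_match(criterion, ip):
    return criterion == ANY or ipaddress.ip_address(ip) in ipaddress.ip_network(criterion, strict=False)


def rule_matches(rule, s):
    """True when every criterion of the rule matches the session."""
    return (_eq_match(rule.from_zone, s.from_zone) and _eq_match(rule.to_zone, s.to_zone)
            and _ip_match(rule.source, s.src_ip) and _ip_match(rule.destination, s.dst_ip)
            and _eq_match(rule.application, s.application) and _eq_match(rule.service, s.service))


def evaluate(rules, session, log=None):
    """Walk the rulebase top to bottom; the first match wins and later rules
    are not evaluated. Returns (action, rule_name, logged). A session that
    matches nothing is denied and produces no rule log."""
    for rule in rules:
        if rule_matches(rule, session):
            if rule.log and log is not None:
                log.append(f"{rule.name} {rule.action} {session}")
            return rule.action, rule.name, rule.log
    return "deny", None, False


def _covers(general, specific):
    """True if every value accepted by `specific` is also accepted by `general`."""
    if general == ANY:
        return True
    if specific == ANY:
        return False
    return general == specific


def _ip_covers(general, specific):
    if general == ANY:
        return True
    if specific == ANY:
        return False
    return ipaddress.ip_network(specific, strict=False).subnet_of(
        ipaddress.ip_network(general, strict=False))


def shadowed_rules(rules):
    """Names of rules that can never match because an earlier rule already
    covers every session they would match."""
    result = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (_covers(earlier.from_zone, later.from_zone) and _covers(earlier.to_zone, later.to_zone)
                    and _ip_covers(earlier.source, later.source)
                    and _ip_covers(earlier.destination, later.destination)
                    and _covers(earlier.application, later.application)
                    and _covers(earlier.service, later.service)):
                result.append(later.name)
                break
    return result


# Constructed sample rulebase: "block-smb" is meant to stop SMB from trust into
# the data centre zone, but sits below a generic allow and so never fires.
RULES_BAD = [
    Rule("allow-trust-to-dc", "allow", from_zone="trust", to_zone="dc"),
    Rule("block-smb", "deny", from_zone="trust", to_zone="dc", application="ms-ds-smb"),
]
RULES_GOOD = [RULES_BAD[1], RULES_BAD[0]]  # specific rule above the generic one

# Constructed sample session (addresses are illustrative).
SMB = Session("trust", "dc", "10.1.1.20", "10.9.0.5", "ms-ds-smb", "tcp/445")

if __name__ == "__main__":
    print("bad order :", evaluate(RULES_BAD, SMB), "shadowed:", shadowed_rules(RULES_BAD))
    print("good order:", evaluate(RULES_GOOD, SMB), "shadowed:", shadowed_rules(RULES_GOOD))
```

Run as written, the badly ordered rulebase allows the SMB session under `allow-trust-to-dc` and the shadow check reports `block-smb`; with the order swapped the deny fires and nothing is shadowed. A check of this kind, run over the rulebase before it is committed, is the practical form of the ordering advice above.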
Best practice security rules are available for most policy types and help you to get
started quickly and securely. While these rules cannot be edited to ensure that you
always have a minimum level of security readily available, you can clone them if you
want to use them as a foundation for customizing your policy.
Policy Type | Description |
---|---|
Security | Determine whether to block or allow a session based on traffic attributes such as the source and destination security zone, the source and destination IP address, the application, the user, and the service. For details, see Security Policy. |
NAT | Determine which packets need translation and how to translate them. Source address and/or port translation and destination address and/or port translation are both supported. For details, see NAT. |
QoS | Identify traffic that requires QoS treatment (either preferential treatment or bandwidth limiting) using one or more defined parameters, and assign it a class. For details, see Quality of Service. |
Policy Based Forwarding | Identify traffic that should use a different egress interface than the one the routing table would normally select. For details, see Policy Based Forwarding. |
Decryption | Identify encrypted traffic that you want to inspect for visibility, control, and granular security. Decryption rules define which traffic to decrypt and the type of SSL decryption to perform on it. To start decrypting traffic, set up the certificates Prisma Access requires to act as a trusted third party to a session; best-practice decryption settings are built in, including settings that exclude sensitive content from decryption and sites known not to work well when decrypted. For details, see Decryption. SSH Proxy decryption is not supported in Prisma Access Cloud Management. |
Tunnel Inspection | Enforce Security, DoS Protection, and QoS policies on tunneled traffic and view tunnel activity. For details, see Tunnel Content Inspection. |
Application Override | Identify sessions that you do not want processed by the App-ID engine (Layer-7 inspection). Traffic matching an application override rule is handled as regular stateful inspection at Layer 4, which saves application-processing time but also means that App-ID's Layer-7 inspection is not applied to that traffic. Use an application override rule only when you do not want inspection for a custom application between known IP addresses; for example, a custom application on a non-standard port that is accessed only by sanctioned users, with both endpoints in the Trust zone. For details, see Application Override Policy. |
Authentication | Identify traffic that requires users to authenticate. For details, see Authentication Policy. |
DoS Protection | Identify potential denial-of-service (DoS) attacks and take protective action when a rule matches. For details, see DoS Protection Profiles. |
SD-WAN | Determine link path management between the source and destination zones when link path health degrades below the configured health metrics. For details, see SD-WAN. |