Prisma Access Policy Types

Prisma Access supports a variety of policy types that work together to protect your network and safely enable the applications running on it.
The policy types supported on Prisma Access are: Security (Corporate Access and Internet Access), QoS, Decryption, Application Override, and Authentication.
Prisma Access allows you to create various types of policies to protect your network from threats and disruptions and to help you optimize the allocation of network resources. Rules are evaluated from top to bottom; when traffic matches the criteria of a rule, subsequent rules are not evaluated. Order more specific policy rules above more generic ones so that traffic is always handled by the best-matching rule rather than swallowed by a broader rule placed higher in the list. When logging is enabled for a rule, a log is generated for traffic that matches it; logging options are configurable for each rule.
Best practice policy rules are available for most policy types and help you get started quickly and securely. These rules cannot be edited, which ensures that a minimum level of security is always available; if you want to use them as a foundation for customizing your policy, clone them.
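The first-match evaluation and the specific-above-generic ordering described above, as an added example that is not part of the Prisma Access documentation or product code: a small security-rule model with top-to-bottom evaluation plus a shadow check that flags rules an earlier, broader rule makes unreachable. The rule fields, the `Rule`/`Session` classes and the sample rulebase are constructed assumptions (IPv4 only, exact-match zones, apps and users).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:  # 'any' / 0.0.0.0/0 means the field is unconstrained; IPv4 only here
    name: str
    action: str                 # "allow" or "deny"
    src_zone: str = "any"
    dst_zone: str = "any"
    src_net: str = "0.0.0.0/0"  # CIDR
    dst_net: str = "0.0.0.0/0"
    app: str = "any"
    user: str = "any"

@dataclass(frozen=True)
class Session:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    app: str
    user: str

def _field_ok(rule_value: str, actual: str) -> bool:
    return rule_value == "any" or rule_value == actual
def matches(rule: Rule, s: Session) -> bool:
    return (_field_ok(rule.src_zone, s.src_zone) and _field_ok(rule.dst_zone, s.dst_zone)
            and _field_ok(rule.app, s.app) and _field_ok(rule.user, s.user)
            and ip_address(s.src_ip) in ip_network(rule.src_net)
            and ip_address(s.dst_ip) in ip_network(rule.dst_net))
def evaluate(rules, s):
    """First match wins: walk top to bottom and stop at the first rule the session matches."""
    for rule in rules:
        if matches(rule, s):
            return rule
    return None  # nothing matched; a real rulebase ends in a default rule
def covers(broad: Rule, narrow: Rule) -> bool:
    """True if every session 'narrow' could match is already matched by 'broad'."""
    return (all(_field_ok(getattr(broad, f), getattr(narrow, f)) for f in ("src_zone", "dst_zone", "app", "user"))
            and ip_network(narrow.src_net).subnet_of(ip_network(broad.src_net))
            and ip_network(narrow.dst_net).subnet_of(ip_network(broad.dst_net)))
def shadowed(rules):
    """Names of rules that can never be reached because an earlier rule covers them."""
    return [r.name for i, r in enumerate(rules) if any(covers(e, r) for e in rules[:i])]

# Constructed sample rulebase: a broad allow placed above a narrower deny shadows the deny.
ALLOW_WEB = Rule("allow-web", "allow", "trust", "untrust", app="web-browsing")
DENY_GUEST_WEB = Rule("deny-guest-web", "deny", "trust", "untrust", "10.10.0.0/16", app="web-browsing")
WRONG_ORDER = [ALLOW_WEB, DENY_GUEST_WEB]  # generic above specific: the deny is unreachable
RIGHT_ORDER = [DENY_GUEST_WEB, ALLOW_WEB]  # specific above generic, as the text recommends
```

Running `shadowed()` over a rulebase before committing it is the check that catches the misordering; `evaluate()` shows which rule a given session would actually hit.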
Policy Type

Security
Determine whether to block or allow sessions based on traffic attributes such as the source and destination zones, the source and destination IP addresses, the application, or the user.
QoS
Create Quality of Service (QoS) policy rules to identify traffic that requires preferential treatment or bandwidth limiting. QoS rules allow you to dependably run high-priority applications and traffic under limited network capacity. You can configure QoS treatment for traffic using the following codepoints:
  • Expedited Forwarding (EF)—Used to request low loss, low latency and guaranteed bandwidth for traffic. Packets with EF codepoint values are typically guaranteed highest priority delivery.
  • Assured Forwarding (AF)—Used to provide reliable delivery for applications. Packets with AF codepoints indicate a request for traffic to receive higher priority treatment than best-effort service provides. Packets with the EF codepoint take precedence over packets with an AF codepoint.
  • Class Selector (CS)—Used to provide backwards compatibility with network IP addresses that use the IP precedence field to mark priority traffic.
  • IP Precedence (ToS)—Used by legacy network IP addresses to mark priority traffic.
  • Custom Codepoint—Create a custom codepoint to match traffic by entering a Codepoint Name and Binary Value.
For example, you can create a QoS policy rule that prioritizes voice communications, such as voice over IP (VoIP), to ensure consistent packet transmission and therefore consistent call quality.
Decryption
Identify encrypted traffic that you want to inspect for visibility, control, and granular security. Decryption policy rules allow you to define the traffic to decrypt and the type of decryption you want to perform on that traffic. All you need to do to start decrypting traffic is set up the certificates Prisma Access requires to act as a trusted third party to a session. For everything else, we’ve built in best practice decryption settings, including settings to exclude sensitive content from decryption, as well as sites that are known not to work well when decrypted.
Application Override
Create an application override policy to designate that certain applications be processed using fast-path Layer-4 inspection instead of App-ID Layer-7 inspection. This forces the security enforcement node to handle the session as regular stateful inspection and saves application processing time. Create an application override policy rule when you do not want traffic inspection for a custom application between known IP addresses. For example, if you have a custom application on a non-standard port, you know that the users accessing the application are sanctioned, and both endpoints are in the Trust zone, you can override the application inspection requirements for those trusted users accessing the custom application. Because App-ID and Layer-7 inspection are skipped for these sessions, limit overrides to traffic between known, trusted endpoints.
