Prisma Access Policy Types
Prisma Access supports a variety of policy types that work together to protect your network security and safely enable applications on your network.
The different policy types supported on Prisma Access are: Security (Corporate Access and Internet Access), QoS, Decryption, Application Override, and Authentication.
Prisma Access allows you to create various types of policies to protect your network from threats and disruptions, as well as help you optimize network resource allocation. Rules are evaluated from top to bottom; when traffic matches a rule's criteria, that rule is applied and subsequent rules are not evaluated. Order more specific policy rules above more generic ones so that the most precise match is the one enforced. When logging is enabled for a rule, a log is generated for traffic that matches it; logging options are configurable for each rule.
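The evaluation order described above has a practical consequence: a generic rule placed above a specific one prevents the specific rule from ever matching. The following is an added example, not Prisma Access code or configuration: it models rules with the match attributes the page names (zones, addresses, application, user), evaluates them top-down with first-match semantics and per-rule logging, and includes a conservative check for fully shadowed rules. The zone names, application names, addresses and rule names are constructed for illustration.

```python
"""First-match policy evaluation with a shadow-rule check (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

ANY = "any"


@dataclass(frozen=True)
class Session:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    app: str
    user: str


@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "allow" or "deny"
    src_zone: str = ANY
    dst_zone: str = ANY
    src_net: str = ANY     # CIDR string or "any"
    dst_net: str = ANY
    app: str = ANY
    user: str = ANY
    log: bool = True       # per-rule logging option

    @staticmethod
    def _field_ok(want: str, have: str) -> bool:
        return want == ANY or want == have

    @staticmethod
    def _net_ok(want: str, ip: str) -> bool:
        return want == ANY or ip_address(ip) in ip_network(want, strict=False)

    def matches(self, s: Session) -> bool:
        return (self._field_ok(self.src_zone, s.src_zone)
                and self._field_ok(self.dst_zone, s.dst_zone)
                and self._net_ok(self.src_net, s.src_ip)
                and self._net_ok(self.dst_net, s.dst_ip)
                and self._field_ok(self.app, s.app)
                and self._field_ok(self.user, s.user))


@dataclass(frozen=True)
class Verdict:
    rule: str
    action: str
    log_entry: Optional[str]   # None when the matching rule has logging off


def evaluate(policy: List[Rule], s: Session) -> Optional[Verdict]:
    """Walk the rulebase top-down; the first matching rule decides and later
    rules are never consulted. None means no rule matched."""
    for rule in policy:
        if rule.matches(s):
            entry = (f"{rule.action} {s.app} {s.src_ip}->{s.dst_ip} rule={rule.name}"
                     if rule.log else None)
            return Verdict(rule.name, rule.action, entry)
    return None


def _covers(wide: str, narrow: str) -> bool:
    return wide == ANY or wide == narrow


def _net_covers(wide: str, narrow: str) -> bool:
    if wide == ANY:
        return True
    if narrow == ANY:
        return False
    return ip_network(narrow, strict=False).subnet_of(ip_network(wide, strict=False))


def shadowed_rules(policy: List[Rule]) -> List[str]:
    """Names of rules that can never match because an earlier rule already
    matches every session they would match (a generic rule above a specific one).
    Only complete shadowing is reported; partial overlap is not flagged."""
    out = []
    for i, lower in enumerate(policy):
        for upper in policy[:i]:
            if (_covers(upper.src_zone, lower.src_zone)
                    and _covers(upper.dst_zone, lower.dst_zone)
                    and _net_covers(upper.src_net, lower.src_net)
                    and _net_covers(upper.dst_net, lower.dst_net)
                    and _covers(upper.app, lower.app)
                    and _covers(upper.user, lower.user)):
                out.append(lower.name)
                break
    return out


# Constructed sample rulebases: the specific deny is ordered correctly in one
# and hidden behind a generic allow in the other.
GOOD_ORDER = [
    Rule("deny-guest-ssh", "deny", src_zone="guest", dst_zone="untrust", app="ssh"),
    Rule("allow-guest-web", "allow", src_zone="guest", dst_zone="untrust",
         app="web-browsing", log=False),
    Rule("allow-guest-out", "allow", src_zone="guest", dst_zone="untrust"),
]
BAD_ORDER = [
    Rule("allow-guest-out", "allow", src_zone="guest", dst_zone="untrust"),
    Rule("deny-guest-ssh", "deny", src_zone="guest", dst_zone="untrust", app="ssh"),
]
GUEST_SSH = Session("guest", "untrust", "10.10.1.7", "203.0.113.9", "ssh", "visitor")

if __name__ == "__main__":
    print(evaluate(GOOD_ORDER, GUEST_SSH))   # the specific deny is reached
    print(evaluate(BAD_ORDER, GUEST_SSH))    # the generic allow wins instead
    print(shadowed_rules(BAD_ORDER))         # the deny is reported as unreachable
```

Running the shadow check against a rulebase before committing it catches exactly the ordering mistake the text warns about; the same first-match walk also shows why a rule with logging disabled leaves no trace even when it is the one that decided the session.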
Best practice policy rules are available for most policy types and help you get started quickly and securely. These rules cannot be edited, which ensures that a minimum level of security is always readily available; you can clone them if you want to use them as a foundation for customizing your policy.
Security policy rules determine whether to block or allow sessions based on traffic attributes such as the source and destination zones, the source and destination IP addresses, the application, or the user.
Quality of Service (QoS) policy rules identify traffic that requires preferential treatment or bandwidth limiting. QoS rules allow you to dependably run high-priority applications and traffic under limited network capacity. You can configure QoS treatment of traffic using the following codepoints:
For example, you can create a QoS policy rule that prioritizes voice communications, such as voice over IP (VoIP), to ensure consistent packet transmission and therefore consistent call quality.
Decryption policy rules identify encrypted traffic that you want to inspect for visibility, control, and granular security. They allow you to define which traffic to decrypt and the type of decryption to perform on that traffic. All you need to do to start decrypting traffic is set up the certificates Prisma Access requires to act as a trusted third party to a session. For everything else, best practice decryption settings are built in, including settings to exclude sensitive content from decryption and to exclude sites that are known not to work well when decrypted.
Create an application override policy to designate that applications be processed using fast-path Layer 4 inspection instead of App-ID Layer 7 inspection. This forces the security enforcement node to handle the session as regular stateful inspection and saves application processing time. You can create an application override policy rule when you do not want traffic inspection for custom applications between known IP addresses. For example, if you have a custom application on a non-standard port that you know is accessed only by sanctioned users, and both the users and the application are in the Trust zone, you can override the application inspection requirements for those trusted users accessing the custom application.