Policies > Security
Security policies reference security zones and enable you to allow, restrict, and track traffic on your network based on the application, user or user group, and service (port and protocol). By default, the firewall includes a security rule named rule1 that allows all traffic from the Trust zone to the Untrust zone.
What do you want to know? See:
What is a security policy? Security Policy Overview
What are the fields available to create a security policy? Building Blocks in a Security Policy
How can I use the web interface to manage security policies? Creating and Managing Policies; Overriding or Reverting a Security Policy Rule
Looking for more? Security Policy
Security Policy Overview
Security policies allow you to enforce rules and take action, and can be as general or specific as needed. The policy rules are compared against the incoming traffic in sequence, and because the first rule that matches the traffic is applied, the more specific rules must precede the more general ones. For example, a rule for a single application must precede a rule for all applications if all other traffic-related settings are the same.
For traffic that doesn’t match any user-defined rules, the default rules apply. The default rules—displayed at the bottom of the security rulebase—are predefined to allow all intrazone traffic (within the zone) and deny all interzone traffic (between zones). Although these rules are part of the pre-defined configuration and are read-only by default, you can Override them and change a limited number of settings, including the tags, action (allow or deny), log settings, and security profiles.
The interface includes the following tabs for defining security policy.
General —Select the General tab to configure a name and description for the security policy.
Source —Select the Source tab to define the source zone or source address from which the traffic originates.
User —Select the User tab to enforce policy for individual users or a group of users. If you are using GlobalProtect with host information profile (HIP) enabled, you can also base the policy on information collected by GlobalProtect. For example, the user access level can be determined by a HIP that notifies the firewall about the user's local configuration. The HIP information can be used for granular access control based on the security programs that are running on the host, registry values, and many other checks such as whether the host has antivirus software installed.
Destination —Select the Destination tab to define the destination zone or destination address for the traffic.
Application —Select the Application tab to have the policy action occur based on an application or application group. An administrator can also use an existing App-ID signature and customize it to detect proprietary applications or to detect specific attributes of an existing application. Custom applications are defined in Objects > Applications.
Service/URL Category —Select the Service/URL Category tab to specify a specific TCP and/or UDP port number or a URL category as match criteria in the policy.
Action —Select the Action tab to determine the action that will be taken based on traffic that matches the defined policy attributes.
Building Blocks in a Security Policy
The following section describes each component in a security policy rule. When you view the default security rule, or create a new rule, you can configure the options described here. Each entry gives the building block, the tab where it is configured, and its description.
Building Block (Configured In): Description
Rule number (N/A): Each rule is automatically numbered and the order changes as rules are moved. When you filter rules to match specific filter(s), each rule is listed with its number in the context of the complete set of rules in the rulebase and its place in the evaluation order. In Panorama, pre-rules and post-rules are independently numbered. When rules are pushed from Panorama to a managed firewall, the rule numbering incorporates the hierarchy of pre-rules, firewall rules, and post-rules within a rulebase and reflects the rule sequence and its evaluation order.
Name (General): Enter a name to identify the rule. The name is case-sensitive and can have up to 31 characters, which can be letters, numbers, spaces, hyphens, and underscores. The name must be unique on a firewall and, on Panorama, unique within its device group and any ancestor or descendant device groups.
Tag (General): Click Add to specify the tag for the policy. A policy tag is a keyword or phrase that allows you to sort or filter policies. This is useful when you have defined many policies and want to view those that are tagged with a particular keyword. For example, you may want to tag certain rules with specific words like Decrypt and No-decrypt, or use the name of a specific data center for policies associated with that location. You can also add tags to the default rules.
Type (General): Specifies whether the rule applies to traffic within a zone, between zones, or both:
universal (default)—Applies the rule to all matching interzone and intrazone traffic in the specified source and destination zones. For example, if you create a universal rule with source zones A and B and destination zones A and B, the rule would apply to all traffic within zone A, all traffic within zone B, all traffic from zone A to zone B, and all traffic from zone B to zone A.
intrazone —Applies the rule to all matching traffic within the specified source zones (you cannot specify a destination zone for intrazone rules). For example, if you set the source zone to A and B, the rule would apply to all traffic within zone A and all traffic within zone B, but not to traffic between zones A and B.
interzone —Applies the rule to all matching traffic between the specified source and destination zones. For example, if you set the source zone to A, B, and C and the destination zone to A and B, the rule would apply to traffic from zone A to zone B, from zone B to zone A, from zone C to zone A, and from zone C to zone B, but not to traffic within zones A, B, or C.
Source Zone (Source): Click Add to choose source zones (default is any). Zones must be of the same type (Layer 2, Layer 3, or virtual wire). To define new zones, refer to Network > Zones. Multiple zones can be used to simplify management. For example, if you have three different internal zones (Marketing, Sales, and Public Relations) that are all directed to the untrusted destination zone, you can create one rule that covers all cases.
Source Address (Source): Click Add to add source addresses, address groups, or regions (default is any). Select from the drop-down, or click Address, Address Group, or Regions at the bottom of the drop-down, and specify the settings.
Source User (User): Click Add to choose the source users or groups of users subject to the policy. The following source user types are supported:
any —Include any traffic regardless of user data.
pre-logon —Include remote users that are connected to the network using GlobalProtect, but are not logged into their system. When the Pre-logon option is configured on the Portal for GlobalProtect clients, any user who is not currently logged into their machine will be identified with the username pre-logon. You can then create policies for pre-logon users and, although the user is not logged in directly, their machines are authenticated on the domain as if they were fully logged in.
known-user —Includes all authenticated users, which means any IP with user data mapped. This option is equivalent to the domain users group on a domain.
unknown —Includes all unauthenticated users, which means IP addresses that are not mapped to a user. For example, you could use unknown for guest-level access, because guests will have an IP on your network but will not be authenticated to the domain and will not have IP-to-user mapping information on the firewall.
Select —Includes selected users as determined by the selection in this window. For example, you may want to add one user, a list of individuals, some groups, or manually add users. If you are using a RADIUS server and not the User-ID agent, the list of users does not display; you must enter user information manually.
Source HIP Profile (User): Click Add to choose host information profiles (HIP) to identify users. A HIP enables you to collect information about the security status of your end hosts, such as whether they have the latest security patches and antivirus definitions installed. Using host information profiles for policy enforcement enables granular security that ensures that the remote hosts accessing your critical resources are adequately maintained and in adherence with your security standards before they are allowed access to your network resources. The following source HIP profiles are supported:
any —Include any endpoint regardless of HIP information.
select —Include selected HIP profiles as determined by the selection in this window. For example, you can add one HIP profile, a list of HIP profiles, or manually add a HIP profile.
no-hip —HIP information is not required. This setting enables access from third-party clients that cannot collect or submit HIP information.
Destination Zone (Destination): Click Add to choose destination zones (default is any). Zones must be of the same type (Layer 2, Layer 3, or virtual wire). To define new zones, refer to Network > Zones. Multiple zones can be used to simplify management. For example, if you have three different internal zones (Marketing, Sales, and Public Relations) that are all directed to the untrusted destination zone, you can create one rule that covers all cases. On intrazone rules, you cannot define a Destination Zone because these types of rules only match traffic with a source and a destination within the same zone. To specify the zones that match an intrazone rule you only need to set the Source Zone.
Destination Address (Destination): Click Add to add destination addresses, address groups, or regions (default is any). Select from the drop-down, or click Address at the bottom of the drop-down, and specify address settings.
Application (Application): Select specific applications for the security rule. If an application has multiple functions, you can select the overall application or individual functions. If you select the overall application, all functions are included and the application definition is automatically updated as future functions are added. If you are using application groups, filters, or containers in the security rule, you can view details of these objects by holding your mouse over the object in the Application column, clicking the drop-down arrow, and selecting Value. This allows you to view application members directly from the policy without having to navigate to the Object tab.
Service (Service/URL Category): Select services to limit to specific TCP and/or UDP port numbers. Choose one of the following from the drop-down:
any —The selected applications are allowed or denied on any protocol or port.
application-default —The selected applications are allowed or denied only on their default ports defined by Palo Alto Networks®. This option is recommended for allow policies because it prevents applications from running on unusual ports and protocols which, if not intentional, can be a sign of undesired application behavior and usage. Note that when you use this option, the firewall still identifies all applications on all ports, but applications are only allowed on their default ports and protocols.
Select —Click Add. Choose an existing service or choose Service or Service Group to specify a new entry. (Or select Objects > Services and Objects > Service Groups.)
URL Category (Service/URL Category): Select URL categories for the security rule. Choose any to allow or deny all sessions regardless of the URL category. To specify a category, click Add and select a specific category (including a custom category) from the drop-down. You can add multiple categories. Custom URL categories are defined in Objects > Custom Objects > URL Category; an external dynamic list of type URL (Objects > External Dynamic Lists) can also be selected here as a category.
Action (Actions): To specify the action for traffic that matches the attributes defined in a rule, select from the following actions:
Allow —(default) Allows the traffic.
Deny —Blocks traffic, and enforces the default Deny Action defined for the application that is being denied. To view the deny action defined by default for an application, view the application details in Objects > Applications. Because the default deny action varies by application, the firewall could block the session and send a reset for one application, while it could drop the session silently for another application.
Drop —Silently drops the traffic. No TCP reset is sent to the host/application; if you also select Send ICMP Unreachable, the firewall sends an ICMP Unreachable message to the source instead.
Reset client —Sends a TCP reset to the client-side device.
Reset server —Sends a TCP reset to the server-side device.
Reset both —Sends a TCP reset to both the client-side and server-side devices.
Send ICMP Unreachable —Only available for Layer 3 interfaces. When you configure security policy to drop traffic or to reset the connection, the traffic does not reach the destination host. In such cases, for all UDP traffic and for TCP traffic that is dropped, you can enable the firewall to send an ICMP Unreachable response to the source IP address from where the traffic originated. Enabling this setting allows the source to gracefully close or clear the session and prevents applications from breaking. To view the ICMP Unreachable Packet Rate configured on the firewall, view the Session Settings section in Device > Setup > Session.
To override the default action defined on the predefined interzone and intrazone rules, see Overriding or Reverting a Security Policy Rule.
Profile Setting (Actions): To specify the checking done by the default security profiles, select individual Antivirus, Anti-Spyware, Vulnerability Protection, URL Filtering, File Blocking, and/or Data Filtering profiles. To specify a profile group rather than individual profiles, select Profile Type Group and then select a profile group from the Group Profile drop-down. To define new profiles or profile groups, click New next to the appropriate profile or group (refer to Objects > Security Profile Groups). You can also attach security profiles (or profile groups) to the default rules.
Options (Actions): The Options tab includes the logging settings and a combination of other options listed below. To generate entries in the local traffic log for traffic that matches this rule, select the following options:
Log At Session Start —Generates a traffic log entry for the start of a session (disabled by default).
Log At Session End —Generates a traffic log entry for the end of a session (enabled by default). If the session start or end entries are logged, drop and deny entries are also logged.
Log Forwarding Profile —To forward the local traffic log and threat log entries to remote destinations, such as Panorama and syslog servers, select a log profile from the Log Forwarding Profile drop-down. Note that the generation of threat log entries is determined by the security profiles. To define new log profiles, click New (refer to Objects > Log Forwarding). You can also modify the log settings on the default rules.
Specify any combination of the following options:
Schedule —To limit the days and times when the rule is in effect, select a schedule from the drop-down. To define new schedules, click New (refer to Objects > Schedules).
QoS Marking —To change the Quality of Service (QoS) setting on packets matching the rule, select IP DSCP or IP Precedence and enter the QoS value in binary or select a predefined value from the drop-down. For more information on QoS, refer to Quality of Service (QoS).
Disable Server Response Inspection —To disable packet inspection from the server to the client, select this option. This option may be useful under heavy server load conditions. Because it also turns off threat inspection of the server-to-client direction, apply it only to rules for trusted internal server traffic, never to rules that allow traffic from untrusted zones.
Description (General): Enter a description for the policy (up to 255 characters).
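The evaluation semantics described above (first match top down in Security Policy Overview, the Type row, the Service row's application-default behavior, and the two predefined default rules) modelled in code. This is an added example, not Palo Alto Networks code; the zone names trust/untrust, the rule names, and the App-ID default-port table are constructed sample data, and the shadowing check is a conservative approximation that only reports a rule when an earlier rule provably matches everything it would.

```python
"""First-match evaluation of a PAN-OS style security rulebase.

Added example; this is not Palo Alto Networks code. It models the
semantics described on this page: top-down first match, the rule Type
(universal / intrazone / interzone), Service set to application-default
versus any, and the two predefined default rules that sit at the bottom
of every rulebase. Zone names, rule names and the App-ID default-port
table are constructed sample data (the real table is under
Objects > Applications).
"""
from dataclasses import dataclass

# Constructed subset of App-ID default ports as (protocol, port).
APP_DEFAULT_PORTS = {
    "ssh": {("tcp", 22)},
    "web-browsing": {("tcp", 80)},
    "ssl": {("tcp", 443)},
    "dns": {("udp", 53), ("tcp", 53)},
}

ANY = frozenset({"any"})


def _in(allowed: frozenset, value: str) -> bool:
    return "any" in allowed or value in allowed


def _covers(a: frozenset, b: frozenset) -> bool:
    """True when every value matching field b also matches field a."""
    return "any" in a or ("any" not in b and b <= a)


@dataclass(frozen=True)
class Session:
    src_zone: str
    dst_zone: str
    app: str          # App-ID result; the app is identified regardless of port
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # allow | deny
    rule_type: str = "universal"     # universal | intrazone | interzone
    src_zones: frozenset = ANY
    dst_zones: frozenset = ANY       # ignored for intrazone rules
    apps: frozenset = ANY
    service: str = "application-default"  # any | application-default

    def matches(self, s: Session) -> bool:
        same_zone = s.src_zone == s.dst_zone
        if self.rule_type == "intrazone":
            zones_ok = same_zone and _in(self.src_zones, s.src_zone)
        elif self.rule_type == "interzone":
            zones_ok = (not same_zone and _in(self.src_zones, s.src_zone)
                        and _in(self.dst_zones, s.dst_zone))
        else:  # universal: both intrazone and interzone traffic
            zones_ok = _in(self.src_zones, s.src_zone) and _in(self.dst_zones, s.dst_zone)
        if not zones_ok or not _in(self.apps, s.app):
            return False
        if self.service == "application-default":
            # Identified on any port, but only allowed/denied on the app's default ports.
            return (s.proto, s.dport) in APP_DEFAULT_PORTS.get(s.app, set())
        return True


# Read-only default rules appended below every user-defined rule.
DEFAULT_RULES = [
    Rule("intrazone-default", "allow", "intrazone", service="any"),
    Rule("interzone-default", "deny", "interzone", service="any"),
]


def evaluate(rulebase, session: Session):
    """Return (rule name, action) of the first rule that matches."""
    for rule in list(rulebase) + DEFAULT_RULES:
        if rule.matches(session):
            return rule.name, rule.action
    raise AssertionError("the default rules cover every session")


def shadows(earlier: Rule, later: Rule) -> bool:
    """Conservative: True only when every session matching `later` is
    provably matched by `earlier` first, so `later` can never fire."""
    return (earlier.rule_type in ("universal", later.rule_type)
            and earlier.service in ("any", later.service)
            and _covers(earlier.src_zones, later.src_zones)
            and _covers(earlier.dst_zones, later.dst_zones)
            and _covers(earlier.apps, later.apps))


def shadowed_rules(rulebase):
    return [r.name for i, r in enumerate(rulebase)
            if any(shadows(e, r) for e in rulebase[:i])]


# Constructed rulebase: the general "allow anything out" rule precedes
# the specific SSH deny, so the deny can never match.
TRUST, UNTRUST = frozenset({"trust"}), frozenset({"untrust"})
ALLOW_WEB = Rule("allow-web", "allow", src_zones=TRUST, dst_zones=UNTRUST,
                 apps=frozenset({"web-browsing", "ssl"}))
ALLOW_ANY_OUT = Rule("allow-any-out", "allow", src_zones=TRUST, dst_zones=UNTRUST, service="any")
DENY_SSH_OUT = Rule("deny-ssh-out", "deny", src_zones=TRUST, dst_zones=UNTRUST,
                    apps=frozenset({"ssh"}), service="any")
SAMPLE_RULEBASE = [ALLOW_WEB, ALLOW_ANY_OUT, DENY_SSH_OUT]
FIXED_RULEBASE = [ALLOW_WEB, DENY_SSH_OUT, ALLOW_ANY_OUT]   # specific before general

if __name__ == "__main__":
    ssh_out = Session("trust", "untrust", "ssh", "tcp", 22)
    print(shadowed_rules(SAMPLE_RULEBASE), evaluate(SAMPLE_RULEBASE, ssh_out))
    print(shadowed_rules(FIXED_RULEBASE), evaluate(FIXED_RULEBASE, ssh_out))
```

Running it shows the two checks a practitioner wants before committing: the SSH deny is reported as shadowed and outbound SSH is allowed by allow-any-out until the deny is moved above it, and web-browsing on tcp/8080 falls through allow-web (application-default) to interzone-default, which denies it without logging unless that rule has been overridden.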
Creating and Managing Policies
Select the Policies > Security page to add, modify, and manage security policies.
Task: Description
Add: To add a new policy rule, do one of the following:
Click Add at the bottom of the page.
Select a rule on which to base the new rule and click Clone Rule, or select a rule by clicking the white space of the rule and select Clone Rule at the bottom of the page (a rule that is selected in the web interface displays with a yellow background). The copied rule, "rulen", is inserted below the selected rule, where n is the next available integer that makes the rule name unique. For details on cloning, see Move or Clone a Policy Rule.
Modify: To modify a rule, click the rule. If the rule is pushed from Panorama, the rule is read-only on the firewall and cannot be edited locally.
Override or Revert: Override and Revert actions only pertain to the default rules that are displayed at the bottom of the Security rulebase. These predefined rules—allow all intrazone traffic and deny all interzone traffic—instruct the firewall on how to handle traffic that does not match any other rule in the rulebase. Because they are part of the predefined configuration, you must Override them in order to edit select policy settings. If you are using Panorama, you can also Override the default rules, and then push them to firewalls in a Device Group or Shared context. You can also Revert the default rules, which restores the predefined settings or the settings pushed from Panorama. For details, see Overriding or Reverting a Security Policy Rule.
Move Rules are evaluated top down and as enumerated on the Policies page. To change the order in which the rules are evaluated against network traffic, select a rule and click Move Up, Move Down, Move Top, or Move Bottom. For details, see Move or Clone a Policy Rule.
Delete Select a rule and click Delete to remove the existing rule.
Enable/Disable To disable a rule, select the rule and click Disable. To enable a rule that is disabled, select the rule and click Enable.
View Unused rules To identify rules that have not been used since the last time the firewall was restarted, select Highlight Unused Rules. You can then decide whether to disable the rule or delete it. Rules not currently in use are displayed with a dotted yellow background. Each firewall maintains a flag for the rules that have a match. Because the flag is reset when a dataplane reset occurs on a reboot or a restart, monitor this list periodically to determine whether the rule has had a match since the last check before you delete or disable it.
Show/Hide columns To show or hide the columns that display in the Policies pages, select this option next to the column name to toggle the display of each column.
Apply filters To apply a filter to the list, select from the Filter Rules drop-down. To add a value to define a filter, click the drop-down for the item and choose Filter. The default rules are not part of rulebase filtering and always show up in the list of filtered rules.
To view the network sessions that were logged as matches against the policy, click the drop-down for the rule name and choose Log Viewer.
To display the current value of an entry, click the drop-down for the entry and choose Value. You can also edit, filter, or remove certain items directly from the column menu. For example, to view addresses included in an address group, hold your mouse over the object in the Address column, click the drop-down and select Value. This allows you to quickly view the members and the corresponding IP addresses for the address group without having to navigate to the Object tab.
To find objects used within a policy based on their name or IP address, use the filter option. After you apply the filter, you will see only the items that match the filter. The filter also works with embedded objects. For example, when you filter on 10.1.4.8, only the policy that contains that address is displayed.
Preview rules (Panorama only): Use Preview Rules to view a list of the rules before you push the rules to the managed firewalls. Within each rulebase, the hierarchy of rules is visually demarcated for each device group (and managed firewall) to make it easier to scan through a large number of rules.
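Because the Highlight Unused Rules flag is cleared on every dataplane restart (see View Unused rules above), and because a rule that logs at both session start and session end (the Options row) produces two Traffic log entries per session, a more durable usage check is to count distinct session IDs per rule in the traffic logs forwarded off the box. The following is an added example, not Palo Alto Networks code. It assumes the CSV traffic-log syslog layout in which, counting from 1, field 4 is the log type, field 5 the subtype (start, end, drop, deny), field 12 the rule name, field 15 the application, field 23 the session ID and field 31 the action; the log lines are constructed samples built by a helper, not captured firewall output.

```python
"""Per-rule hit counts from PAN-OS traffic-log lines forwarded to syslog.

Added example; this is not Palo Alto Networks code. The firewall's
Highlight Unused Rules flag is cleared whenever the dataplane restarts,
so this derives rule usage from the forwarded traffic log instead. The
field positions below are an assumption about the CSV traffic-log
layout, and the log lines are constructed samples.
"""
import csv
from collections import defaultdict
from io import StringIO

# 0-based positions in the assumed CSV layout (1-based fields 4, 5, 12, 15, 23, 31).
LOG_TYPE, SUBTYPE, RULE, APP, SESSION_ID, ACTION = 3, 4, 11, 14, 22, 30
FIELD_COUNT = 32


def make_line(subtype, rule, session_id, action, app="web-browsing"):
    """Build one constructed traffic-log line; fields we do not use stay empty."""
    fields = [""] * FIELD_COUNT
    fields[1] = "2024/01/01 12:00:00"   # receive time
    fields[LOG_TYPE] = "TRAFFIC"
    fields[SUBTYPE] = subtype
    fields[RULE] = rule
    fields[APP] = app
    fields[SESSION_ID] = str(session_id)
    fields[ACTION] = action
    return ",".join(fields)


# allow-web logs at both session start and end, so session 1001 appears twice.
SAMPLE_LOG = "\n".join([
    make_line("start", "allow-web", 1001, "allow"),
    make_line("end", "allow-web", 1001, "allow"),
    make_line("end", "allow-web", 1002, "allow", app="ssl"),
    make_line("end", "deny-ssh-out", 1003, "reset-both", app="ssh"),
    make_line("deny", "interzone-default", 1004, "deny", app="ssh"),
    make_line("drop", "interzone-default", 1005, "drop", app="unknown-udp"),
])


def parse_traffic(log_text):
    """Yield rows of TRAFFIC log lines; skip anything too short or of another type."""
    for row in csv.reader(StringIO(log_text)):
        if len(row) >= FIELD_COUNT and row[LOG_TYPE] == "TRAFFIC":
            yield row


def line_counts(log_text):
    """Naive count of log lines per rule; double counts rules logging start and end."""
    counts = defaultdict(int)
    for row in parse_traffic(log_text):
        counts[row[RULE]] += 1
    return dict(counts)


def session_counts(log_text):
    """Distinct sessions per rule; the figure to use when judging rule usage."""
    sessions = defaultdict(set)
    for row in parse_traffic(log_text):
        sessions[row[RULE]].add(row[SESSION_ID])
    return {rule: len(ids) for rule, ids in sessions.items()}


def unused_rules(rule_names, log_text):
    """Rules from the rulebase with no session in the log window."""
    seen = session_counts(log_text)
    return [name for name in rule_names if name not in seen]


def default_deny_apps(log_text):
    """Applications denied or dropped by interzone-default, sorted. These lines
    only exist if that default rule was overridden to enable logging."""
    apps = {row[APP] for row in parse_traffic(log_text)
            if row[RULE] == "interzone-default" and row[SUBTYPE] in ("drop", "deny")}
    return sorted(apps)


if __name__ == "__main__":
    print(line_counts(SAMPLE_LOG))
    print(session_counts(SAMPLE_LOG))
    print(unused_rules(["allow-web", "deny-ssh-out", "allow-any-out"], SAMPLE_LOG))
    print(default_deny_apps(SAMPLE_LOG))
```

Compare line_counts with session_counts on the sample: allow-web shows three lines but two sessions. Run unused_rules over a log window that spans at least one reboot before disabling or deleting a rule, and use default_deny_apps to see what falls through to interzone-default; it returns nothing at all until that rule's logging has been enabled by overriding it.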
Overriding or Reverting a Security Policy Rule
The default security rules—interzone-default and intrazone-default—have predefined settings that you can override on a firewall or on Panorama. If a firewall receives the default rules from a device group, you can also override the device group settings. The firewall or virtual system where you perform the override stores a local version of the rule in its configuration. The settings you can override are a subset of the full set (the following table lists the subset for security rules). For details on the default security rules, see Policies > Security.
To override a rule, select Policies > Security on a firewall or Policies > Security > Default Rules on Panorama. The Name column displays the inheritance icon for rules you can override. Select the rule, click Override, and edit the settings in the following table.
To revert an overridden rule to its predefined settings or to the settings pushed from a Panorama device group, select Policies > Security on a firewall or Policies > Security > Default Rules on Panorama. The Name column displays the override icon for rules that have overridden values. Select the rule, click Revert, and click Yes to confirm the operation.
Field (Override a Default Security Rule): Description
General Tab
Name The Name that identifies the rule is read-only; you cannot override it.
Rule Type The Rule Type is read-only; you cannot override it.
Description The Description is read-only; you cannot override it.
Tag Select Tags from the drop-down. A policy tag is a keyword or phrase that enables you to sort or filter policies. This is useful when you have defined many policies and want to view those that are tagged with a particular keyword. For example, you might want to tag certain security policies with Inbound to DMZ, tag specific decryption policies with the words Decrypt or No-decrypt, or use the name of a specific data center for policies associated with that location.
Actions Tab
Action Setting: Select the appropriate Action for traffic that matches the rule.
Allow —(default) Allows the traffic.
Deny —Blocks traffic and enforces the default Deny Action that is defined for the application that the firewall is denying. To view the deny action that is defined by default for an application, view the application details in Objects > Applications.
Drop —Silently drops the traffic. The firewall does not send a TCP reset message to the host or application.
Reset client —Sends a TCP reset message to the client-side device.
Reset server —Sends a TCP reset message to the server-side device.
Reset both —Sends a TCP reset message to both the client-side and server-side devices.
Profile Setting: Profile Type —Assign profiles or profile groups to the security rule. To specify the checking that the default security profiles perform, select Profiles and then select one or more of the individual Antivirus, Vulnerability Protection, Anti-Spyware, URL Filtering, File Blocking, Data Filtering, and WildFire Analysis profiles. To assign a profile group rather than individual profiles, select Group and then select a Group Profile from the drop-down. To define new profiles (Objects > Security Profiles) or profile groups (Objects > Security Profile Groups), click New in the drop-down for the corresponding profile or group.
Log Setting: Specify any combination of the following options:
Log Forwarding —To forward the local traffic log and threat log entries to remote destinations, such as Panorama and syslog servers, select a Log Forwarding profile from the drop-down. Security profiles determine the generation of Threat log entries. To define a new Log Forwarding profile, select Profile in the drop-down (see Objects > Log Forwarding).
To generate entries in the local traffic log for traffic that matches this rule, select the following options:
Log at Session Start —Generates a traffic log entry for the start of a session (cleared by default on the default rules).
Log at Session End —Generates a traffic log entry for the end of a session (cleared by default on the default rules).
If you configure the firewall to include session start or session end entries in the Traffic log, it will also include drop and deny entries. Because neither option is enabled on the predefined rules, traffic that falls through to interzone-default is denied without any log entry; override that rule and select Log at Session End if you want the denied traffic to appear in the Traffic log.