palo alto security policy banner - Google Search - Google Chrome 2020-01-21 10_45_40 AM (2)
Eric U Ngabonziza

How to create a Security policy in Palo Alto firewall

Any traffic traversing the dataplane of the Palo Alto Networks firewall is matched against a security policy. Security policies on the Palo Alto firewall are created by using various criteria such as zones, applications, IP addresses, ports, users and they can allow or deny traffic.

STEP 1: ADD a rule

Select “Policies” and click Add.

Enter a descriptive Name for the rule in the General tab.

Select a Rule Type.

STEP 2: Define the matching criteria for the source fields in the packet.

In the “Source tab”, set the source zone and specify a source IP Address or leave the value set to any.

In the “User tab”, specify a Source User or leave the value set to any.

STEP 3: Define the matching criteria for the destination fields in the packet.

In the “Destination tab”, set the Destination Zone.

Specify a Destination IP Address or leave the value set to any.

STEP 4: Specify the application the rule will allow or block.

In the “Applications tab”, Add the Application to safely enable.

You can select multiple applications or use application groups or application filters.

In the “Service/URL Category tab”, keep the Service set to application-default to ensure that any applications the rule allows are only allowed on their standard ports.

STEP 5: Define what action you want the firewall to take for traffic that matches the rule.

In the “Actions tab”, select an Action.

Configure the log settings.

By default, the rule is set to Log at Session End. You can clear this setting if you don’t want any logs generated when traffic matches this rule or select Log at Session Start for more detailed logging.

Select a Log Forwarding profile; e.g. Panorama, syslog or SIEM(Security information and event management).

Attach security profiles to enable the firewall to scan all allowed traffic for threats.

In the “Actions tab”, select Profiles from the Profile Type drop-down and then select the individual security profiles to attach to the rule.

Alternatively, select Group from the Profile Type drop-down and select a security Group Profile to attach.

Click on “OK” button to save the policy rule to the running configuration on the firewall

STEP 6: Save and apply the new configuration.

Save the policy rule to the running configuration on the firewall by clicking on Click Commit to save the new configuration.

STEP 6: Verification.

To verify the policy rule that matches a flow, you can use the GUI (image below) or you use the following CLI command:

test security-policy-match source <IP_address> destination <IP_address> destination port <port_number> protocol <protocol_number>

Author: Eric Uwonkunda Ngabonziza

Share this post

Share on facebook
Share on google
Share on twitter
Share on linkedin
Share on pinterest
Share on print
Share on email
en_USEnglish
fr_CAFrench en_USEnglish