topic Prisma Security Policy Configuration in Panorama Discussions https://live.paloaltonetworks.com/t5/panorama-discussions/prisma-security-policy-configuration/m-p/561408#M1916 <P>Forgive me as this question will probably seem a bit daft. We are using Prisma Access (Panorama Managed) , we have two mapped zones - one for trust and one to untrust. We have service connections that allow our users to access internal resources.&nbsp;&nbsp;</P> <P>&nbsp;</P> <P>I have a question about Sec Pol configuration for our mobile users device group.&nbsp;</P> <P>&nbsp;</P> <P>For our on-prem NGFWs we use best practice policies described here.&nbsp;</P> <P>&nbsp;</P> <P><A href="https://docs.paloaltonetworks.com/best-practices/internet-gateway-best-practices/best-practice-internet-gateway-security-policy/define-the-initial-internet-gateway-security-policy/step-1-create-rules-based-on-trusted-threat-intelligence-sources" target="_blank">https://docs.paloaltonetworks.com/best-practices/internet-gateway-best-practices/best-practice-internet-gateway-security-policy/define-the-initial-internet-gateway-security-policy/step-1-create-rules-based-on-trusted-threat-intelligence-sources</A></P> <P>&nbsp;</P> <P>Is this also appropriate for prisma mobile users, (we do not split tunnel internet traffic) Please see screen shot above for proposed configuration. I guess my question more specifically is do we need the rules that block these dynamic lists as source , or is destination enough?&nbsp; I guess my hesitation is because it don't really understand with prisma how traffic originating from untrust is treated , does the predefined network even allow any traffic originating from untrust ?&nbsp;</P> Thu, 12 Oct 2023 10:07:24 GMT jbusby 2023-10-12T10:07:24Z Prisma Security Policy Configuration https://live.paloaltonetworks.com/t5/panorama-discussions/prisma-security-policy-configuration/m-p/561408#M1916 <P>Forgive me as this question will probably seem a bit daft. We are using Prisma Access (Panorama Managed) , we have two mapped zones - one for trust and one to untrust. We have service connections that allow our users to access internal resources.&nbsp;&nbsp;</P> <P>&nbsp;</P> <P>I have a question about Sec Pol configuration for our mobile users device group.&nbsp;</P> <P>&nbsp;</P> <P>For our on-prem NGFWs we use best practice policies described here.&nbsp;</P> <P>&nbsp;</P> <P><A href="https://docs.paloaltonetworks.com/best-practices/internet-gateway-best-practices/best-practice-internet-gateway-security-policy/define-the-initial-internet-gateway-security-policy/step-1-create-rules-based-on-trusted-threat-intelligence-sources" target="_blank">https://docs.paloaltonetworks.com/best-practices/internet-gateway-best-practices/best-practice-internet-gateway-security-policy/define-the-initial-internet-gateway-security-policy/step-1-create-rules-based-on-trusted-threat-intelligence-sources</A></P> <P>&nbsp;</P> <P>Is this also appropriate for prisma mobile users, (we do not split tunnel internet traffic) Please see screen shot above for proposed configuration. I guess my question more specifically is do we need the rules that block these dynamic lists as source , or is destination enough?&nbsp; I guess my hesitation is because it don't really understand with prisma how traffic originating from untrust is treated , does the predefined network even allow any traffic originating from untrust ?&nbsp;</P> Thu, 12 Oct 2023 10:07:24 GMT https://live.paloaltonetworks.com/t5/panorama-discussions/prisma-security-policy-configuration/m-p/561408#M1916 jbusby 2023-10-12T10:07:24Z