https://live.paloaltonetworks.com/t5/general-topics/need-help-understanding-how-to-setup-conditions-for-firewalls/m-p/449211#M100905 <P>The policy sequence already kind of does “if then”... &nbsp;</P><P>if match policy 1 then do... &nbsp; if not then next policy...</P><P>&nbsp;</P><P>i would be more granular on your allow as per&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/132521">@SutareMayur</a>&nbsp; and only allow those intended..</P><P>if this is not possible then move your more specific deny policy above the allow...</P><P>that is why we have policy numbering and the ability to move them up or down...</P><P>&nbsp;</P> Wed, 24 Nov 2021 08:20:18 GMT Mick_Ball 2021-11-24T08:20:18Z https://live.paloaltonetworks.com/t5/general-topics/need-help-understanding-how-to-setup-conditions-for-firewalls/m-p/449136#M100901 <P>As it stands m firewall looks at rules in a sequential sense and applies rules in that way.&nbsp;</P><P>meaning if it reaches a Deny it will immediately cancel a packet (which isn't necessarily bad) but it also means if a rule permits a user to do something interferes with another that denies him something - the user will get access to things they shouldn't.&nbsp;</P><P>My question here is can I make rules that follow the logic of "if ___ then ___" instead of the traditional "when__ do___"</P> Tue, 23 Nov 2021 21:00:54 GMT https://live.paloaltonetworks.com/t5/general-topics/need-help-understanding-how-to-setup-conditions-for-firewalls/m-p/449136#M100901 TPalo2809 2021-11-23T21:00:54Z https://live.paloaltonetworks.com/t5/general-topics/need-help-understanding-how-to-setup-conditions-for-firewalls/m-p/449208#M100904 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/200925">@TPalo2809</a>&nbsp;,</P> <P>&nbsp;</P> <P>Yes you can write more granular security policy which will allow only specific traffic request based on the allowed parameters. Now to achieve it, only keeping Source/Dest IP addresses and services based policies won’t help.</P> <P>You would need to use different features of palo alto firewalls like USER-ID agent, security profiles like URL filtering, Vulnerability/Anti-Spyware profiles, Data Filtering etc. Such Security Profiles helps to allow only specific traffic and also it blocks traffic if any of threat pattern is observed. With USER-ID agent, you can also add user-id based policy where source user will be checked and then it will allow/deny based on the policy action. Palo Alto App-ID helps you to leverage behavioral characteristics and decide to allow/restrict if exact application is not identified.</P> <P>&nbsp;</P> <P>The best thing about all these features is it gets updated automatically on the palo alto update server. We just need to configure our firewall to download the updated version and install same.</P> <P>&nbsp;</P> <P>So by leveraging all such features, you can define strict policy set to achieve your requirement. To get more clarity, you can refer <A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClmACAS" target="_self">this</A> article.</P> <P>&nbsp;</P> <P>Hope it helps!</P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 24 Nov 2021 07:00:50 GMT https://live.paloaltonetworks.com/t5/general-topics/need-help-understanding-how-to-setup-conditions-for-firewalls/m-p/449208#M100904 SutareMayur 2021-11-24T07:00:50Z https://live.paloaltonetworks.com/t5/general-topics/need-help-understanding-how-to-setup-conditions-for-firewalls/m-p/449211#M100905 <P>The policy sequence already kind of does “if then”... &nbsp;</P><P>if match policy 1 then do... &nbsp; if not then next policy...</P><P>&nbsp;</P><P>i would be more granular on your allow as per&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/132521">@SutareMayur</a>&nbsp; and only allow those intended..</P><P>if this is not possible then move your more specific deny policy above the allow...</P><P>that is why we have policy numbering and the ability to move them up or down...</P><P>&nbsp;</P> Wed, 24 Nov 2021 08:20:18 GMT https://live.paloaltonetworks.com/t5/general-topics/need-help-understanding-how-to-setup-conditions-for-firewalls/m-p/449211#M100905 Mick_Ball 2021-11-24T08:20:18Z