https://live.paloaltonetworks.com/t5/general-topics/clarification-on-how-pa-process-security-profile-with-applied/m-p/561400#M113758 <P>Hi All,</P> <P>&nbsp;</P> <P>I have a quick question and hopefully someone can help me understand how security profile is processed by PA.</P> <P>&nbsp;</P> <P>I understand that security profile is processed from left to right, then top to bottom. My question is, does all criteria need to match so that the traffic will match the rule? Is the logic used by PA is AND or OR?</P> <P>&nbsp;</P> <OL> <LI>Source and destination address</LI> <LI>Source ports and destination ports</LI> <LI>Applications</LI> <LI>User-ID</LI> <LI>URL category</LI> <LI>Source and destination zones</LI> </OL> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 12 Oct 2023 09:23:56 GMT RadianLinog 2023-10-12T09:23:56Z https://live.paloaltonetworks.com/t5/general-topics/clarification-on-how-pa-process-security-profile-with-applied/m-p/561400#M113758 <P>Hi All,</P> <P>&nbsp;</P> <P>I have a quick question and hopefully someone can help me understand how security profile is processed by PA.</P> <P>&nbsp;</P> <P>I understand that security profile is processed from left to right, then top to bottom. My question is, does all criteria need to match so that the traffic will match the rule? Is the logic used by PA is AND or OR?</P> <P>&nbsp;</P> <OL> <LI>Source and destination address</LI> <LI>Source ports and destination ports</LI> <LI>Applications</LI> <LI>User-ID</LI> <LI>URL category</LI> <LI>Source and destination zones</LI> </OL> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 12 Oct 2023 09:23:56 GMT https://live.paloaltonetworks.com/t5/general-topics/clarification-on-how-pa-process-security-profile-with-applied/m-p/561400#M113758 RadianLinog 2023-10-12T09:23:56Z https://live.paloaltonetworks.com/t5/general-topics/clarification-on-how-pa-process-security-profile-with-applied/m-p/561403#M113761 <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVHCA0" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVHCA0</A></P> <P>&nbsp;</P> <P>This explains how PAN device handles packet and each feature works.</P> <P>At beginning of section 3, it says...</P> <DIV class="tb f108"><EM>A&nbsp; firewall session consists of two unidirectional flows, each uniquely identified. In&nbsp;PAN-OS ’s implementation, the firewall identifies the flow using a 6-tuple key:</EM></DIV> <UL> <LI class="tb f108"><EM><SPAN class="tx f120">Source and destination addresses: IP addresses from the IP packet.&nbsp;</SPAN></EM></LI> <LI class="tb f108"><EM><SPAN class="tx f120">Source and destination ports:&nbsp; Port numbers from TCP/UDP protocol headers.&nbsp; For non-TCP/UDP, different&nbsp; protocol&nbsp; fields are used (e.g. for ICMP the ICMP identifier and&nbsp;<SPAN class="tx f116">sequence numbers are used, for IPSec terminating on device the Security Parameter Index (SPI) is used, and for unknown, a constant reserved value is used to skip Layer-4 match).</SPAN></SPAN></EM></LI> <LI class="tb f108"><EM>Protocol:&nbsp;The IP protocol number from the IP header is used to derive the flow key . &nbsp;</EM></LI> <LI class="tb f108"><EM>Security zone:&nbsp;This field is derived from the ingress interface at which a packet&nbsp;arrives.</EM></LI> </UL> <P>&nbsp;</P> <P>Other elements you are listing are used after few more packets are traversed.</P> <P>Hope this helps you.</P> Thu, 12 Oct 2023 09:44:56 GMT https://live.paloaltonetworks.com/t5/general-topics/clarification-on-how-pa-process-security-profile-with-applied/m-p/561403#M113761 emr_1 2023-10-12T09:44:56Z