<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Security Policy for Anti-virus blocks or allows all in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/security-policy-for-anti-virus-blocks-or-allows-all/m-p/15760#M11521</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi Marcel,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks for the reply. I believe I understand most of what you said. I do have a few more questions.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If what you say is true, then why if I have a rule that is for checking for viruses only and I set the security policy action to allow; then why does the log say that that rule is allowing traffic through instead of the rule following it?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I guess I'm coming from my old firewall's perspective. I want to create a rule for each profile I have created, have the traffic go through each rule, until it's reached the last rule and then allow the traffic to go to its final destination.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I hope I'm making sense.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks,&lt;/P&gt;&lt;P&gt;Daniel&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Fri, 09 Jul 2010 16:54:17 GMT</pubDate>
    <dc:creator>numberall</dc:creator>
    <dc:date>2010-07-09T16:54:17Z</dc:date>
    <item>
      <title>Security Policy for Anti-virus blocks or allows all</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/security-policy-for-anti-virus-blocks-or-allows-all/m-p/15758#M11519</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I've watched the video on how to set up a URL filter security policy. It shows the action selected to be allow. When I created an Anti-virus Profile I set it up to block anything on http.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I then went and created the Security policy selecting that anti-virus profile. If I leave the action set to allowed, this Policy is then shown as letting all traffic through in the logs. If I set the action to Block, then the logs show this Policy as blocking all http traffic.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Can anyone please tell me what step I'm missing?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks,&lt;/P&gt;&lt;P&gt;Daniel&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 07 Jul 2010 22:12:44 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/security-policy-for-anti-virus-blocks-or-allows-all/m-p/15758#M11519</guid>
      <dc:creator>numberall</dc:creator>
      <dc:date>2010-07-07T22:12:44Z</dc:date>
    </item>
    <item>
      <title>Re: Security Policy for Anti-virus blocks or allows all</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/security-policy-for-anti-virus-blocks-or-allows-all/m-p/15759#M11520</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi Daniel,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;There are a couple of actions that you can specify:&lt;/P&gt;&lt;P&gt;-&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; If you set an action in the URL profile it will only take effect on the category you set the action on. So for example if you do not want people to search for another job you can set the action to block on the category job-search.&lt;/P&gt;&lt;P&gt;-&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; If you set an action in the antivirus profile it will only take effect when we find a virus. If we find one we will take the action you have applied on the profile.&lt;/P&gt;&lt;P&gt;-&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; If you set an action in the security policy it will take effect if the traffic matches the policy. So if you set up a policy that includes service 80 and set the action to block it will block all traffic on port 80.&lt;/P&gt;&lt;P&gt;-&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; The different actions do not overrule each other. So the security policy action does not overrule the profile actions.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Hope this helps.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Marcel&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 08 Jul 2010 17:59:52 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/security-policy-for-anti-virus-blocks-or-allows-all/m-p/15759#M11520</guid>
      <dc:creator>mderksen</dc:creator>
      <dc:date>2010-07-08T17:59:52Z</dc:date>
    </item>
    <item>
      <title>Re: Security Policy for Anti-virus blocks or allows all</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/security-policy-for-anti-virus-blocks-or-allows-all/m-p/15760#M11521</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi Marcel,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks for the reply. I believe I understand most of what you said. I do have a few more questions.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If what you say is true, then why if I have a rule that is for checking for viruses only and I set the security policy action to allow; then why does the log say that that rule is allowing traffic through instead of the rule following it?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I guess I'm coming from my old firewall's perspective. I want to create a rule for each profile I have created, have the traffic go through each rule, until it's reached the last rule and then allow the traffic to go to its final destination.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I hope I'm making sense.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks,&lt;/P&gt;&lt;P&gt;Daniel&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 09 Jul 2010 16:54:17 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/security-policy-for-anti-virus-blocks-or-allows-all/m-p/15760#M11521</guid>
      <dc:creator>numberall</dc:creator>
      <dc:date>2010-07-09T16:54:17Z</dc:date>
    </item>
    <item>
      <title>Re: Security Policy for Anti-virus blocks or allows all</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/security-policy-for-anti-virus-blocks-or-allows-all/m-p/15761#M11522</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Daniel,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The key to understanding the rulebase is to understand that it is always "first match". If there is a rule that matches (i.e. all the columns to the left of the action column match the traffic) that is the rule that will be used to allow or deny the traffic. Once a match is found, the action is taken. If the action is allow, any profiles applied are then used to scan the traffic. If the application changes midstream, the rulebase is rescanned with the new application to be sure that application should also be allowed. The information in the profile is not used as part of the match criteria.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Mike&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Sat, 10 Jul 2010 01:16:55 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/security-policy-for-anti-virus-blocks-or-allows-all/m-p/15761#M11522</guid>
      <dc:creator>mjacobsen</dc:creator>
      <dc:date>2010-07-10T01:16:55Z</dc:date>
    </item>
    <item>
      <title>Re: Security Policy for Anti-virus blocks or allows all</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/security-policy-for-anti-virus-blocks-or-allows-all/m-p/15762#M11523</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi Mike,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Your last sentence cleared it up for me.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The information in the profile is not used as part of the match criteria.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;That is what was holding up my understanding of how to apply policies!&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks,&lt;/P&gt;&lt;P&gt;Daniel&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 13 Jul 2010 19:31:15 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/security-policy-for-anti-virus-blocks-or-allows-all/m-p/15762#M11523</guid>
      <dc:creator>numberall</dc:creator>
      <dc:date>2010-07-13T19:31:15Z</dc:date>
    </item>
  </channel>
</rss>

