https://live.paloaltonetworks.com/t5/general-topics/applying-security-policies-with-security-profile-groups/m-p/30136#M22022 <HTML><HEAD></HEAD><BODY><P>Rules are applied for the direction which the session is expected to start with.</P><P></P><P>If you have something like:</P><P></P><P>rule:1</P><P>srczone: WIFI</P><P>dstzone: INTERNET</P><P>srcip: x.x.x.x/24</P><P>dstip: any</P><P>appid: web-browsing</P><P>service: TCP80</P><P>action: allow</P><P></P><P>it means that WIFI-clients will be able to do web-browsing over TCP80 towards Internet (if they (the WIFI-clients) start the session).</P><P></P><P>However if someone from INTERNET tries to initiate a session towards one of your WIFI-clients it will fail unless you allow that traffic aswell like:</P><P></P><P>rule:2</P><P>srczone: INTERNET</P><P>dstzone: WIFI</P><P>srcip: any</P><P>dstip: x.x.x.x/24</P><P>appid: web-browsing</P><P>service: TCP80</P><P>action: allow</P><P></P><P>Also note that PAN uses top-down first-match (similar to cisco acl) which means that you cannot "combine" security rules. The first security rule (from above in your rule list) which match the traffic will be used to determine if the flow should be allowed or denied.</P><P></P><P>For example something like:</P><P></P><P>rule:1</P><P>srczone: any</P><P>dstzone: any</P><P>srcip: any</P><P>dstip: any</P><P>appid: any</P><P>service: any</P><P>security: antivirus</P><P>action: allow</P><P></P><P>rule:2</P><P>srczone: WIFI</P><P>dstzone: INTERNET</P><P>srcip: x.x.x.x/24</P><P>dstip: any</P><P>appid: web-browsing</P><P>service: TCP80</P><P>action: allow</P><P></P><P>just wont work as expected (if you expect the above to do antivirus for ALL traffic and then just allow web-browsing from WIFI to INTERNET) because your WIFI to INTERNET traffic will always match rule1 and rule1 allows any protocol (including unknown) in any direction (mostly a bad idea unless you setup PAN in a new environment and need to learn how the flows goes before you setup default block and only allow whats expected to flow through your PAN).</P><P></P><P>The correct setup of above would be:</P><P></P><P>rule:1</P><P>srczone: WIFI</P><P>dstzone: INTERNET</P><P>srcip: x.x.x.x/24</P><P>dstip: any</P><P>appid: web-browsing</P><P>service: TCP80</P><P>security: antivirus</P><P>action: allow</P><P></P><P>Also note that if you dont put any last rule there is an "invisible" rule that will drop/deny the traffic.</P><P></P><P>In order to have such traffic logged you need to manually setup an any/any deny+log rule like:</P><P></P><P>rule:&lt;lastone&gt;</P><P>srczone: any</P><P>dstzone: any</P><P>srcip: any</P><P>dstip: any</P><P>appid: any</P><P>service: any</P><P>action: deny</P><P>option: log (on session end)</P><P></P><P>Log on session end is prefered because PAN will then also know transmitted volume, start/end of session, and something else I always forgets (appid?). During debug log on both session start AND session end could be nice but in a large environment will result in shitloads of logs.</P></BODY></HTML> Thu, 22 Mar 2012 22:32:59 GMT mikand 2012-03-22T22:32:59Z https://live.paloaltonetworks.com/t5/general-topics/applying-security-policies-with-security-profile-groups/m-p/30135#M22021 <HTML><HEAD></HEAD><BODY><P>Typically, are these applied on the inbound direction or outbound direction of an interface?</P><P></P><P>And if you wanted to protect an entire zone/interface would you just apply it to any source and any destination?</P><P></P><P>For example if you wanted to apply Antivirus to a interface dedicated to your Wifi access devices?</P><P></P><P>Thanks</P></BODY></HTML> Thu, 22 Mar 2012 21:42:47 GMT https://live.paloaltonetworks.com/t5/general-topics/applying-security-policies-with-security-profile-groups/m-p/30135#M22021 dkhoe 2012-03-22T21:42:47Z https://live.paloaltonetworks.com/t5/general-topics/applying-security-policies-with-security-profile-groups/m-p/30136#M22022 <HTML><HEAD></HEAD><BODY><P>Rules are applied for the direction which the session is expected to start with.</P><P></P><P>If you have something like:</P><P></P><P>rule:1</P><P>srczone: WIFI</P><P>dstzone: INTERNET</P><P>srcip: x.x.x.x/24</P><P>dstip: any</P><P>appid: web-browsing</P><P>service: TCP80</P><P>action: allow</P><P></P><P>it means that WIFI-clients will be able to do web-browsing over TCP80 towards Internet (if they (the WIFI-clients) start the session).</P><P></P><P>However if someone from INTERNET tries to initiate a session towards one of your WIFI-clients it will fail unless you allow that traffic aswell like:</P><P></P><P>rule:2</P><P>srczone: INTERNET</P><P>dstzone: WIFI</P><P>srcip: any</P><P>dstip: x.x.x.x/24</P><P>appid: web-browsing</P><P>service: TCP80</P><P>action: allow</P><P></P><P>Also note that PAN uses top-down first-match (similar to cisco acl) which means that you cannot "combine" security rules. The first security rule (from above in your rule list) which match the traffic will be used to determine if the flow should be allowed or denied.</P><P></P><P>For example something like:</P><P></P><P>rule:1</P><P>srczone: any</P><P>dstzone: any</P><P>srcip: any</P><P>dstip: any</P><P>appid: any</P><P>service: any</P><P>security: antivirus</P><P>action: allow</P><P></P><P>rule:2</P><P>srczone: WIFI</P><P>dstzone: INTERNET</P><P>srcip: x.x.x.x/24</P><P>dstip: any</P><P>appid: web-browsing</P><P>service: TCP80</P><P>action: allow</P><P></P><P>just wont work as expected (if you expect the above to do antivirus for ALL traffic and then just allow web-browsing from WIFI to INTERNET) because your WIFI to INTERNET traffic will always match rule1 and rule1 allows any protocol (including unknown) in any direction (mostly a bad idea unless you setup PAN in a new environment and need to learn how the flows goes before you setup default block and only allow whats expected to flow through your PAN).</P><P></P><P>The correct setup of above would be:</P><P></P><P>rule:1</P><P>srczone: WIFI</P><P>dstzone: INTERNET</P><P>srcip: x.x.x.x/24</P><P>dstip: any</P><P>appid: web-browsing</P><P>service: TCP80</P><P>security: antivirus</P><P>action: allow</P><P></P><P>Also note that if you dont put any last rule there is an "invisible" rule that will drop/deny the traffic.</P><P></P><P>In order to have such traffic logged you need to manually setup an any/any deny+log rule like:</P><P></P><P>rule:&lt;lastone&gt;</P><P>srczone: any</P><P>dstzone: any</P><P>srcip: any</P><P>dstip: any</P><P>appid: any</P><P>service: any</P><P>action: deny</P><P>option: log (on session end)</P><P></P><P>Log on session end is prefered because PAN will then also know transmitted volume, start/end of session, and something else I always forgets (appid?). During debug log on both session start AND session end could be nice but in a large environment will result in shitloads of logs.</P></BODY></HTML> Thu, 22 Mar 2012 22:32:59 GMT https://live.paloaltonetworks.com/t5/general-topics/applying-security-policies-with-security-profile-groups/m-p/30136#M22022 mikand 2012-03-22T22:32:59Z