topic Re: What is policy order inspection on Palo alto? in General Topics

What is policy order inspection on Palo alto?

el — Wed, 19 Sep 2012 15:14:12 GMT

Hi All,

in policy tab there are a few policy like security, NAT, Qos, PBF, Decryption, Application override, captive portal and DOS protection. my question is what is policy order inspection on Palo alto.which policy palo alto will look first?

thanks

Indra

Re: What is policy order inspection on Palo alto?

essnet — Wed, 19 Sep 2012 15:19:57 GMT

my guess :

1 - PBF because PBF can change destination Zone/internface

2 - NAT for same reasons

3 - App override because Security policy can rely on it

4 - CP

5 - Security (finally

6 - Decryption

Note that some layers are so connected, I wouldn't be surprised to know that they depend on each other.

Re: What is policy order inspection on Palo alto?

ExclusiveNetworksGermany — Wed, 19 Sep 2012 16:13:00 GMT

1 PBF

2 NAT Precheck (if we have to NAT later)

3 Decryption

4 App Override

5 CP (not 100% sure that CP is at this stage)

6 Security

7 NAT applied

Kind regards

Marco

Re: What is policy order inspection on Palo alto?

sdurga — Wed, 19 Sep 2012 16:24:16 GMT

https://live.paloaltonetworks.com/docs/DOC-1628

Re: What is policy order inspection on Palo alto?

sdurga — Thu, 20 Sep 2012 06:06:02 GMT

So from the Packet life document we can summarize this as

1)PBF

2)Regular Routing table

3)Nat policy evaluation to determine egress zone ( not actual nat is happening in this stage)

4)Security policy (captive portal depends on the security policy)

5)Nat translation (conversion of the addresses)

6)Ssl decryption

7)App override

8)Second security policy match to block traffic beasd on applications.

9)Qos on the egress interface.

Security look up is done twice one before app identification and another app identification.

Re: What is policy order inspection on Palo alto?

el — Thu, 20 Sep 2012 12:46:44 GMT

HI All

why app override order after security policy? if i'm not wrong, with app override will bypass app id engine. if security come first mean will check till app layer please correct me if im wrong then where is DOS proection when fw will inspect? btw for every policy available we always must to create security policy?

ex. i want to create DOS protection policy so mean need to create on DOS policy and also on security policy, etc. if got any document that can make me easily to understand it would be good, for packet flow documentation its not really clear for me.

thanks

Indra Elkim

Re: What is policy order inspection on Palo alto?

ppatel — Thu, 20 Sep 2012 23:09:37 GMT

Hi Indra,

As mentioned before the security policy are processed 2 times, one before the application inspection and one after the application inspection. So after we process the security rule for the first time it goes and check the application over-ride rule

Same should be the case of DOS protection policies.

For example, if you want to create an application over-ride rule from source zone :-Trust to Destination zone:-Untrust , you still have to create a security policy for the traffic and sessions from Trust to untrust zone. DOS rules also works the same way.

Just make sure, Security policy is used to govern traffic within the security zones except the fact that PBF,regular routing table takes precedence .

Let me know if that helps.

Regards

Parth