topic Re: Usage of Security Policy in Palo Alto Firewall in General Topics

Usage of Security Policy in Palo Alto Firewall

harshaabba — Sat, 25 Feb 2017 00:23:29 GMT

hi All,

I am bit confuse of the usage of rule no 2 and 3. Eventually they will deny the traffic. But which two benefits are gained from having both rule 2 and rule 3 presents? Any clarification please.

A.   A report can be created that identifies unclassified traffic on the network.
B.   Different security profiles can be applied to traffic matching rules 2 and 3.
C.   Rule 2 and 3 apply to traffic on different ports.
D.   Separate Log Forwarding profiles can be applied to rules 2 and 3.

Re: Usage of Security Policy in Palo Alto Firewall

bradk14 — Sat, 25 Feb 2017 12:28:43 GMT

I'll go out on a limb and attempt an answer and hopefully someone will correct me if I'm wrong, so take this with a grain of salt:

A. A report can be created that identifies unclassified traffic on the network.

Based on the rules, an app is going to fall under either: Known Good, Known Bad or 'any' which would fall under being unclassified. For example, if Twitter is in neither of those two object groups, then it is unclassified and you can run a report showing that it was attempted to be accessed based on rule #3 being hit (or more simply, just apply a filter in the traffic log).

B. Different security profiles can be applied to traffic matching rules 2 and 3.

While this is technically true, security profiles are only processed if the policy action is allow, so they will have no effect here. (i.e., it would be a waste of resources to run threat prevention against a session that won't be allowed anyway).

C. Rule 2 and 3 apply to traffic on different ports.

As both apply to all ('any') ports, this would not make sense.

D. Separate Log Forwarding profiles can be applied to rules 2 and 3.

As with B, this is true as well. Only in this case, it will be applied, so you can choose where the results of either policy will be forwarded to.

Therefore my answer would be A & D.

Re: Usage of Security Policy in Palo Alto Firewall

BenjAudy.MTL — Sat, 25 Feb 2017 16:17:16 GMT

@bradk14 I concur!

Benjamin

Re: Usage of Security Policy in Palo Alto Firewall

harshaabba — Sun, 26 Feb 2017 02:11:26 GMT

Thanks a lot mate for the great explanation

@bradk14 wrote:
I'll go out on a limb and attempt an answer and hopefully someone will correct me if I'm wrong, so take this with a grain of salt:

A.   A report can be created that identifies unclassified traffic on the network.
Based on the rules, an app is going to fall under either: Known Good, Known Bad or 'any' which would fall under being unclassified. For example, if Twitter is in neither of those two object groups, then it is unclassified and you can run a report showing that it was attempted to be accessed based on rule #3 being hit (or more simply, just apply a filter in the traffic log).

B.   Different security profiles can be applied to traffic matching rules 2 and 3.
While this is technically true, security profiles are only processed if the policy action is allow, so they will have no effect here. (i.e., it would be a waste of resources to run threat prevention against a session that won't be allowed anyway).

C.   Rule 2 and 3 apply to traffic on different ports.
As both apply to all ('any') ports, this would not make sense.

D.   Separate Log Forwarding profiles can be applied to rules 2 and 3.
As with B, this is true as well. Only in this case, it will be applied, so you can choose where the results of either policy will be forwarded to.

Therefore my answer would be A & D.

Thanks a lot mate for the great explanation.

Re: Usage of Security Policy in Palo Alto Firewall

gtomte — Sun, 26 Feb 2017 14:15:16 GMT

The setup you see here, is used for port to App-ID migration. Customer migrating from other firewalls, port based, to Palo Alto Networks, will typically be done with no policy changes as the first step. Then App-ID adoption is the next step.

Other customers start from scratch, building an App-ID based ruleset from day 1. Then the 3 policy lines you see will be used. The last rule you could call a "clean up rule". Everything that are to match that rule, are for you to move into one of the two above. Me personally would have moved the known bad to the top. When you've cleaned up things, after verifying for days or weeks, depends on you gut feeling, and when you see close to nothing in the last rule, you could just disable/delete the any rule. Then you've created a Application based White List ruleset. And that's what Palo Alto Networks is all about, bringing back the default action of the firewall, by doing what the intention of the firewall has always been, to control what you allow.