topic Re: Feature Request - Security Profile policy in General Topics

Feature Request - Security Profile policy

mgusta — Fri, 19 May 2017 09:04:08 GMT

Hi,

One thing about configuring security profiles is that when I like to change a security profile, there are so many security rules to update with the correct profile. I know I can change the profile itself and all policies using that profile will be affected but that is not always what I want. In my view it would be much better to place security profiles in their own policies - like decryption, authentication etc. Then we can add the the profile to exactly the type of traffic we want without needing to bother with what security rule that traffic hits. What do you think?

Re: Feature Request - Security Profile policy

Raido_Rattameister — Fri, 19 May 2017 11:16:59 GMT

It is easy to do in CLI.

> set cli config-output-format set

> configure

# show rulebase security | match "profile-setting group"

Copy output to Notepad.

Find and replace all old security profile names with new one.

And paste those commands back into CLI window.

# commit

Re: Feature Request - Security Profile policy

mgusta — Fri, 19 May 2017 11:49:31 GMT

Ok, thanks for the tip. That does have it´s use cases. My most recent scenario was when I wanted to try out the credential url filtering. With my suggestion all I would have had to do was add a sec. profile policy with the test user as source and apply to traffic from trust to untrust. Instead I had to create a clone of the current url filtering profile, add that to multiple (cloned, and added test user as source) security policies for traffic from trust to untrust.

Re: Feature Request - Security Profile policy

Remo — Sat, 20 May 2017 09:58:00 GMT

Hi @mgusta

I understand your point and there are definately some situations where your request could be useful. But personally I think you would also loose some granularity/visibility. For me it is better to choose per security policy rule what inspection should be applied. In addition I normally work work with security Profile groups. If I then need to test/change somethin for a specific user/group I simply clone the existing rule and add the new security profiles.
This also gives you the flexibility to apply different log forwarding profiles to specific rules. Ok this can now in PAN-OS 8 also be done with log gorwarding profile match lists but if you have a lot of specific cases for log forwarding (critical threat alerts-->snmp, traffic to sinkhole zone-->email,wildfiresubmissions to incident management-->http, ...) this will also add some complexity to the forwarding which is in some cases easier to handle with security policies with specific security profiles.

Regards,
Remo