https://live.paloaltonetworks.com/t5/general-topics/security-policy-granular-to-address-group/m-p/239437#M68567 <P>I have a group of computers that I want to apply a different security policy with a different Security Profile to.</P><P>&nbsp;</P><P>I have created 2 Security policies.</P><P>The first policy = Internet Out allow any -&nbsp; Trusted Zone to Untrusted Zone with the default 'basic file blocking' <EM>Security profile</EM>.</P><P>The second policy = Internet Out allow any&nbsp; - Trusted Zone with Source Address = Test_Group (specific group of computers) and a 'special file blocking' <EM>Security profile.</EM></P><P>&nbsp;</P><P>The policies don't seem to granulary apply. Meaning, the Top policy always applies to ALL Outgoing computers.</P><P>&nbsp;</P><P>I recently added a Negate Source in the first policy to see if it would allow the 'special group' of computers to pass over the first policy and have the second policy apply to them.&nbsp; This may have resolved my desired policy application results?</P><P>&nbsp;</P><P>If not - what could I be missing?</P><P>Thanks in advance.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Sun, 11 Nov 2018 22:54:52 GMT catrock 2018-11-11T22:54:52Z https://live.paloaltonetworks.com/t5/general-topics/security-policy-granular-to-address-group/m-p/239437#M68567 <P>I have a group of computers that I want to apply a different security policy with a different Security Profile to.</P><P>&nbsp;</P><P>I have created 2 Security policies.</P><P>The first policy = Internet Out allow any -&nbsp; Trusted Zone to Untrusted Zone with the default 'basic file blocking' <EM>Security profile</EM>.</P><P>The second policy = Internet Out allow any&nbsp; - Trusted Zone with Source Address = Test_Group (specific group of computers) and a 'special file blocking' <EM>Security profile.</EM></P><P>&nbsp;</P><P>The policies don't seem to granulary apply. Meaning, the Top policy always applies to ALL Outgoing computers.</P><P>&nbsp;</P><P>I recently added a Negate Source in the first policy to see if it would allow the 'special group' of computers to pass over the first policy and have the second policy apply to them.&nbsp; This may have resolved my desired policy application results?</P><P>&nbsp;</P><P>If not - what could I be missing?</P><P>Thanks in advance.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Sun, 11 Nov 2018 22:54:52 GMT https://live.paloaltonetworks.com/t5/general-topics/security-policy-granular-to-address-group/m-p/239437#M68567 catrock 2018-11-11T22:54:52Z https://live.paloaltonetworks.com/t5/general-topics/security-policy-granular-to-address-group/m-p/239445#M68568 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/98907">@catrock</a></P><P>&nbsp;</P><P>The firewall always evaluates the policies top&gt;down. So you need to place the more granular rule (the one with the specific source addresses) above the rule with the general access for your trust zone.</P> Sun, 11 Nov 2018 23:32:17 GMT https://live.paloaltonetworks.com/t5/general-topics/security-policy-granular-to-address-group/m-p/239445#M68568 Remo 2018-11-11T23:32:17Z https://live.paloaltonetworks.com/t5/general-topics/security-policy-granular-to-address-group/m-p/240327#M68872 <P>Thank you <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/16592">@Remo</a></P><P>&nbsp;</P><P>My policy's are as such in the attached image.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="catPturepl67.JPG" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/17579i623A6E8B5450CDDD/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="catPturepl67.JPG" alt="catPturepl67.JPG" /></span></P><P>Should work as desired - yes?</P><P>&nbsp;</P> Mon, 19 Nov 2018 14:38:24 GMT https://live.paloaltonetworks.com/t5/general-topics/security-policy-granular-to-address-group/m-p/240327#M68872 catrock 2018-11-19T14:38:24Z https://live.paloaltonetworks.com/t5/general-topics/security-policy-granular-to-address-group/m-p/240861#M68987 <P>Yes, that seems to be correct.</P><P>&nbsp;</P><P>What is the less strict address object?</P><P>&nbsp;</P><P>And what does the session logs show for the unexpectedly permitted traffic in the details?</P><P>&nbsp;</P> Thu, 22 Nov 2018 14:26:01 GMT https://live.paloaltonetworks.com/t5/general-topics/security-policy-granular-to-address-group/m-p/240861#M68987 pulukas 2018-11-22T14:26:01Z https://live.paloaltonetworks.com/t5/general-topics/security-policy-granular-to-address-group/m-p/242509#M69367 <P>Hello,</P><P>The Less_Strict_Object is a member of a Less_Strict_addy_grp that will be used to allow different secuity Profle group settings.</P><P>There is only 1 computer in this group - it is define by a single IP.&nbsp; I did have the IP address (defined in the object) 'ip netmask using a CIDR (192.168.0.23/24).&nbsp; I have removed the /24 from it to test further (192.168.0.23)</P><P>Specifically, I am trying to use it to allow my mac to download VMWare fusion updates that are TAR/other that I don't want other computers to be able to download.</P><P>&nbsp;</P><P>BTW: the policy order still doesn't seem to be working properly.</P><P>&nbsp;</P> Fri, 07 Dec 2018 14:39:14 GMT https://live.paloaltonetworks.com/t5/general-topics/security-policy-granular-to-address-group/m-p/242509#M69367 catrock 2018-12-07T14:39:14Z