topic Re: Security Policy Application in General Topics

Security Policy Application

GCSS-RT — Mon, 25 Feb 2019 20:33:45 GMT

Hello everyone,

I'm hoping someone can help me understand why a security policy is not applying the way I thought it should. Here's what I have:

I have each of our schools configured on different DHCP scopes. I then created an Address Object using slash notation for each of those DHCP scopes on the PAN. I then created a security policy per address object (per school building) and added the slash-notated address object as the source address.

The question I have is this...shouldn't this security policy apply to EVERY device that grabs an IP address from within the slash-notated network I created and designated as the source address in the security policy no matter if there is a username associated to the device or not?

Re: Security Policy Application

BPry — Tue, 26 Feb 2019 01:58:58 GMT

@GCSS-RT

You'd have to actually post the policy to see what the exact issue is. If you utilize 10.10.0.0/16 for example as a source-address that part of the policy will match 10.10.*.*, however depending on the rest of your policy it doesn't mean that every session would match this policy.

Re: Security Policy Application

Abdul_Razaq — Tue, 26 Feb 2019 07:11:23 GMT

Hi @GCSS-RT ,

like @BPry mentioned, it depends on your policy, as all the column other than action in the security is AND condition, if everything matches only, the security rule will be applied. if your rule is not user based(ie user any), it will hit this policy provided all other AND conditions are also mathed.

Re: Security Policy Application

GCSS-RT — Tue, 26 Feb 2019 12:49:26 GMT

I think I'm following what you guys are saying. The only settings I have in the policy are as follows:

Source Tab:

trust source zone

IP range as source address

Destination Tab:

untrust destination zone

Actions Tab:

Allow action

appropriate profiles applied under the Profile Settings section

everything else is set to "any" or the default setting.

Does this info help?

Re: Security Policy Application

Abdul_Razaq — Tue, 26 Feb 2019 13:00:44 GMT

Hi @GCSS-RT ,

As you have granularity only in IP range, rest set to any/default, all your traffic from those IP travelling through matched zones will hit same policy regardless of user.

Re: Security Policy Application

GCSS-RT — Tue, 26 Feb 2019 12:58:18 GMT

Reset the zone settings to any/default?

Re: Security Policy Application

Abdul_Razaq — Tue, 26 Feb 2019 13:04:31 GMT

Hi @GCSS-RT ,

Hope it is queries, are you facing any issue?,

The packet flow in PA will be like,

initial packet process, the source ip/user info, then destination zone via PBF/forwarding,
Then NAT policy evaluated (not applied)
then it checks for security policy

So you need to have source and destination zones anyway.

Re: Security Policy Application

BPry — Tue, 26 Feb 2019 14:00:12 GMT

Hold the boat there @Abdul_Razaq; I wouldn't recommend someone setup a policy that is just going to allow any traffic even for testing purposes as that runs the risk of having very big implications on the rest of their policy base depending on how their firewall is configured.

@GCSS-RT can you share the actual screenshot, cli output, or XML of the entry that you are having a problem with? If the policy is as you stated I would expect any traffic from your source IP Range to the untrust zone to be allowed per this policy. You'd also want to verify that the traffic you expect to be hitting this rule is being sourced from the trust zone and is actually destined to your untrust zone.

Re: Security Policy Application

GCSS-RT — Tue, 26 Feb 2019 14:44:18 GMT

Here's the CLI output for this security policy. Let me know what else I can supply that might help.

set rulebase security rules "EES Network" from trust
set rulebase security rules "EES Network" to untrust
set rulebase security rules "EES Network" source Network_EES
set rulebase security rules "EES Network" destination any
set rulebase security rules "EES Network" service any
set rulebase security rules "EES Network" application any
set rulebase security rules "EES Network" action allow
set rulebase security rules "EES Network" log-end yes
set rulebase security rules "EES Network" source-user any
set rulebase security rules "EES Network" category any
set rulebase security rules "EES Network" hip-profiles any
set rulebase security rules "EES Network" disabled no
set rulebase security rules "EES Network" log-start yes
set rulebase security rules "EES Network" profile-setting profiles url-filtering EESNetwork-Filtering-Profile
set rulebase security rules "EES Network" profile-setting profiles virus ANTIVIRUS
set rulebase security rules "EES Network" profile-setting profiles spyware SPYWARE
set rulebase security rules "EES Network" profile-setting profiles vulnerability VULNERABILITY

Re: Security Policy Application

BPry — Tue, 26 Feb 2019 14:49:06 GMT

@GCSS-RT ,

So I would fully expect that the capture any traffic from trust to untrust for anything within that Network_ESS object entry with how you've configured the security policy. If it isn't here's what I would look at:

1) Does the address object 'Network_EES' actually match what you are expecting. Sometimes you'll believe that the address object should be 192.168.0.0/16 and the person who entered it may have fat fingered the IP address.

2) Looking at the logs that don't hit this security policy, verify that the zones listed are what you expect and the traffic isn't taking an unexpected route.

Re: Security Policy Application

Chacko42 — Tue, 26 Feb 2019 14:53:25 GMT

@GCSS-RT And check in the unified log, if the connections are dropped by one of your Security profiles