Feature Request - Security Profile policy

Reply
L2 Linker

Feature Request - Security Profile policy

Hi,

 

One thing about configuring security profiles is that when I like to change a security profile, there are so many security rules to update with the correct profile. I know I can change the profile itself and all policies using that profile will be affected but that is not always what I want. In my view it would be much better to place security profiles in their own policies - like decryption, authentication etc. Then we can add the the profile to exactly the type of traffic we want without needing to bother with what security rule that traffic hits. What do you think?

 

 

L7 Applicator

Re: Feature Request - Security Profile policy

It is easy to do in CLI.

 

> set cli config-output-format set

> configure

# show rulebase security | match "profile-setting group"

 

Copy output to Notepad.

Find and replace all old security profile names with new one.

And paste those commands back into CLI window.

 

# commit

Enterprise Architect @ Cloud Carib www.cloudcarib.com
ACE (3.0, 5.0, 6.0, 7.0), PCNSE (6, 7), PCNSI
L2 Linker

Re: Feature Request - Security Profile policy

Ok, thanks for the tip. That does have it´s use cases. My most recent scenario was when I wanted to try out the credential url filtering. With my suggestion all I would have had to do was add a sec. profile policy with the test user as source and apply to traffic from trust to untrust. Instead I had to create a clone of the current url filtering profile, add that to multiple (cloned, and added test user as source) security policies for traffic from trust to untrust.

L7 Applicator

Re: Feature Request - Security Profile policy

Hi @mgusta

I understand your point and there are definately some situations where your request could be useful. But personally I think you would also loose some granularity/visibility. For me it is better to choose per security policy rule what inspection should be applied. In addition I normally work work with security Profile groups. If I then need to test/change somethin for a specific user/group I simply clone the existing rule and add the new security profiles.
This also gives you the flexibility to apply different log forwarding profiles to specific rules. Ok this can now in PAN-OS 8 also be done with log gorwarding profile match lists but if you have a lot of specific cases for log forwarding (critical threat alerts-->snmp, traffic to sinkhole zone-->email,wildfiresubmissions to incident management-->http, ...) this will also add some complexity to the forwarding which is in some cases easier to handle with security policies with specific security profiles.

Regards,
Remo
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!