Policy Rules order

Reply
Highlighted
L2 Linker

Policy Rules order

Hi there,

 

if we are going to the tab "Policy" we will see 7 different sub tabs. The tabs are:

 

Security

NAT

QoS

PBF

App Override

Captive Portal

DoS Protection

 

So I know for example that Security rules are always checked before NAT rules but whats about the rest? I spent planty of time google for this information but without success.

L6 Presenter

Re: Policy Rules order

Hi,

 

For the security and NAT it is will go in order. My guess for rest of the sub tabs as well. 

So security policy from top > bottom until first match. If the NAT is configured same from top > bottom. Traffic will be scanned from top>bottom for every sub tabs if configured.

 

Highlighted
L3 Networker

Re: Policy Rules order

Highlighted
L7 Applicator

Re: Policy Rules order

Do look at the packet flow process noted above. The general flow is:

 

Routing lookup -  This is needed to assign zones and know the egress interface

NAT - This occurs then to get the final ip addresses after NAT

Security policy check - now we have all the information to confirm if the flow is permitted

Deeper inspections - if permitted, we perform any deep inspections applied to the policy

 

https://live.paloaltonetworks.com/t5/Learning-Articles/Packet-Flow-Sequence-in-PAN-OS/ta-p/56081

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!