Policy Rules order

L2 Linker

Hi there,

If we go to the "Policy" tab, we will see 7 different sub tabs. The tabs are:

Security

NAT

QoS

PBF

App Override

Captive Portal

DoS Protection

So I know, for example, that Security rules are always checked before NAT rules, but what about the rest? I spent plenty of time googling for this information but without success.

3 REPLIES

L6 Presenter

Hi,

For security and NAT, it will go in order. My guess is the same for the rest of the sub tabs as well.

So security policy goes from top > bottom until the first match. If NAT is configured, it is the same, from top > bottom. Traffic will be scanned from top > bottom for every sub tab if configured.

L7 Applicator

Do look at the packet flow process noted above. The general flow is:

Routing lookup - This is needed to assign zones and know the egress interface

NAT - This occurs then to get the final IP addresses after NAT

Security policy check - now we have all the information to confirm if the flow is permitted

Deeper inspections - if permitted, we perform any deep inspections applied to the policy

https://live.paloaltonetworks.com/t5/Learning-Articles/Packet-Flow-Sequence-in-PAN-OS/ta-p/56081

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
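
A minimal model of the flow described in the last reply (routing lookup, then NAT, then the security policy check, each rulebase scanned top to bottom until the first match), added here as an example and not taken from the thread or from PAN-OS. The zones, addresses and rule names are constructed, and matching security rules on the pre-NAT address together with the post-NAT zone is an assumption of the model.

```python
from ipaddress import ip_address, ip_network

# Constructed sample config: zones, addresses and rule names are hypothetical.
ROUTES = [("10.1.1.0/24", "dmz"), ("0.0.0.0/0", "untrust")]
NAT_RULES = [  # (name, from_zone, to_zone, original_dst, translated_dst)
    ("web-dnat", "untrust", "untrust", "203.0.113.10", "10.1.1.10"),
]
SECURITY_RULES = [  # (name, from_zone, to_zone, dst_network, action)
    ("allow-web", "untrust", "dmz", "203.0.113.10/32", "allow"),
    ("block-dmz", "untrust", "dmz", "0.0.0.0/0", "deny"),
    ("allow-any", "untrust", "dmz", "0.0.0.0/0", "allow"),  # shadowed by block-dmz
]

def zone_for(addr):
    """Routing lookup: the longest matching prefix decides the zone."""
    hits = [(ip_network(net), zone) for net, zone in ROUTES
            if ip_address(addr) in ip_network(net)]
    return max(hits, key=lambda h: h[0].prefixlen)[1]

def first_match(rules, matches):
    """Scan a rulebase top to bottom and stop at the first matching rule."""
    return next((rule for rule in rules if matches(rule)), None)

def evaluate(src, dst):
    # 1. Routing lookup assigns the zones.
    src_zone, dst_zone = zone_for(src), zone_for(dst)
    # 2. NAT rulebase, first match, yields the final destination address.
    nat = first_match(NAT_RULES, lambda r: r[1:4] == (src_zone, dst_zone, dst))
    final_dst = nat[4] if nat else dst
    # 3. Security rulebase, first match. Assumption of this model: rules are
    #    written against the pre-NAT address and the post-NAT destination zone.
    egress_zone = zone_for(final_dst)
    sec = first_match(SECURITY_RULES, lambda r: r[1:3] == (src_zone, egress_zone)
                      and ip_address(dst) in ip_network(r[3]))
    # action None means no rule matched; default rules are not modelled here.
    return {"nat": nat[0] if nat else None, "final_dst": final_dst,
            "rule": sec[0] if sec else None, "action": sec[4] if sec else None}

if __name__ == "__main__":
    for dst in ("203.0.113.10", "10.1.1.20", "203.0.113.20"):
        print(dst, evaluate("198.51.100.7", dst))
```

The second flow stops at `block-dmz`, so the broader `allow-any` rule below it is never reached: rule order within a rulebase decides the outcome.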