Security Policy Best Practice

L2 Linker

Security Policy Best Practice

Hello all,

I've read multiple documents from PA and read some on the forums here, but cannot find anything definitive on this.


What I'm trying to find out is what is the best practice/most effective way to configure a Security Policy for filtering. I understand there are several ways to do this, but I've found that the way I've been doing it doesn't always seem to work the best. Are there any issues with the following config?


Create a Security Policy and set the Action to Allow. Set a URL Filtering Profile. Create a Custom URL Category for Allowed URLs. Create a Custom URL Category for Denied URLs. Apply these Custom URL Categories inside the URL Filtering Profile. Set other categories to Deny within the URL Filtering Profile.


If I were to set the Action for a Security Policy to Deny, does that Deny all traffic that matches?


Any advice will be very helpful. Thanks.

Community Manager

Re: Security Policy Best Practice

The action of the security policy works at the network layer, so it interrupts a flow of packets, whereas a security profile interacts with layer7, so a url blocking profile will throw up a blocked page instead of the actual webpage, from the network layer perspective the traffic will act normally


A 'block' security policy will never use security profiles as the packets are blocked before that rule would engage security profiles

Your rule needs to be allow, and with your profiles set, only the allowed custom category urls will be allowed and all others will create block pages for the users



There is an in-between solution, where you apply a custom URL category in the 'services' of the security policy

This works as a sort of ip-lookup and only allow/deny traffic  for the "ips" that match the urls in your custom category



Help the community: Like helpful comments and mark solutions
Reaper out
L4 Transporter

Re: Security Policy Best Practice

Thanks for great explanation.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!