Default Outbound Security Policy

rjdahav163
L3 Networker

Default Outbound Security Policy

Hi Guys,

 

We are setting up an office, and a PA firewall is used as the internet gateway.

The employees will mostly browse the web and use meeting applications like MS Teams etc.

We want to have a generic outbound security policy for the employees for access to internet.

We would like that rule to be application-based (IF POSSIBLE).

So I tried adding "web-browsing" and "ssl" in the rule but that was not sufficient. Many things got blocked.

So I switched to Port 80 and 443 and most of the things are looking better.

However, is there a best practice for a default outbound rule with several applications? Else, I'll need to allow everything and then based on logs add certain applications and ports.

NOTE: I have implemented URL Filtering and other security profiles to that security rule. I am only concerned about what applications and/or ports should be used in this default outbound rule as matching criteria.

Thanks!

Johndbabio1
L1 Bithead

Based on everything I have read so far, applications are the best way to approach the ruleset, due to other applications that can use ports 80 and 443 outbound that shouldn't be getting out. What I would do is create custom rules for a test node (src IP) and watch the applications that go out to make sure you get it right. Also, the ACC tab under Application Usage should give you a good list of apps running on the network.

ximatan
L0 Member

For anyone who wants to connect to the internet, a router is an essential device. As numerous people use routers worldwide, there has to be some identification for each router to help with configuration and troubleshooting. A number called IP address is the identification factor for routers. 192.168.1.1

SutareMayur
L6 Presenter

Hi @rjdahav163 ,

 

It is always better to have App-ID based security policies instead of port-based ones. And if you really don't know which App-IDs should be allowed, you can monitor traffic with port-based policies and see the traffic patterns under the ACC tab. It will give you more clarity. There is one more way to identify the same, i.e. Policy Optimizer. With this, you can see all the App-IDs that were seen in the traffic for each specific policy. You can refer to the article below to get clarity.

 

https://docs.paloaltonetworks.com/best-practices/9-0/best-practices-for-migrating-to-application-bas...

 

Hope it helps!

Mayur S.
MP18
Cyber Elite

@rjdahav163 

 

Which PAN-OS version are you running?

If you are running PAN-OS 9.0, it will show you the applications used on the port-based rule.

Then you can clone the app-based rule above the port-based rule, reset the hit counter on the port-based rule, and monitor whether traffic still hits the port-based rule or not.

This way you can have app-based rules.

 

Regards

MP
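The approach in the replies above (run a port-based catch-all rule first, watch which App-IDs it actually carries, then clone an App-ID rule above it) can be rehearsed offline against exported traffic logs. The script below is an added example written for this thread; it is not Palo Alto code and not code from any poster. The log lines are constructed to mimic a few columns of a PAN-OS traffic-log CSV export (column names `Rule`, `Application`, `Destination Port` are assumed, and the field order is illustrative), the allow-list of App-IDs is an assumption for the office described in the question, and the `set rulebase security rules ...` line it renders reflects the author's understanding of PAN-OS set-command syntax and should be checked against your own version before use.

```python
"""Summarise which App-IDs a port-based outbound rule is really carrying.

Added example for this thread (not Palo Alto's code). SAMPLE_LOG is
CONSTRUCTED: it imitates a few columns of a PAN-OS traffic-log CSV export.
Column names and field order are assumptions, not the product's exact format.
"""
import csv
import io
from collections import Counter, defaultdict

# Constructed sample export. Rule names, hosts and timestamps are invented.
SAMPLE_LOG = """\
Receive Time,Source address,Destination Port,Application,Rule,Action
2023/03/01 09:00:01,10.10.1.15,443,ssl,Outbound-Port-80-443,allow
2023/03/01 09:00:05,10.10.1.15,80,web-browsing,Outbound-Port-80-443,allow
2023/03/01 09:00:09,10.10.1.22,443,ms-teams,Outbound-Port-80-443,allow
2023/03/01 09:00:12,10.10.1.22,443,ssl,Outbound-Port-80-443,allow
2023/03/01 09:00:20,10.10.1.31,443,bittorrent,Outbound-Port-80-443,allow
2023/03/01 09:00:25,10.10.1.31,80,web-browsing,Outbound-Port-80-443,allow
2023/03/01 09:00:30,10.10.1.40,443,ssl,Outbound-Port-80-443,allow
2023/03/01 09:00:33,10.10.1.40,443,unknown-tcp,Outbound-Port-80-443,allow
2023/03/01 09:00:40,10.10.1.15,53,dns,Outbound-DNS,allow
"""

# Assumed allow-list for an office that mainly browses and uses MS Teams.
# Anything on the port-based rule that is NOT here needs a decision, not a
# blanket allow; 'unknown-tcp' in particular should be investigated.
ALLOWED_APPS = {"web-browsing", "ssl", "ms-teams", "dns"}


def parse_traffic_log(text: str) -> list:
    """Parse the CSV export into one dict per session row."""
    return list(csv.DictReader(io.StringIO(text)))


def apps_per_rule(rows) -> dict:
    """Count App-IDs seen per security rule, like the ACC 'application usage' view."""
    per_rule = defaultdict(Counter)
    for row in rows:
        per_rule[row["Rule"]][row["Application"]] += 1
    return per_rule


def classify(app_counts: Counter, allowlist: set):
    """Split the App-IDs seen on one rule into expected and unexpected ones."""
    expected = {app: n for app, n in app_counts.items() if app in allowlist}
    unexpected = {app: n for app, n in app_counts.items() if app not in allowlist}
    return expected, unexpected


def render_app_rule(name: str, apps, src_zone: str, dst_zone: str) -> str:
    """Render the App-ID rule to clone ABOVE the port-based rule.

    'service application-default' keeps each app on its standard ports, which
    is what makes the rule tighter than a plain 80/443 allow. Syntax is the
    author's understanding of PAN-OS set commands; verify on your version.
    """
    app_list = " ".join(sorted(apps))
    return (
        f"set rulebase security rules {name} from {src_zone} to {dst_zone} "
        f"source any destination any application [ {app_list} ] "
        f"service application-default action allow"
    )


def main() -> None:
    rows = parse_traffic_log(SAMPLE_LOG)
    per_rule = apps_per_rule(rows)
    for rule, counts in per_rule.items():
        expected, unexpected = classify(counts, ALLOWED_APPS)
        print(f"rule {rule}: expected={dict(expected)} unexpected={dict(unexpected)}")
    expected, _ = classify(per_rule["Outbound-Port-80-443"], ALLOWED_APPS)
    print(render_app_rule("Outbound-AppID", expected, "trust", "untrust"))


if __name__ == "__main__":
    main()
```

After the App-ID rule is cloned above the port-based one and the port-based rule's hit counter is reset, re-running the same summary on a fresh export shows whether the port-based rule still gets any hits; if the only remaining hits are in the "unexpected" bucket, each of those App-IDs needs an explicit decision before the port-based rule is removed.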