Default Outbound Security Policy


L3 Networker

Hi Guys,


We are setting up an office, and a PA firewall is used as the internet gateway.

The employees will mostly browse the web and use meeting applications like MS Teams, etc.

We want to have a generic outbound security policy for the employees for access to the internet.

We would like to have that rule application-based (IF POSSIBLE).

So I tried adding "web-browsing" and "ssl" to the rule, but that was not sufficient. Many things got blocked.

So I switched to ports 80 and 443, and most things are looking better.

However, is there a best practice for a default outbound rule with several applications? Otherwise, I'll need to allow everything and then, based on logs, add certain applications and ports.

NOTE: I have implemented URL Filtering and other security profiles to that security rule. I am only concerned about what applications and/or ports should be used in this default outbound rule as matching criteria.



L2 Linker

Based on everything I have read so far, applications are the best way to approach the ruleset, because other applications that shouldn't be getting out can use ports 80 and 443 outbound. What I would do is create custom rules for a test node (src IP) and watch the applications that go out to make sure you get it right. Also, the ACC tab under application usage should give you a good list of apps running on the network.

Cyber Elite

Hi @rjdahav163 ,


It is always better to have App-ID based security policies instead of port-based ones. And if you really don't know which App-IDs should be allowed, you can monitor traffic with port-based policies and see the traffic patterns under the ACC tab. It will give you more clarity. There is one more way to identify the same, i.e. Policy Optimizer. With this, you can see which App-IDs were seen in the traffic in each specific policy. You can refer to the article below for clarity.


Hope it helps!




Which PAN-OS version are you running?

If you are running PAN-OS 9.0, it will show you the applications used on the port-based rule.

Then you can clone the app-based rule above the port-based rule, reset the hit counter on the port-based rule, and monitor whether traffic still hits the port-based rule or not.


This way you can have app-based rules.
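The workflow the replies above describe (run the port-based rule, look at which App-IDs it carried, clone an App-ID rule above it, then watch whether anything still falls through to the port rule) can be reproduced offline against a traffic-log CSV export. The script below is an added example, not code from this thread or from Palo Alto Networks; the column names are an assumed, simplified subset of a PAN-OS traffic-log export, and the log lines are constructed.

```python
"""Summarise App-ID usage on a port-based outbound rule from a traffic-log
CSV export, propose the App-ID rule to clone above it, and report which
sessions would still fall through to the port-based rule afterwards.

Added example; not code from the thread or from Palo Alto Networks.
Column names are an assumed, simplified subset of a PAN-OS traffic-log
export, and SAMPLE_LOG is constructed.
"""
import csv
import io
from collections import Counter, defaultdict

# Constructed sample: sessions that matched a port-based rule named
# "outbound-80-443" (assumed name). Real exports carry many more columns.
SAMPLE_LOG = """receive_time,src,dst,dport,rule,app,action
2024/01/10 09:00:01,10.1.1.10,142.250.74.36,443,outbound-80-443,ssl,allow
2024/01/10 09:00:02,10.1.1.10,142.250.74.36,443,outbound-80-443,google-base,allow
2024/01/10 09:00:05,10.1.1.11,52.113.194.132,443,outbound-80-443,ms-teams,allow
2024/01/10 09:00:06,10.1.1.11,52.113.194.132,443,outbound-80-443,ms-teams-audio-video,allow
2024/01/10 09:00:09,10.1.1.12,93.184.216.34,80,outbound-80-443,web-browsing,allow
2024/01/10 09:00:12,10.1.1.13,185.199.108.153,443,outbound-80-443,github-base,allow
2024/01/10 09:00:15,10.1.1.14,198.51.100.7,443,outbound-80-443,bittorrent,allow
2024/01/10 09:00:20,10.1.1.10,142.250.74.36,443,outbound-80-443,ssl,allow
2024/01/10 09:00:21,10.1.1.11,52.113.194.132,443,outbound-80-443,ms-teams,allow
2024/01/10 09:00:30,10.1.1.15,203.0.113.9,443,outbound-80-443,unknown-tcp,allow
"""


def parse_log(text):
    """Return the CSV export as a list of dict rows (one per session)."""
    return list(csv.DictReader(io.StringIO(text)))


def apps_per_rule(rows):
    """Count App-IDs seen on each security rule: the same view that the ACC
    application-usage widget and Policy Optimizer give you in the GUI."""
    out = defaultdict(Counter)
    for r in rows:
        out[r["rule"]][r["app"]] += 1
    return out


def apps_on_port(rows, dport):
    """App-IDs observed on one destination port. On 443 this shows what is
    riding the port besides ssl, which is the reason to prefer App-ID over
    a bare port-based allow."""
    return Counter(r["app"] for r in rows if r["dport"] == dport)


def propose_app_rule(rows, port_rule, min_sessions=1, deny_list=()):
    """App-IDs seen on the port-based rule that are worth carrying into the
    App-ID rule, most frequent first. deny_list holds apps you never want
    outbound on 80/443, so they are not accidentally baked into the new
    allow rule just because the port rule let them through."""
    counts = apps_per_rule(rows)[port_rule]
    return [app for app, n in counts.most_common()
            if n >= min_sessions and app not in deny_list]


def fallthrough(rows, port_rule, allowed_apps):
    """Sessions that would still hit the port-based rule once an App-ID rule
    allowing `allowed_apps` sits above it. This is the offline equivalent of
    resetting the port rule's hit counter and watching whether it still
    increments."""
    allowed = set(allowed_apps)
    return [r for r in rows if r["rule"] == port_rule and r["app"] not in allowed]


def main():
    rows = parse_log(SAMPLE_LOG)
    port_rule = "outbound-80-443"
    print("Apps on tcp/443:", dict(apps_on_port(rows, "443")))
    proposed = propose_app_rule(rows, port_rule,
                                deny_list=("bittorrent", "unknown-tcp"))
    print("Clone an App-ID rule above", port_rule, "allowing:", proposed)
    for r in fallthrough(rows, port_rule, proposed):
        print("still on port rule:", r["src"], "->", r["dst"], r["app"])


if __name__ == "__main__":
    main()
```

Run the fall-through check more than once: a session that still lands on the port-based rule is either a legitimate App-ID you have not added yet (Teams alone spans several App-IDs, as the sample shows) or something that should never have been allowed by a port match and belongs in a deny rule, not in the clone.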


