Clarification on how PA process Security profile with applied Service/URL Category

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Clarification on how PA process Security profile with applied Service/URL Category

L0 Member

Hi All,

 

I have a quick question and hopefully someone can help me understand how security profile is processed by PA.

 

I understand that security profile is processed from left to right, then top to bottom. My question is, does all criteria need to match so that the traffic will match the rule? Is the logic used by PA is AND or OR?

 

  1. Source and destination address
  2. Source ports and destination ports
  3. Applications
  4. User-ID
  5. URL category
  6. Source and destination zones

 

 

1 REPLY 1

L5 Sessionator

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVHCA0

 

This explains how PAN device handles packet and each feature works.

At beginning of section 3, it says...

A  firewall session consists of two unidirectional flows, each uniquely identified. In PAN-OS ’s implementation, the firewall identifies the flow using a 6-tuple key:
  • Source and destination addresses: IP addresses from the IP packet. 
  • Source and destination ports:  Port numbers from TCP/UDP protocol headers.  For non-TCP/UDP, different  protocol  fields are used (e.g. for ICMP the ICMP identifier and sequence numbers are used, for IPSec terminating on device the Security Parameter Index (SPI) is used, and for unknown, a constant reserved value is used to skip Layer-4 match).
  • Protocol: The IP protocol number from the IP header is used to derive the flow key .  
  • Security zone: This field is derived from the ingress interface at which a packet arrives.

 

Other elements you are listing are used after few more packets are traversed.

Hope this helps you.

  • 542 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!