Feature Request - Security Profile policy


L2 Linker

Hi,

 

One thing about configuring security profiles is that when I want to change a security profile, there are so many security rules to update with the correct profile. I know I can change the profile itself and all policies using that profile will be affected, but that is not always what I want. In my view it would be much better to place security profiles in their own policies - like decryption, authentication etc. Then we can add the profile to exactly the type of traffic we want without needing to bother with what security rule that traffic hits. What do you think?

 

 


Cyber Elite

It is easy to do in CLI.

 

> set cli config-output-format set

> configure

# show rulebase security | match "profile-setting group"

 

Copy output to Notepad.

Find and replace all old security profile names with the new one.

And paste those commands back into the CLI window.

 

# commit

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
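The find-and-replace step from the reply above, as an added example that is not part of the original post: it swaps the profile group only where the group token matches exactly, so rule names or other groups that merely contain the old name are left alone, and it can be limited to chosen rules. The line format `set rulebase security rules <rule> profile-setting group <group>` is assumed, and the rule and group names in `SAMPLE` are constructed.

```python
import re

# Assumed set-format line, e.g.:
#   set rulebase security rules "Web out" profile-setting group Strict
LINE_RE = re.compile(
    r'^(?P<head>set rulebase security rules (?P<rule>"[^"]+"|\S+) '
    r'profile-setting group )(?P<group>"[^"]+"|\S+)\s*$'
)

def _unquote(tok):
    return tok[1:-1] if tok.startswith('"') and tok.endswith('"') else tok

def _quote(tok):
    # Names containing whitespace must be quoted when pasted back.
    return f'"{tok}"' if re.search(r"\s", tok) else tok

def swap_profile_group(lines, old, new, only_rules=None):
    """Return the set commands that move rules from group `old` to `new`.

    only_rules: optional set of rule names to change; None means every
    rule whose profile group is exactly `old`.
    """
    out = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a profile-setting line, nothing to paste back
        rule, group = _unquote(m["rule"]), _unquote(m["group"])
        if group != old:
            continue  # exact match only: "Strict-Test" is not "Strict"
        if only_rules is not None and rule not in only_rules:
            continue
        out.append(m["head"] + _quote(new))
    return out

# Constructed sample of the filtered "show rulebase security" output.
SAMPLE = [
    'set rulebase security rules "Web out" profile-setting group Strict',
    'set rulebase security rules Strict-DNS profile-setting group Strict-Test',
    'set rulebase security rules Guest-out profile-setting group Strict',
    'set rulebase security rules Mgmt profile-setting group Alert-Only',
]

if __name__ == "__main__":
    # Review these lines before pasting them into configure mode.
    for cmd in swap_profile_group(SAMPLE, "Strict", "Strict-v2"):
        print(cmd)
```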

OK, thanks for the tip. That does have its use cases. My most recent scenario was when I wanted to try out the credential URL filtering. With my suggestion all I would have had to do was add a sec. profile policy with the test user as source and apply it to traffic from trust to untrust. Instead I had to create a clone of the current URL filtering profile and add that to multiple (cloned, with the test user added as source) security policies for traffic from trust to untrust.

Hi @mgusta

I understand your point and there are definitely some situations where your request could be useful. But personally I think you would also lose some granularity/visibility. For me it is better to choose per security policy rule what inspection should be applied. In addition I normally work with security profile groups. If I then need to test/change something for a specific user/group I simply clone the existing rule and add the new security profiles.
This also gives you the flexibility to apply different log forwarding profiles to specific rules. OK, this can now in PAN-OS 8 also be done with log forwarding profile match lists, but if you have a lot of specific cases for log forwarding (critical threat alerts --> SNMP, traffic to sinkhole zone --> email, WildFire submissions to incident management --> HTTP, ...) this will also add some complexity to the forwarding, which is in some cases easier to handle with security policies with specific security profiles.

Regards,
Remo