04-24-2026 01:49 AM
Hi everyone,
I’m new to the Palo Alto Networks community and currently learning my way around firewall policy design and general architecture concepts.
Right now I’m trying to better understand how experienced engineers approach things like:
I’m still at the learning stage, so I’m focusing on building good habits early rather than just making things work.
If anyone has advice, common mistakes to avoid, or recommended learning paths, I’d really appreciate it.
Looking forward to learning from the community and gradually improving my understanding.
Thanks in advance!
04-25-2026 06:21 PM - edited 04-25-2026 06:29 PM
Hi @hellencharless54 ,
I love your focus on "building good habits"! Let me share what works for me:
"structuring security policies in a clean and scalable way"
I like to group similar rules together: inbound, DMZ, outbound, etc. That works for me. The Day 1 Configuration even has tags for Inbound, Outbound, Internal, etc. These tags make the grouping easy. You could even use the Group Rules By Tag field and the Rulebase By Groups option on the bottom to view only sections of the security policy at a time.
Use a whitelist (only allow specific traffic) whenever possible, but for outbound traffic an allow all rule coupled with a blacklist is more manageable. An outbound whitelist can be done for critical assets.
"balancing simplicity vs. granularity in rule design"
The security policy rule should be specific enough to allow only the desired traffic. If you want to allow SQL traffic to MS SQL servers, you should include the destination zone, destination objects, mssql-db application, and application-default service as a minimum. You could also include source zones, subnets, or even users if you have User-ID. A more specific rule is more secure.
Here are some other rules I have for rules:
'avoiding “rule sprawl” in growing environments'
This is a great place to start. https://docs.paloaltonetworks.com/best-practices
Some good sections for you are "Security Policy Best Practices," "Internet Gateway Best Practice Security Policy," and "Data Center Best Practice Security Policy." There is even a section on "avoiding rulebase bloat" under Security Policy Best Practices > Security Policy Rulebase Best Practices. If much of the configuration matches in separate rules, it may be good to combine them.
"and best practices for maintaining visibility without overcomplicating configs"
Every rule should have logging configured unless there is a specific reason not to log. If you create a Log Forwarding profile named "default", it will be automatically added to a new rule. The Day 1 Configuration has this group.
Every allow rule should have a security profile configured. If you create a Security Profile Group named "default", it will be automatically added to a new rule. The Day 1 Configuration has this group.
When you configure a new NGFW, start with the Day 1 Configuration. You will find it on the CSP portal under Products > Assets with the icons.
Run a BPA on your NGFW for additional recommendations. I generally agree with 1/2 of the recommendations. Know your own security policy, and which ones make sense to you. Instructions for the BPA can be found on the Best Practices page.
Once you have built new habits, they are easier to maintain.
Thanks,
Tom
Edit: @kiwi 's comments to your other post are great! I added a few there also. https://live.paloaltonetworks.com/t5/general-topics/beginner-question-best-way-to-structure-policy-d...
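Several of the habits in the reply above (log every rule, attach a security profile group to every allow rule, tag rules so they can be grouped, and combine rules whose match criteria are identical to avoid rulebase bloat) can be checked mechanically. The following is an added example, not code from the reply or from any Palo Alto Networks tool: it models a constructed, PAN-OS-style rulebase as plain dicts (the field names and sample rules are assumptions for illustration, not a real export format) and flags the hygiene problems the reply describes, plus a simple shadowing check, since a deny rule placed below a broader allow rule never matches.

```python
"""Rulebase hygiene checker (added example; field names and sample rules are constructed)."""
from collections import defaultdict

# Constructed sample rulebase. Field names loosely mirror the PAN-OS policy
# editor columns, but this is a hypothetical model, not a firewall export.
SAMPLE_RULES = [
    {"name": "allow-mssql-to-db", "from": ["trust"], "to": ["dmz"],
     "source": ["any"], "destination": ["db-servers"], "application": ["mssql-db"],
     "service": "application-default", "action": "allow",
     "log_forwarding": "default", "profile_group": "default", "tags": ["Internal"]},
    {"name": "allow-mysql-to-db", "from": ["trust"], "to": ["dmz"],
     "source": ["any"], "destination": ["db-servers"], "application": ["mysql"],
     "service": "application-default", "action": "allow",
     "log_forwarding": "default", "profile_group": "default", "tags": ["Internal"]},
    {"name": "outbound-any", "from": ["trust"], "to": ["untrust"],
     "source": ["any"], "destination": ["any"], "application": ["any"],
     "service": "any", "action": "allow",
     "log_forwarding": None, "profile_group": None, "tags": ["Outbound"]},
    {"name": "deny-known-bad", "from": ["trust"], "to": ["untrust"],
     "source": ["any"], "destination": ["blocklist-edl"], "application": ["any"],
     "service": "any", "action": "deny",
     "log_forwarding": "default", "profile_group": None, "tags": []},
]

# Match criteria used to decide whether two rules could be combined.
MERGE_FIELDS = ("from", "to", "source", "destination", "service", "action")


def lint_rule(rule):
    """Return the hygiene findings for one rule (empty list means clean)."""
    findings = []
    if not rule.get("log_forwarding"):
        findings.append("no log forwarding profile")
    if rule["action"] == "allow" and not rule.get("profile_group"):
        findings.append("allow rule without security profile group")
    if rule["action"] == "allow" and rule["application"] == ["any"] and rule["service"] == "any":
        findings.append("broad allow: application any and service any")
    if not rule.get("tags"):
        findings.append("untagged rule (cannot be grouped by tag)")
    return findings


def lint_rulebase(rules):
    """Map rule name -> findings, keeping only rules that have at least one."""
    report = {r["name"]: lint_rule(r) for r in rules}
    return {name: found for name, found in report.items() if found}


def merge_key(rule):
    # Everything except name, application and tags: rules sharing this key
    # differ only in application and are candidates for a single combined rule.
    return tuple(
        (f, tuple(sorted(rule[f])) if isinstance(rule[f], list) else rule[f])
        for f in MERGE_FIELDS
    )


def find_merge_candidates(rules):
    """Groups of rule names whose match criteria are identical apart from application."""
    groups = defaultdict(list)
    for rule in rules:
        groups[merge_key(rule)].append(rule["name"])
    return [names for names in groups.values() if len(names) > 1]


def covers(wide, narrow):
    """True when list-valued field `wide` matches everything `narrow` does."""
    return wide == ["any"] or set(narrow) <= set(wide)


def find_shadowed(rules):
    """(rule, earlier_rule) pairs where an earlier rule matches everything the later one would."""
    shadowed = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            fields_covered = all(
                covers(earlier[f], rule[f])
                for f in ("from", "to", "source", "destination", "application")
            )
            service_covered = earlier["service"] in ("any", rule["service"])
            if fields_covered and service_covered:
                shadowed.append((rule["name"], earlier["name"]))
                break  # report the first shadowing rule only
    return shadowed


if __name__ == "__main__":
    for name, found in lint_rulebase(SAMPLE_RULES).items():
        print(f"{name}: {', '.join(found)}")
    print("merge candidates:", find_merge_candidates(SAMPLE_RULES))
    print("shadowed rules:", find_shadowed(SAMPLE_RULES))
```

Run against the constructed rulebase, this reports that outbound-any has no logging, no profile group and an any/any match; that deny-known-bad is untagged and is shadowed by outbound-any (so it would need to move above it); and that the two database rules could be one rule with both applications. The shadowing check is deliberately conservative: it treats only an exact "any" or a superset of named objects as covering, and does not resolve address groups or application containers, so a real rulebase review should still rely on the BPA and the documentation linked above.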
04-25-2026 06:58 PM
Hi @hellencharless54 ,
"recommended learning paths"
It's free!
Thanks,
Tom