As it stands m firewall looks at rules in a sequential sense and applies rules in that way.
meaning if it reaches a Deny it will immediately cancel a packet (which isn't necessarily bad) but it also means if a rule permits a user to do something interferes with another that denies him something - the user will get access to things they shouldn't.
My question here is can I make rules that follow the logic of "if ___ then ___" instead of the traditional "when__ do___"
Hi @TPalo2809 ,
Yes you can write more granular security policy which will allow only specific traffic request based on the allowed parameters. Now to achieve it, only keeping Source/Dest IP addresses and services based policies won’t help.
You would need to use different features of palo alto firewalls like USER-ID agent, security profiles like URL filtering, Vulnerability/Anti-Spyware profiles, Data Filtering etc. Such Security Profiles helps to allow only specific traffic and also it blocks traffic if any of threat pattern is observed. With USER-ID agent, you can also add user-id based policy where source user will be checked and then it will allow/deny based on the policy action. Palo Alto App-ID helps you to leverage behavioral characteristics and decide to allow/restrict if exact application is not identified.
The best thing about all these features is it gets updated automatically on the palo alto update server. We just need to configure our firewall to download the updated version and install same.
So by leveraging all such features, you can define strict policy set to achieve your requirement. To get more clarity, you can refer this article.
Hope it helps!
The policy sequence already kind of does “if then”...
if match policy 1 then do... if not then next policy...
i would be more granular on your allow as per @SutareMayur and only allow those intended..
if this is not possible then move your more specific deny policy above the allow...
that is why we have policy numbering and the ability to move them up or down...
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!