Restrict Any Any from Security Policy


L2 Linker

Hi There,

At one of our sites we fell victim and have the dreaded any any security policy in place. We are trying to determine the best course of action to lock it down.

Would I create tap firewall ports and span all the traffic, then create new rules based on it in tap zones?

Any guides out there to assist for this specific situation?

4 replies

Cyber Elite

Check Monitor tab or run reports to see what applications pass this firewall.

Create rule to permit those applications you want.

You can also create second rule for known bad above any any.

Eventually nothing should hit any any rule and you can remove it.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
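The workflow in the reply above (report on what actually hits the any any rule, write allow rules for the applications you want, put a deny for known bad above the catch-all, and confirm nothing lands on the catch-all before removing it) can be rehearsed offline against a traffic log export. The script below is an added example, not code from the thread or from Palo Alto Networks: it parses a constructed, cut-down CSV with the columns a PAN-OS traffic log export provides (the real export has many more), tallies hits on the catch-all per zone pair and application, proposes an ordered rulebase, and simulates first-match evaluation to show how many flows would still reach the catch-all. The rule name `any-any`, the zone names, the addresses and the `KNOWN_BAD_APPS` set are all assumptions made up for the sample.

```python
import csv
import io
from collections import Counter

# Constructed sample, not a real export: a cut-down traffic log with only the
# columns this script needs. A real PAN-OS traffic log export has many more.
SAMPLE_TRAFFIC_CSV = """\
receive_time,src_zone,dst_zone,src,dst,app,dport,rule,action
2024/01/01 10:00:01,trust,untrust,10.1.1.5,203.0.113.10,web-browsing,80,any-any,allow
2024/01/01 10:00:02,trust,untrust,10.1.1.6,203.0.113.11,ssl,443,any-any,allow
2024/01/01 10:00:03,trust,untrust,10.1.1.5,203.0.113.12,ssl,443,any-any,allow
2024/01/01 10:00:04,trust,dmz,10.1.1.7,192.0.2.20,ms-rdp,3389,any-any,allow
2024/01/01 10:00:05,untrust,dmz,198.51.100.9,192.0.2.20,ssh,22,any-any,allow
2024/01/01 10:00:06,trust,untrust,10.1.1.8,203.0.113.13,dns,53,allow-dns,allow
2024/01/01 10:00:07,untrust,dmz,198.51.100.9,192.0.2.21,telnet,23,any-any,allow
"""

ANY_ANY_RULE = "any-any"      # assumed name of the catch-all rule in the sample
KNOWN_BAD_APPS = {"telnet"}   # assumption: apps the site wants denied outright


def parse_traffic_log(text):
    """Parse the CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def hits_on_rule(rows, rule=ANY_ANY_RULE):
    """Count flows per (src_zone, dst_zone, app) that matched `rule`.
    This is the 'what is actually hitting any any' view from the Monitor tab."""
    counts = Counter()
    for r in rows:
        if r["rule"] == rule:
            counts[(r["src_zone"], r["dst_zone"], r["app"])] += 1
    return counts


def propose_rulebase(hits, known_bad=KNOWN_BAD_APPS):
    """Build an ordered rulebase from the observed hits: denies for known-bad
    apps first, then one allow per observed zone-pair/app, and the original
    catch-all kept last so leftover traffic stays visible in the logs until
    the rule can be removed."""
    denies, allows = [], []
    for (sz, dz, app), n in sorted(hits.items(), key=lambda kv: (-kv[1], kv[0])):
        entry = {"src_zone": sz, "dst_zone": dz, "app": app, "seen": n}
        if app in known_bad:
            denies.append({"name": f"deny-{app}-{sz}-{dz}", "action": "deny", **entry})
        else:
            allows.append({"name": f"allow-{app}-{sz}-{dz}", "action": "allow", **entry})
    catch_all = {"name": ANY_ANY_RULE, "src_zone": "any", "dst_zone": "any",
                 "app": "any", "action": "allow", "seen": 0}
    return denies + allows + [catch_all]


def _matches(rule, row):
    """A rule field of 'any' matches everything; otherwise it must equal the flow's value."""
    return all(rule[k] in ("any", row[k]) for k in ("src_zone", "dst_zone", "app"))


def simulate(rows, rulebase):
    """First-match evaluation of each flow against the proposed rulebase.
    Flows that already matched a specific rule keep matching it (those rules
    are assumed to stay above the new ones); the rest are re-evaluated."""
    outcome = Counter()
    for r in rows:
        if r["rule"] != ANY_ANY_RULE:
            outcome[r["rule"]] += 1
            continue
        for rule in rulebase:
            if _matches(rule, r):
                outcome[rule["name"]] += 1
                break
    return outcome


if __name__ == "__main__":
    rows = parse_traffic_log(SAMPLE_TRAFFIC_CSV)
    hits = hits_on_rule(rows)
    print("flows currently landing on the catch-all, by zone pair and app:")
    for (sz, dz, app), n in hits.most_common():
        print(f"{n:4d}  {sz} -> {dz}  {app}")
    rulebase = propose_rulebase(hits)
    print("proposed rule order:")
    for i, rule in enumerate(rulebase, 1):
        print(f"{i}. {rule['name']:28s} {rule['action']}")
    print("flows that would still land on the catch-all:",
          simulate(rows, rulebase)[ANY_ANY_RULE])
```

The proposed rules are deliberately narrow (one zone pair and one application each); the point of the simulation is that once every observed flow has a specific rule, the catch-all's hit count drops to zero, which is the signal the reply describes for removing it. On a real export you would run this against weeks of logs, not seven lines, and review each proposed allow before committing anything.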

L2 Linker

This article looks promising: https://popravak.wordpress.com/2014/08/27/palo-alto-ngfw-use-case-one-monitoring-traffic-tap-mode/

It's unfortunate now I can't identify zones too easily. But I can make intelligent guesses based on source/dest IPs.

Can you explain if Palo is in place and inline already as firewall or you have some legacy firewall and you want to put Palo into tap mode to listen what is going on?

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Cyber Elite

As @Raido_Rattameister said, you need to slowly start chipping away at the rule by monitoring what's actually hitting the any any rule. Eventually it will get to the point where you can delete it and use it as a learning experience of "this is why you don't do it like this, it took me weeks to fix it". Have fun!

edit: You do realize that if you put it in tap mode you can't act on the traffic, right?
