Security Policies - Terminology

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Security Policies - Terminology

Not applicable

I am coming from a Checkpoint environment and I am struggling with some of the terminology. I see a number of references in the Getting Started and the Administrator's guides to "Security Policies". To me this implies that I can create a number of policies but it looks like in fact there is only one policy per box and the policy has multiple rules.  Am I missing something? Can you create, save and later apply different policies with distinct sets of rules? 

Thanks,

Jim

1 accepted solution

Accepted Solutions

L4 Transporter

Hello,

If all you're trying to do is to save distinct rulebase configurations, first save the current configuration then make whatever rulebase changes required and save the new configuration. Load this new config to the device as/when needed.

You can save the configuration under Device tab-->Setup-->Operations--->save config snapshot.

Hope that helps,

Aditi

View solution in original post

8 REPLIES 8

L5 Sessionator

Hi Jim,

Welcome in PaloWorld 🙂

Security policy is like in all firewall, a rule which, based criteriun (source / Dest + User laptop profile ) allow or block your traffic

Security profile are type of analyse (antivirus, spyware, malware ..)  that you will apply on allowed traffic.

Make sense ?

v.

L5 Sessionator

Look this doc, it's a good document for starting with palo: https://live.paloaltonetworks.com/docs/DOC-4214

Not applicable

Vince,

   Thanks.I have read the Getting Started Guide but I am still confused. is it accurate that there is only one security policy or can you create, save and later apply different policies with distinct sets of rules? I was thinking that for instance on the Policies tab I could create and name multiple policies but it looks like the + button is the only add and it is to add rules not new overall policies. Again sorry if this is not making sense as it comes from a different perspective.

thanks,

Jim

Maybe I don't understand what you are calling overall policies ..

If you try to find like policy separator, it doesn't exist in palo, in palo, it's done throught tags and use the research bar (on top) for showing only rule you want.

v.

L4 Transporter

Each policy rule is a separate, individual policy. There is no way to group rules together under a singular policy. They are like individual ACLs. They are recognized in the order that they are organized,  all traffic that is coming from the source zone to the destination zone is inspected to see if it matches the rule. As Vince said, there are "security profiles" that are created in the objects tab that can be grouped using "security profile groups" and attached to the policy rules but they are part of the policy rule.

The following DOC may help you understand:

https://live.paloaltonetworks.com/docs/DOC-1628

The inherent vice of capitalism is the unequal sharing of blessings; the inherent virtue of socialism is the equal sharing of miseries.

L4 Transporter

Hello,

If all you're trying to do is to save distinct rulebase configurations, first save the current configuration then make whatever rulebase changes required and save the new configuration. Load this new config to the device as/when needed.

You can save the configuration under Device tab-->Setup-->Operations--->save config snapshot.

Hope that helps,

Aditi

Thanks. That's what I was looking for. I appreciate everyone's input.

Jim

  • 1 accepted solution
  • 3134 Views
  • 8 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!