This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Security Policy Granular to Address Group?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Security Policy Granular to Address Group?

catrock
L2 Linker

‎11-11-2018 02:53 PM - edited ‎11-11-2018 02:54 PM

I have a group of computers that I want to apply a different security policy with a different Security Profile to.

 

I have created 2 Security policies.

The first policy = Internet Out allow any -  Trusted Zone to Untrusted Zone with the default 'basic file blocking' Security profile.

The second policy = Internet Out allow any  - Trusted Zone with Source Address = Test_Group (specific group of computers) and a 'special file blocking' Security profile.

 

The policies don't seem to granulary apply. Meaning, the Top policy always applies to ALL Outgoing computers.

 

I recently added a Negate Source in the first policy to see if it would allow the 'special group' of computers to pass over the first policy and have the second policy apply to them.  This may have resolved my desired policy application results?

 

If not - what could I be missing?

Thanks in advance.

 

 

 

0 Likes Likes
4 REPLIES 4

Remo
L7 Applicator

‎11-11-2018 03:32 PM

Hi @catrock

 

The firewall always evaluates the policies top>down. So you need to place the more granular rule (the one with the specific source addresses) above the rule with the general access for your trust zone.

0 Likes Likes

catrock
L2 Linker
In response to Remo

‎11-19-2018 06:37 AM - edited ‎11-19-2018 06:38 AM

Thank you @Remo

 

My policy's are as such in the attached image.

catPturepl67.JPG

Should work as desired - yes?

 

0 Likes Likes

pulukas
L7 Applicator
In response to catrock

‎11-22-2018 06:26 AM

Yes, that seems to be correct.

 

What is the less strict address object?

 

And what does the session logs show for the unexpectedly permitted traffic in the details?

 

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
0 Likes Likes

catrock
L2 Linker
In response to pulukas

‎12-07-2018 06:39 AM

Hello,

The Less_Strict_Object is a member of a Less_Strict_addy_grp that will be used to allow different secuity Profle group settings.

There is only 1 computer in this group - it is define by a single IP.  I did have the IP address (defined in the object) 'ip netmask using a CIDR (192.168.0.23/24).  I have removed the /24 from it to test further (192.168.0.23)

Specifically, I am trying to use it to allow my mac to download VMWare fusion updates that are TAR/other that I don't want other computers to be able to download.

 

BTW: the policy order still doesn't seem to be working properly.

 

0 Likes Likes
  • 2884 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks