- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
06-01-2023 07:07 AM
Hi!
I have a pretty basic question that I couldn't find the answer to - am hoping that someone could help me understand this.
Let's say I have a security rule:
Rule 1: src=192.168.1.0/24, Dst=192.168.2.0/24, Svc=Any, Action=Allow, Security Profile=Antivirus, URL Filter (which blocks Gambling sites)
Rule 2: src=192.168.1.100, Dst=192.168.2.100, Svc=https, Action=Allow, no security profiles associated
Rule 3: Any-Any-Any Drop
Would Rule 2 ever get hit at all?
I was thinking that traffic from 192.168.1.100 to 192.168.2.100 with no URL info would still hit Rule 2, but maybe my understanding is wrong?
In addition, I'm a little confused about what Action=Allow or Action=Deny does, when URL filters are configured.
If you have a rule with Action=Allow and URL filtering blocking Gambling sites, and another rule with Action=Deny, same src/dst and URL filtering also blocking Gambling sites, what is the difference between the behavior of these 2 rules?
Thanks!
06-01-2023 09:49 AM
Hello,
The Palo Alto reads policies from top down then left to right. What this means is that all the configured options have to match before the firewall takes action. Once it takes action, it stops evaluating all other policies on that specific traffic. So based on your policies, if 192.168.2.100 is a gambling site, then no it will not be hit/used as the above policy would be hit first. If that IP is not a gambling site, then it is possible that the second policy could get hit/used.
As for the actions:
Hope this helps!
06-01-2023 11:00 AM - edited 06-01-2023 11:02 AM
Thank you!
So just to be sure - let's say I have https traffic going from 192.168.1.100 to 192.168.2.100 (and 192.168.2.100 is NOT a gambling site), it would not hit the 1st rule, but would hit the 2nd rule. And if the 2nd rule did not exist, then this traffic would have been dropped by the last rule. Correct?
And for the 2nd part of my query, allow me to clarify: I was asking about the Action on the rule itself, not the action within the URL filtering profile.
If you have a rule with Action=Allow (this is the rule action, not on the profile) and URL filtering blocking Gambling sites, and another rule with Action=Deny (this is the rule action, not on the profile), same src/dst and URL filtering also blocking Gambling sites, what is the difference between the behavior of these 2 rules?
Like, how does the action on the rule itself play along with the URL filtering profile?
e.g.
Rule has action=allow, URL filtering is blocking only gambling sites.
Rule has action=drop, URL filtering is blocking only gambling sites.
What would be the expected behavior for the 2 scenarios above?
Thanks!
(Oh and if you could point me to the reference docs that talks about these scenarios in detail, I would be most happy!)
06-01-2023 11:12 AM
Hello,
The one thing I forgot to ask was is if the URL filter in the first policy only Gambling sites? If yes, then it would hit the second rule and if the second rule did not exist, it would hit the DENY ALL rule. If you have other URL categories as allowed, then the first rule would be hit if the site is not a gambling site.
As for the second question. If you have URL filtering and some categories are denied but the overall policy is Allow, the any traffic that goes to any of the URL's that are blocked, will be blocked and the rest will be allowed. example: xxx.com is blocked and google.com is allowed via URL filters and the policy is set to Allow.
Hope that makes sense.
06-01-2023 11:15 AM
Here are a few links:
Security policy fundamentals
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClWZCA0
URL filtering implementation and troubleshooting
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRZCA0
06-01-2023 11:20 AM
Thank you so much!! U have been extremely helpful.
In relation to your reply to the 2nd question, you mentioned:
If you have URL filtering and some categories are denied but the overall policy is Allow, the any traffic that goes to any of the URL's that are blocked, will be blocked and the rest will be allowed. example: xxx.com is blocked and google.com is allowed via URL filters and the policy is set to Allow.
How about if the overall policy is set to Drop? Does it just mean:
- Let's say we have URL filtering set to allow all categories but drop gambling sites.
- traffic is going to gambling site --> drop
- traffic going to other sites --> also drop
- traffic with no URL - doesn't match this rule at all, proceed to next rule
Is this the right understanding?
06-01-2023 11:24 AM
Hello,
You are correct on on both statements. Looks like you have a pretty good grasp of the fundamentals.
Cheers!
06-02-2023 02:30 AM
Thank you! So sorry to trouble you again, I really wanted to understand this in much more detail.
So you mentioned early on:
Palo Alto reads policies from top down then left to right. What this means is that all the configured options have to match before the firewall takes action. Once it takes action, it stops evaluating all other policies on that specific traffic.
So again with this set of rules:
Rule 1: src=192.168.1.0/24, Dst=192.168.2.0/24, Svc=Any, Action=Allow, Security Profile=Antivirus, URL Filter (which blocks Gambling sites)
Rule 2: src=192.168.1.100, Dst=192.168.2.100, Svc=tcp/443, Action=Allow, no security profiles associated
Rule 3: Any-Any-Any Drop
What are all the scenarios that would cause a packet to match Rule 2?
I have thought of one:
If I have traffic from 192.168.1.100 to 192.168.2.100, tcp/443 and does not have any URL info in it (because it's not website traffic), it would not match the 1st rule but would match the 2nd rule, right?
And if so, may I say that only traffic/packets that have URL information would match the 1st rule (assuming src/dst/svc matches); traffic that do NOT have URL information (assuming src/dst/svc matches too) would NOT match the 1st rule?
Thanks again!
06-02-2023 02:35 AM
To add on to my previous reply, I was also doing more research into Security Profiles in general.
Security Profiles (paloaltonetworks.com) states:
When traffic matches the allow rule defined in the security policy, the security profile(s) that are attached to the rule are applied for further content inspection rules such as antivirus checks and data filtering.
Security profiles are not used in the match criteria of a traffic flow. The security profile is applied to scan traffic after the application or category is allowed by the security policy.
So if my understanding of the above is correct, it would mean that Rule 2 would never get hit...? Because even if you have a packet going from 192.168.1.100 to 192.168.2.100 (tcp/443) without any URL information, it would still match the 1st rule..?
Rule 1: src=192.168.1.0/24, Dst=192.168.2.0/24, Svc=Any, Action=Allow, Security Profile=Antivirus, URL Filter (which blocks Gambling sites)
Rule 2: src=192.168.1.100, Dst=192.168.2.100, Svc=tcp/443, Action=Allow, no security profiles associated
Rule 3: Any-Any-Any Drop
06-02-2023 08:39 AM
Hello,
If the traffic matched on rule 1 then rule 2 and 3 would not get hit. However there could be scenarios where the traffic does not match rule 1 but matches rule 2.
Hope that makes sense.
06-02-2023 09:18 AM
Thank you! Could you please describe those scenarios where the traffic would not match rule 1 but would still match rule 2? In my previous message, I don't think I really fully understood this line in the Palo user guide that says:
"Security profiles are not used in the match criteria of a traffic flow. The security profile is applied to scan traffic after the application or category is allowed by the security policy."
06-02-2023 09:29 AM
Hello,
Since I didnt read the rules correctly (my bad) and you have Svc=Any, the second rule could be a 'shadow policy'. So it would not be hit. In the newer version of the code, there are 'hit' counters on the policies and it allows you to see ones not used. This is a useful tool to help weed out the policies that can potentially be 'disabled' and eventually deleted.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClWZCA0#A7
Regards,
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!