What is policy order inspection on Palo alto?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

What is policy order inspection on Palo alto?

Not applicable

Hi All,

in policy tab there are a few policy like security, NAT, Qos, PBF, Decryption, Application override, captive portal and DOS protection. my question is what is policy order inspection on Palo alto.which policy palo alto will look first?

thanks

Indra

1 accepted solution

Accepted Solutions
6 REPLIES 6

L4 Transporter

my guess :

1 - PBF because PBF can change destination Zone/internface

2 - NAT for same reasons

3 - App override because Security policy can rely on it

4 - CP

5 - Security (finally Smiley Happy

6 - Decryption

Note that some layers are so connected, I wouldn't be surprised to know that they depend on each other.

1 PBF

2 NAT Precheck (if we have to NAT later)

3 Decryption

4 App Override

5 CP (not 100% sure that CP is at this stage)

6 Security

7 NAT applied

Kind regards

Marco

L6 Presenter

So from the Packet life document we can summarize this as

1)PBF

2)Regular Routing table

3)Nat policy evaluation to determine egress zone ( not actual nat is happening in this stage)

4)Security policy  (captive portal depends on the security policy)

5)Nat translation (conversion of the addresses)

6)Ssl decryption

7)App override

8)Second security policy match to block traffic beasd on applications.

9)Qos on the egress interface.

Security look up is done twice one before app identification and another app identification.

Not applicable

HI All

why app override order after security policy? if i'm not wrong, with app override will bypass app id engine. if security come first mean will check till app layer please correct me if im wrong then where is DOS proection when fw will inspect? btw for every policy available we always must to create security policy?

ex. i want to create DOS protection policy so mean need to create on DOS policy and also on security policy, etc. if got any document that can make me easily to understand it would be good, for packet flow documentation its not really clear for me.

thanks

Indra Elkim

L4 Transporter

Hi Indra,

As mentioned before the security policy are processed 2 times, one before the application inspection and one after the application inspection. So after we process the security rule for the first time it goes and check the application over-ride rule

Same should be the case of DOS protection policies.

For example, if you want to create an application over-ride rule from source zone :-Trust to Destination zone:-Untrust , you still have to create a security policy for the traffic and sessions from Trust to untrust zone. DOS rules also works the same way.

Just make sure, Security policy is used to govern traffic within the security zones except the fact that PBF,regular routing table takes precedence .

Let me know if that helps.

Regards

Parth

  • 1 accepted solution
  • 8139 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!