What is policy order inspection on Palo alto?

Not applicable

Hi All,

In the Policy tab there are a few policies like Security, NAT, QoS, PBF, Decryption, Application Override, Captive Portal and DoS Protection. My question is: what is the policy inspection order on Palo Alto? Which policy will Palo Alto look at first?

thanks

Indra

L4 Transporter

My guess:

1 - PBF, because PBF can change the destination zone/interface

2 - NAT, for the same reasons

3 - App Override, because Security policy can rely on it

4 - CP

5 - Security (finally :) )

6 - Decryption

Note that some layers are so connected, I wouldn't be surprised to know that they depend on each other.

1 PBF

2 NAT Precheck (if we have to NAT later)

3 Decryption

4 App Override

5 CP (not 100% sure that CP is at this stage)

6 Security

7 NAT applied

Kind regards

Marco

L6 Presenter

So from the Packet life document we can summarize this as:

1) PBF

2) Regular routing table

3) NAT policy evaluation to determine the egress zone (no actual NAT is happening in this stage)

4) Security policy (captive portal depends on the security policy)

5) NAT translation (conversion of the addresses)

6) SSL decryption

7) App override

8) Second security policy match to block traffic based on applications

9) QoS on the egress interface

Security lookup is done twice: once before app identification and once after app identification.

Not applicable

Hi All,

Why is app override ordered after the security policy? If I'm not wrong, app override will bypass the App-ID engine. If security comes first, it means it will check up to the app layer; please correct me if I'm wrong. Then where is DoS protection, when will the FW inspect it? BTW, for every policy available, must we always create a security policy?

E.g. I want to create a DoS protection policy, so it means I need to create one DoS policy and also a security policy, etc. If there is any document that can make it easier for me to understand, it would be good; the packet flow documentation is not really clear to me.

thanks

Indra Elkim

L4 Transporter

Hi Indra,

As mentioned before, the security policy is processed 2 times, once before the application inspection and once after the application inspection. So after we process the security rule for the first time, it goes and checks the application override rule.

The same should be the case for DoS protection policies.

For example, if you want to create an application override rule from source zone Trust to destination zone Untrust, you still have to create a security policy for the traffic and sessions from the Trust to the Untrust zone. DoS rules also work the same way.

Just make sure: security policy is used to govern traffic within the security zones, except for the fact that PBF and the regular routing table take precedence.

Let me know if that helps.

Regards

Parth
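Added example (not from this thread and not Palo Alto code): a small Python model of the policy order summarized in the packet-flow list above and in this reply, with the security policy evaluated once before and once after the application is known, so that an app override rule only helps when a matching security rule exists. All zones, prefixes, ports, app names and the rule-matching logic are constructed simplifications; decryption and QoS are left out.

```python
# Constructed sample policies: every zone, prefix, port and app name here is hypothetical.
PBF = [{"from": "trust", "dst_prefix": "203.0.113.", "egress_zone": "isp2"}]
ROUTES = [("10.0.", "dmz"), ("", "untrust")]          # longest prefix first; "" is the default route
DST_NAT = [{"from": "trust", "orig_dst": "198.51.100.7", "xlat_dst": "10.0.0.7"}]
APP_OVERRIDE = [{"from": "trust", "to": "dmz", "dport": 8443, "app": "custom-portal"}]
APP_ID_BY_PORT = {22: "ssh", 443: "ssl", 80: "web-browsing"}   # stand-in for App-ID inspection
SECURITY = [
    {"from": "trust", "to": "dmz", "app": "custom-portal", "action": "allow"},
    {"from": "trust", "to": "untrust", "app": "web-browsing", "action": "allow"},
    {"from": "any", "to": "any", "app": "any", "action": "deny"},           # default deny
]

def first_security_match(src_zone, dst_zone, app=None):
    """First rule whose zones match; with app=None (before App-ID) the app column is a wildcard."""
    for rule in SECURITY:
        zones_ok = rule["from"] in ("any", src_zone) and rule["to"] in ("any", dst_zone)
        if zones_ok and (app is None or rule["app"] in ("any", app)):
            return rule
    return None

def evaluate(src_zone, dst_ip, dport):
    """Walk a new flow through the policy order; returns (verdict, egress zone, app, trace)."""
    trace = []
    # 1) PBF is consulted first and can fix the egress zone on its own
    pbf = next((r for r in PBF if r["from"] == src_zone and dst_ip.startswith(r["dst_prefix"])), None)
    if pbf:
        dst_zone = pbf["egress_zone"]; trace.append("pbf")
    else:
        # 2-3) NAT is only pre-evaluated here so the route lookup uses the post-NAT destination
        nat = next((r for r in DST_NAT if r["from"] == src_zone and dst_ip == r["orig_dst"]), None)
        lookup_ip = nat["xlat_dst"] if nat else dst_ip
        dst_zone = next(zone for prefix, zone in ROUTES if lookup_ip.startswith(prefix))
        trace.append("nat-precheck+route" if nat else "route")
    # 4) first security lookup, before any application is known
    rule = first_security_match(src_zone, dst_zone)
    if rule is None or rule["action"] == "deny":
        trace.append("deny:pre-app-id")
        return "deny", dst_zone, None, trace
    # 5) the NAT translation itself would happen here; 6-7) app override skips App-ID
    override = next((r["app"] for r in APP_OVERRIDE if r["from"] == src_zone
                     and r["to"] == dst_zone and r["dport"] == dport), None)
    app = override or APP_ID_BY_PORT.get(dport, "unknown-tcp")
    trace.append("app-override" if override else "app-id")
    # 8) second security lookup, now with the application known
    rule = first_security_match(src_zone, dst_zone, app)
    verdict = rule["action"] if rule else "deny"
    trace.append(f"{verdict}:post-app-id")
    return verdict, dst_zone, app, trace
```

Running `evaluate("guest", "10.0.0.5", 8443)` shows the flow denied at the first security pass before the override rule is ever consulted, while `evaluate("trust", "10.0.0.5", 8443)` is allowed only because the override assigns the app that the Trust-to-DMZ security rule expects.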
