About minamikaze

Thank you! Could you please describe those scenarios where the traffic would not match rule 1 but would still match rule 2? In my previous message, I don't think I really fully understood this line in the Palo user guide that says: "Security profiles are not used in the match criteria of a traffic flow. The security profile is applied to scan traffic after the application or category is allowed by the security policy." ... View more

To add on to my previous reply, I was also doing more research into Security Profiles in general.   Security Profiles (paloaltonetworks.com) states: When traffic matches the allow rule defined in the security policy, the security profile(s) that are attached to the rule are applied for further content inspection rules such as antivirus checks and data filtering. Security profiles are not used in the match criteria of a traffic flow. The security profile is applied to scan traffic after the application or category is allowed by the security policy.   So if my understanding of the above is correct, it would mean that Rule 2 would never get hit...? Because even if you have a packet going from 192.168.1.100 to 192.168.2.100 (tcp/443) without any URL information, it would still match the 1st rule..?   Rule 1: src=192.168.1.0/24, Dst=192.168.2.0/24, Svc=Any, Action=Allow, Security Profile=Antivirus, URL Filter (which blocks Gambling sites) Rule 2: src=192.168.1.100, Dst=192.168.2.100, Svc=tcp/443, Action=Allow, no security profiles associated Rule 3: Any-Any-Any Drop ... View more

Thank you! So sorry to trouble you again, I really wanted to understand this in much more detail. So you mentioned early on: Palo Alto reads policies from top down then left to right. What this means is that all the configured options have to match before the firewall takes action. Once it takes action, it stops evaluating all other policies on that specific traffic.   So again with this set of rules: Rule 1: src=192.168.1.0/24, Dst=192.168.2.0/24, Svc=Any, Action=Allow, Security Profile=Antivirus, URL Filter (which blocks Gambling sites) Rule 2: src=192.168.1.100, Dst=192.168.2.100, Svc=tcp/443, Action=Allow, no security profiles associated Rule 3: Any-Any-Any Drop   What are all the scenarios that would cause a packet to match Rule 2?   I have thought of one: If I have traffic from 192.168.1.100 to 192.168.2.100, tcp/443 and does not have any URL info in it (because it's not website traffic), it would not match the 1st rule but would match the 2nd rule, right?   And if so, may I say that only traffic/packets that have URL information would match the 1st rule (assuming src/dst/svc matches); traffic that do NOT have URL information (assuming src/dst/svc matches too) would NOT match the 1st rule?   Thanks again! ... View more

Thank you so much!! U have been extremely helpful. In relation to your reply to the 2nd question, you mentioned: If you have URL filtering and some categories are denied but the overall policy is Allow, the any traffic that goes to any of the URL's that are blocked, will be blocked and the rest will be allowed. example: xxx.com is blocked and google.com is allowed via URL filters and the policy is set to Allow.    How about if the overall policy is set to Drop? Does it just mean: - Let's say we have URL filtering set to allow all categories but drop gambling sites. - traffic is going to gambling site --> drop - traffic going to other sites --> also drop - traffic with no URL - doesn't match this rule at all, proceed to next rule   Is this the right understanding?   ... View more

Thank you! So just to be sure - let's say I have https traffic going from  192.168.1.100 to 192.168.2.100 (and 192.168.2.100 is NOT a gambling site), it would not hit the 1st rule, but would hit the 2nd rule. And if the 2nd rule did not exist, then this traffic would have been dropped by the last rule. Correct?   And for the 2nd part of my query, allow me to clarify: I was asking about the Action on the rule itself, not the action within the URL filtering profile. If you have a rule with Action=Allow (this is the rule action, not on the profile) and URL filtering blocking Gambling sites, and another rule with Action=Deny (this is the rule action, not on the profile), same src/dst and URL filtering also blocking Gambling sites, what is the difference between the behavior of these 2 rules? Like, how does the action on the rule itself play along with the URL filtering profile? e.g.  Rule has action=allow, URL filtering is blocking only gambling sites.  Rule has action=drop, URL filtering is blocking only gambling sites. What would be the expected behavior for the 2 scenarios above? Thanks!   (Oh and if you could point me to the reference docs that talks about these scenarios in detail, I would be most happy!)   ... View more