Palo Alto: Security Zones, Profiles and Policies (Rules)

Summary:
Security policies (rules) on the Palo Alto firewalls are intended to narrow our threat surface. As a firewall administrator or technician, please keep in mind that:
  1. Palo Alto Networks firewalls organize traffic into what they call security zones, based on where user and system traffic is coming from and going to.
  2. Traffic is processed by the security policy in a top-down, left-to-right fashion: the first rule that matches is applied.

Note:
You must have security admin permissions and access to your firewall virtual system (vsys) in order to adjust security policies and profiles. Speak to your local firewall admin, or contact cybersecurity@cio.wisc.edu, if you require access.

This document is meant as a high-level intro to security profiles and policies. You can find KB articles with more technical specifics on security profiles and on security policies.

Security Zones:

Suggestion: Create a tag to assign for each zone for easy management (Navigate to Objects > Tags)

Narrow our threat surface through network segmentation into security zones.

Understand what data access is needed and what is not needed

Use the principle of least privilege

Consider compliance and institutional policy requirements

Internal traffic traverses zones (one zone can cover multiple network interfaces and VLANs).

Security Profiles:

Palo Alto Networks provides eight security profile features with four profiles categorized as advanced protections: Antivirus, Anti-Spyware, Vulnerability Protection and URL Filtering.

Advanced Protections Menu

The Office of Cybersecurity has created a "Security-Baseline" security profile for each of these advanced protections for use on each VSYS. When a unit chooses the "Collaborative model" for firewall administration, these security profiles are assigned.

Security Profile Groups:

Simplify the use of security profiles within security policies by placing the security profiles into groups, so that a rule references one group instead of several individual profiles.

Navigate to Objects > Security Profile Groups and click Add at the bottom of the window.

Add button

Security Policies:

Avoid "rule shadowing" by placing more specific rules above the more general rules.

Intrazone (traffic within a zone): the initial default security policy allows this traffic. If you don't create a rule to block it, the firewall will allow it by default. The intrazone default action is allow.

Interzone (traffic between zones): the initial default security policy blocks this traffic. If you don't create a rule to allow it, the firewall will block it by default. The interzone default action is block.

Universal (traffic both within and between security zones): newly created security policies default to Universal. A Universal rule applies both interzone and intrazone characteristics to the traffic it matches.
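As an added example (not from this KB article or from Palo Alto Networks), the following Python script models the top-down, first-match evaluation described above, the intrazone-allow and interzone-deny defaults, and a check for rules shadowed by a more general rule placed above them. It matches on zones only, and the zone names and rule names are constructed for illustration.

```python
# Added example (not from the KB article): toy model of PAN-OS security policy
# evaluation: top-down first match, intrazone-allow/interzone-deny defaults, and a
# shadowing check. Zones only (no addresses/apps/services); names are constructed.
from collections import namedtuple
# Zone fields are sets ({"any"} matches all); rule_type is universal/intrazone/interzone.
Rule = namedtuple("Rule", "name from_zones to_zones rule_type action")

def zone_match(zones, zone):
    return "any" in zones or zone in zones

def rule_applies(rule, src_zone, dst_zone):
    same_zone = src_zone == dst_zone
    if rule.rule_type != "universal" and (rule.rule_type == "intrazone") != same_zone:
        return False  # intrazone needs the same zone, interzone needs different zones
    return zone_match(rule.from_zones, src_zone) and zone_match(rule.to_zones, dst_zone)

def evaluate(rules, src_zone, dst_zone):
    """First matching rule top-down wins; otherwise the built-in default rule applies."""
    for rule in rules:
        if rule_applies(rule, src_zone, dst_zone):
            return rule.name, rule.action
    if src_zone == dst_zone:
        return "intrazone-default", "allow"
    return "interzone-default", "deny"

def effective_type(rule):
    """A universal rule whose zones can never coincide only ever sees interzone traffic."""
    if (rule.rule_type == "universal" and "any" not in rule.from_zones | rule.to_zones
            and rule.from_zones.isdisjoint(rule.to_zones)):
        return "interzone"
    return rule.rule_type

def shadowed_rules(rules):
    """Rules that can never match because an earlier rule already covers their traffic."""
    out = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (effective_type(earlier) in ("universal", effective_type(later))
                    and (earlier.from_zones == {"any"} or later.from_zones <= earlier.from_zones)
                    and (earlier.to_zones == {"any"} or later.to_zones <= earlier.to_zones)):
                out.append(later.name)
                break
    return out

# Constructed rulebase: "allow-app-to-db" is shadowed by the general deny above it.
RULES = [
    Rule("allow-web-to-db", {"web"}, {"db"}, "universal", "allow"),
    Rule("deny-all-to-db", {"any"}, {"db"}, "interzone", "deny"),
    Rule("allow-app-to-db", {"app"}, {"db"}, "universal", "allow"),
]
```

Moving "allow-app-to-db" above the general deny makes it match again, which is the ordering fix the rule-shadowing advice above describes.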

You can add the profiles (and profile groups) to your policy rule under the rule settings > "Action" tab:

Security Policies can call a single security profile group:

Profile Group in Policy Properties

or a choice of individual security profiles:
Individual Profile in Policy Settings Window


For more UW Madison Knowledge Bases, see: https://kb.wisc.edu/search.php?q=palo+alto

For assistance please contact: cybersecurity@cio.wisc.edu

Keywords: Palo Alto paloalto cybersecurity cyber policy zone firewall fw-admin delegated collaborative network
Doc ID: 90956
Owned by: Vincent A. in Cybersecurity
Created: 2019-04-10
Updated: 2024-03-19
Sites: Cybersecurity Operations Center, DoIT Help Desk, Office of Cybersecurity