Palo Alto: Security Zones, Profiles and Policies (Rules)

Security policies (rules) on the Palo Alto firewalls are intended to narrow our threat surface. As a firewall administrator or technician, please keep in mind that:

  1. Palo Alto Networks firewalls work in terms of what they call security zones: where our user and system traffic is coming from and where it is going to.
  2. Traffic is processed by the security policy in a top-down, left to right flow.

You must have security admin permissions and access to your firewall virtual system (vsys) in order to adjust security policies and profiles. Speak to your local firewall admin or contact if you would like access.

This document is meant as a high-level intro to security profiles and policies. You can find KB articles with more technical specifics at security profiles and security policies.


  • Security Policies:

    • Avoid "rule shadowing" by placing more specific rules above the larger scope rules.

    • Example: host rule above network rule.
      [Figure: Top-Down Rules]

    • Intrazone ("traffic within your zone") default security policy: if you don't make a rule to block the traffic, the firewall will allow it by default.

    • "Catchall allow" rule is the intrazone default.

    • Interzone ("traffic between zones") default security policy: if you don't make a rule to allow the traffic, the firewall will not allow it by default.

    • "Catchall deny" rule is the interzone default.

    • You can add the profiles (and profile groups) to your policy rule under the rule settings > "Action" tab:


    • Security Policies can call a single security profile group:


    • or a choice of security profiles:
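
Returning to the rule-ordering points above (rule shadowing and the intrazone/interzone defaults), the following is an added example, not part of the original KB article or any Palo Alto tooling. It models a rulebase as an ordered list, flags rules that an earlier, broader rule makes unreachable, and evaluates traffic top-down with the two default rules. The zone names, addresses and rule names are constructed, and matching is simplified to zones and addresses only (real rules also match on application, service and user).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    src: str     # source CIDR
    dst: str     # destination CIDR
    action: str  # "allow" or "deny"

def covers(a: Rule, b: Rule) -> bool:
    """True if every flow that matches b also matches a."""
    return (a.src_zone == b.src_zone and a.dst_zone == b.dst_zone
            and ip_network(b.src).subnet_of(ip_network(a.src))
            and ip_network(b.dst).subnet_of(ip_network(a.dst)))

def find_shadowed(rules):
    """Return (shadowed, shadowing) name pairs: rules that can never be hit."""
    pairs = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                pairs.append((later.name, earlier.name))
                break
    return pairs

def evaluate(rules, src_zone, dst_zone, src_ip, dst_ip):
    """Top-down, first match wins; otherwise fall through to the defaults."""
    for r in rules:
        if (r.src_zone == src_zone and r.dst_zone == dst_zone
                and ip_address(src_ip) in ip_network(r.src)
                and ip_address(dst_ip) in ip_network(r.dst)):
            return r.action, r.name
    if src_zone == dst_zone:
        return "allow", "intrazone-default"   # catchall allow within a zone
    return "deny", "interzone-default"        # catchall deny between zones

# Constructed sample rulebases: same two rules, different order.
NETWORK_FIRST = [
    Rule("allow-net", "untrust", "dmz", "0.0.0.0/0", "10.1.0.0/24", "allow"),
    Rule("deny-host", "untrust", "dmz", "0.0.0.0/0", "10.1.0.5/32", "deny"),
]
HOST_FIRST = [NETWORK_FIRST[1], NETWORK_FIRST[0]]

if __name__ == "__main__":
    print("shadowed (network rule first):", find_shadowed(NETWORK_FIRST))
    print("shadowed (host rule first):   ", find_shadowed(HOST_FIRST))
```

With the network rule on top, the host deny is never reached and the host is allowed; placing the host rule first restores the intended block.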
