This article provides advanced advice on security policies, with best practices for administrator-level users of Palo Alto firewalls and virtual systems.
The firewall administrators at The University of Wisconsin Madison inherited security policies from the previous network security firewalls during the first initiative, in 2017, to migrate to the Palo Alto firewalls. With this migration, the rule naming scheme was set up as:
"Vlan-####-Rule-##"
These names can be adjusted by the firewall admin to reflect the use of the rule.
During the firewall migration the engineers implemented a naming schema for tags to provide clarity. The naming scheme begins with the traffic direction, followed by the departmental code, then the VLAN number, then the name of the physical firewall where the rule resides. Examples are:
"IN-UNITSHORTCODE-VLAN-FIREWALLNAME"
"OUT-UNITSHORTCODE-VLAN-FIREWALLNAME"
The rule "type" can be changed from Universal to interzone or intrazone to limit unwanted access.
When applying Security Zones, Palo Alto's best practice is to avoid "Any" in the source or destination zone fields. An any-any rule opens the possibility of unintentionally allowing sessions that were not accounted for. Instead, use specific zones for the desired source and destination.
When the firewall processes a packet, it attempts to match the packet to a security rule; only a matching rule allows the packet to flow through the firewall.
The Application ID (App-ID) feature is the next-generation capability that Palo Alto firewalls provide to verify that access requests match the official use-case.
Palo Alto hides some columns by default; these can be shown by hovering over a column header to display its sub-menu.
Rule Usage
With PAN-OS version 8.1, Rule Usage hit-counters were provided for each rule. As seen in the above image, the rule usage is broken down into Hit Count, Last Hit and First Hit.
This translates into:
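The naming scheme for rules and tags, the advice against "Any" in the source or destination zone fields, and the PAN-OS 8.1 rule-usage counters described above can all be checked mechanically once a rulebase has been exported. The following script is an added example, not part of the original article and not Palo Alto or UW-Madison tooling. It assumes the rulebase has already been exported (for instance via the XML API or a CSV export) into a list of dicts with the fields shown; the rule records, the tag format details and the 90-day staleness threshold are constructed assumptions for illustration.

```python
"""Audit an exported Palo Alto rulebase against the conventions above.

Added example, not from the original article or from Palo Alto.
Assumes rules have been exported into dicts with the fields shown; the
sample records below are constructed, not real UW-Madison rules.
"""
import re
from datetime import datetime, timedelta, timezone

# Rule naming scheme from the article: "Vlan-####-Rule-##"
RULE_NAME_RE = re.compile(r"^Vlan-\d{4}-Rule-\d{2}$")
# Tag scheme from the article: direction, unit short code, VLAN, firewall name.
# The exact character classes are an assumption for this example.
TAG_RE = re.compile(r"^(IN|OUT)-[A-Z0-9]+-\d+-[A-Za-z0-9]+$")

# Constructed "now" so the sample run and its results are reproducible.
AUDIT_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed sample rulebase. hit_count / first_hit / last_hit mirror the
# PAN-OS 8.1 Rule Usage columns; timestamps are ISO-8601 strings or None.
SAMPLE_RULES = [
    {"name": "Vlan-0100-Rule-01", "tags": ["IN-UNITA-100-FW1"],
     "from_zone": ["untrust"], "to_zone": ["dmz"], "action": "allow",
     "hit_count": 5120, "first_hit": "2019-03-01T00:00:00+00:00",
     "last_hit": "2024-05-30T12:00:00+00:00"},
    {"name": "Vlan-0100-Rule-02", "tags": ["OUT-UNITA-100-FW1"],
     "from_zone": ["any"], "to_zone": ["any"], "action": "allow",
     "hit_count": 12, "first_hit": "2019-03-01T00:00:00+00:00",
     "last_hit": "2019-03-02T00:00:00+00:00"},
    {"name": "legacy-web", "tags": [],
     "from_zone": ["trust"], "to_zone": ["untrust"], "action": "allow",
     "hit_count": 0, "first_hit": None, "last_hit": None},
]


def check_naming(rule):
    """Flag rule names and tags that do not follow the naming schemes."""
    findings = []
    if not RULE_NAME_RE.match(rule["name"]):
        findings.append("name does not follow Vlan-####-Rule-##")
    if not rule["tags"]:
        findings.append("no direction/unit/VLAN/firewall tag")
    for tag in rule["tags"]:
        if not TAG_RE.match(tag):
            findings.append(f"tag {tag!r} does not follow IN|OUT-UNIT-VLAN-FIREWALL")
    return findings


def check_zones(rule):
    """Flag allow rules that use 'any' as source or destination zone."""
    findings = []
    if rule["action"] != "allow":
        return findings
    for field in ("from_zone", "to_zone"):
        if any(zone.lower() == "any" for zone in rule[field]):
            findings.append(f"{field} is 'any'")
    if len(findings) == 2:
        findings.append("any-any allow rule: sessions may match unintentionally")
    return findings


def check_usage(rule, now, stale_after=timedelta(days=90)):
    """Flag rules with no hits, or whose last hit is older than stale_after."""
    findings = []
    if rule["hit_count"] == 0 or rule["last_hit"] is None:
        findings.append("never hit since counters were reset: candidate for review")
        return findings
    last = datetime.fromisoformat(rule["last_hit"])
    if now - last > stale_after:
        findings.append(f"no hits for {(now - last).days} days: candidate for review")
    return findings


def audit(rules, now=None):
    """Return {rule name: [findings]} for every rule with at least one finding."""
    now = now or datetime.now(timezone.utc)
    report = {}
    for rule in rules:
        findings = check_naming(rule) + check_zones(rule) + check_usage(rule, now)
        if findings:
            report[rule["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_RULES, now=AUDIT_NOW).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Run against the sample data, the first rule passes cleanly, the second is reported for its any-any zones and its stale last hit, and the third for its off-scheme name, missing tag and zero hit count. The usage check only surfaces candidates for review; a rule that has never matched may still be intentional (for example, a rule added ahead of a planned service), so the counters inform a cleanup decision rather than make it.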