Palo Alto: Security Policies

This article is to provide advanced advice on security policies with best practices for administrator level users for Palo Alto Firewalls and virtual systems.


The firewall administrators at The University of Wisconsin Madison have inherited security policies from our previous network security firewalls when the first initiative in 2017 migrated to the Palo Alto. With this migration, the naming scheme was setup as:

"Vlan-####-Rule-##"

These names are adjustable by the firewall admin to reflect the use of the rule


 Policy-Example.png


During the firewall migration the engineers implemented a naming schema for tags to provide clarity.


"IN-UNITSHORTCODE-VLAN-FIREWALLNAME"

In-Tag-Example.png


"OUT-UNITSHORTCODE-VLAN-FIREWALLNAME"

Out-tag-example.png


The rule "type" can change from Universal to inter/intra-zone to limit unwanted access.

  • Intrazone rule type manages the traffic within a zone.
  • Interzone rule type manages the traffic between zones.
  • Universal rule types include both Intra and inter-zone traffic.

When applying Security Zones, it is best practice from Palo Alto to avoid "Any" in the source or destination zone fields. This opens the possibility for the any-any rule to unintentionally allow sessions that are not accounted for or unintended. Rather, use specific zones for the desired source or destination. 



When the firewall processes a packet it takes the packet and attempts to match it to a rule to allow the packet to flow through the firewall.

  • The first check happens outside the Network security policy under the DoS (Denial of Service) and Zone protection policies, as their purpose is to protect against: network floods, Denial of Service attacks and host scanning.
    • By nature, these attacks act on networks before the delivery stage of the cyber-attack lifecycle.
  • The firewall then checks any packets that passed this check against the security policies matching the destination address.
  • The security policies are processed from the top down and then read from left to right to find a rule match.
    • Caution: This top-down logic allows for rules to be "shadowed", which occurs when a more general rule is placed above a rule with a more specific source, destination or service object.
  • Once it has reached a match for the request, the firewall stops and acts on the packet according to the action on the rule and logs the event based on the logging profile.
  • During the request the application-id, as recognized on the network, can change when more information is communicated between hosts, which can cause the connection to shift to a different rule in the security policy.

Use of Application ID is the Next Generation feature which the Palo Alto firewall provides to verify access requests match the official use-case.

  • Palo Alto has generated Applications based on network hash information, matching traffic specific to the application used for remote calls.
  • Application IDs are stored online in their website here.
  • Review this KB article on Application-ID specifics for more information.

Palo Alto by default has columns hidden, these can be shown by hovering over a column header to make the triangle display.

 Security_Policies_HiddenColumns.png


Rule Usage

With PAN OS version 8.1 the Rule Usage hit-counters were provided for each rule. As seen in the above image the rule usage is broken down into Hit Count, Last Hit and First Hit.

This translates into:

    • Hit Count: Number of times the rule has been hit since the last hit-counter reset
      Reset-Rule-HitCounter.png
    • Last Hit: The time-stamp for the latest packet to match the rule
    • First Hit: The time-stamp for the first time the rule was hit


For more UW Madison Knowledge Bases, see: https://kb.wisc.edu/search.php?q=palo+alto

For assistance please contact: cybersecurity@cio.wisc.edu