Palo Alto: Security Zones, Profiles and Policies (Rules)
Security policies (rules) on the Palo Alto firewalls are intended to narrow our threat surface. As a firewall administrator or technician, please keep in mind that:
You must have security admin permissions and access to your firewall virtual system (vsys) in order to adjust security policies and profiles. Speak to your local firewall admin, or contact email@example.com, if you would like access.
This document is meant as a high-level intro to security profiles and policies. You can find KB articles with more technical specifics at security profiles and security policies. (As of 5/10/19 these are still under review)
*Suggestion: Create a tag to assign for each zone for easy management* (Navigate to Objects > Tags)
Narrow our threat surface through the use of network segmentation into security zones.
Understand what data access is needed and what is not needed
Use the principle of least privilege
Consider compliance and institutional policy requirements
Internal traffic traverses zones (one zone can cover multiple network interfaces)
Palo Alto Networks provides eight security profile features, with four profiles categorized as advanced protections: Antivirus, Anti-Spyware, Vulnerability Protection and URL Filtering.
The Office of Cybersecurity has created a "Security-Baseline" security profile for each of these advanced protections for use on each vsys. When a unit chooses the Collaborative model for firewall administration, these security profiles are assigned. Below is an image for the antivirus profile for reference.
Security Profile Groups:
Security profile groups simplify the use of security profiles within our security policies by placing the profiles into groups.
Navigate to Objects > Security Profile Groups and click Add at the bottom of the window.
The security baseline security profiles have been put together into a Security-baseline Security group for ease of use.
Avoid "rule shadowing" by placing more specific rules above the larger scope rules.
For example, place a host rule above a network rule.
Intrazone ("traffic within your zone") default security policy: if you don't make a rule to block the traffic, the firewall will allow it by default.
"Catchall allow" rule is the intrazone default.
Interzone ("traffic between zones") default security policy: if you don't make a rule to allow the traffic, the firewall will not allow it by default.
"Catchall deny" rule is the interzone default.
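The rule-ordering and default-action points above, as an added example (not part of the original KB article and not Palo Alto tooling): a small Python model of top-down, first-match evaluation that flags shadowed rules and falls back to the intrazone-allow / interzone-deny defaults. The rule names, zones and addresses are constructed, and the model assumes rules match only on zone and address (real rules also match on application, service and user).

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    src: str     # source CIDR
    dst: str     # destination CIDR
    action: str  # "allow" or "deny"

def _net(cidr):
    return ipaddress.ip_network(cidr)

def covers(a, b):
    """True if rule a matches every packet that rule b matches."""
    return (a.src_zone == b.src_zone and a.dst_zone == b.dst_zone
            and _net(b.src).subnet_of(_net(a.src))
            and _net(b.dst).subnet_of(_net(a.dst)))

def find_shadowed(rules):
    """Return (shadowed, shadowing) name pairs for a top-down rulebase."""
    pairs = []
    for i, lower in enumerate(rules):
        for upper in rules[:i]:
            if covers(upper, lower):
                pairs.append((lower.name, upper.name))
                break  # the first covering rule is the one that wins
    return pairs

def evaluate(rules, src_zone, dst_zone, src_ip, dst_ip):
    """First match wins; otherwise the intrazone/interzone default applies."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if ((r.src_zone, r.dst_zone) == (src_zone, dst_zone)
                and s in _net(r.src) and d in _net(r.dst)):
            return r.action, r.name
    if src_zone == dst_zone:
        return "allow", "intrazone-default"  # catchall allow
    return "deny", "interzone-default"       # catchall deny

# Constructed rulebase: the network rule sits above the host rule (wrong order).
BAD_ORDER = [
    Rule("allow-lab-net", "Lab", "Servers", "10.1.0.0/24", "10.2.0.0/24", "allow"),
    Rule("deny-lab-host", "Lab", "Servers", "10.1.0.50/32", "10.2.0.0/24", "deny"),
]
# Corrected order: the more specific host rule is evaluated first.
GOOD_ORDER = [BAD_ORDER[1], BAD_ORDER[0]]
```

Running `find_shadowed` over an exported rulebase before committing a change shows which specific rules would never be reached in the proposed order.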
You can add the profiles (and profile groups) to your policy rule under the rule settings > "Action" tab:
Security Policies can call a single security profile group:
or a choice of security profiles:
For more UW Madison Knowledge Bases, see: https://kb.wisc.edu/search.php?q=palo+alto
For assistance please contact: firstname.lastname@example.org