Palo Alto: Security Policies

This article provides advanced guidance and best practices on security policies for administrator-level users of Palo Alto firewalls and virtual systems.


The firewall administrators at the University of Wisconsin-Madison inherited security policies from the previous network security firewalls when the first migration initiative moved to Palo Alto in 2017. With this migration, the existing rule naming scheme was carried over:

"Vlan-####-####-Rule-##"

During the firewall migration, the implementation technicians introduced a naming schema for the zone tags to provide clarity:

"IN - UNITSHORTCODE_PHYSICALLOCATION_VLAN_FIREWALLNAME"

"OUT - UNITSHORTCODE_PHYSICALLOCATION_VLAN_FIREWALLNAME"


With zones in mind, Palo Alto's best practice is to avoid "Any" in the source or destination zone fields. An any-to-any rule can unintentionally allow sessions that were never accounted for or intended. Instead, use specific zones for source and destination.


The rule "type" can be changed from Universal to interzone or intrazone to limit unwanted access.

  • The Intrazone rule type matches only traffic that stays within a single zone.
  • The Interzone rule type matches only traffic that crosses between different zones.


When the firewall processes a packet, it attempts to match the packet to a rule that determines whether the packet may flow through the firewall.

  • The first checks in the flow are DoS (Denial of Service) and Zone Protection policies, whose purpose is to protect against network floods, Denial of Service attacks and host scanning.
    • By nature, these attacks act on networks before the delivery stage of the cyber attack lifecycle.
  • The firewall then checks any packets that passed these checks against its security policies.
  • The security policies are evaluated from the top down, and each rule's fields are read from left to right, to find a rule match.
    • For example: the packet is matched against the security zone and network address in source and destination, then checked for an application and service match, moving through the remaining rule settings.
  • Once a match is found, evaluation stops and the packet is handled according to the action of that rule.

Under Service, use application-default, and use application or application filter objects rather than "any".

For example, use ftp with application-default rather than any with TCP/21, or web-browsing with application-default rather than any with TCP/80.
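To make the top-down, left-to-right matching order concrete, the following is a small added simulation (not Palo Alto code or this article's own) of rule evaluation over a constructed rulebase. The zone names, the App-ID default-port table and the rules are assumptions; it shows an any/any rule shadowing the deny beneath it, and application-default refusing an application seen on a non-standard port.

```python
from dataclasses import dataclass

ANY = "any"
# Simplified App-ID default ports used by application-default (constructed for this example).
APP_DEFAULT_PORTS = {"ftp": {"tcp/21"}, "web-browsing": {"tcp/80"}, "ssl": {"tcp/443"}}

@dataclass
class Rule:
    name: str        # follows the article's "Vlan-####-####-Rule-##" scheme
    rule_type: str   # "universal", "intrazone" or "interzone"
    src_zones: set
    dst_zones: set
    apps: set
    service: str     # "application-default", "any" or a fixed port such as "tcp/21"
    action: str      # "allow" or "deny"

@dataclass
class Packet:
    src_zone: str
    dst_zone: str
    app: str
    port: str

def matches(rule, pkt):
    """Left-to-right field check: rule type, zones, then application and service."""
    same_zone = pkt.src_zone == pkt.dst_zone
    if rule.rule_type != "universal" and (rule.rule_type == "intrazone") != same_zone:
        return False
    for allowed, zone in ((rule.src_zones, pkt.src_zone), (rule.dst_zones, pkt.dst_zone)):
        if ANY not in allowed and zone not in allowed:
            return False
    if ANY not in rule.apps and pkt.app not in rule.apps:
        return False
    if rule.service == "application-default":
        return pkt.port in APP_DEFAULT_PORTS.get(pkt.app, set())
    return rule.service == ANY or rule.service == pkt.port

def evaluate(rules, pkt):
    """Top-down, first match wins; otherwise the predefined default applies
    (intrazone traffic is allowed, interzone traffic is denied)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.name, rule.action
    return "predefined-default", ("allow" if pkt.src_zone == pkt.dst_zone else "deny")

IN_Z, OUT_Z = "IN - CYB_CSSC_0100_FW1", "OUT - CYB_CSSC_0100_FW1"  # constructed zone names
LOOSE = [  # the any/any rule on top shadows the ssh deny beneath it
    Rule("Vlan-0100-0200-Rule-01", "universal", {ANY}, {ANY}, {ANY}, ANY, "allow"),
    Rule("Vlan-0100-0200-Rule-02", "universal", {IN_Z}, {OUT_Z}, {"ssh"}, ANY, "deny"),
]
TIGHT = [  # specific zones, interzone type and application-default on the allow
    Rule("Vlan-0100-0200-Rule-01", "interzone", {IN_Z}, {OUT_Z}, {"ftp"}, "application-default", "allow"),
]
```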


When creating an allow policy for HTTPS, it has been found that the applications SSL and Web-browsing are prerequisites for the policy to work.


For more UW-Madison Knowledge Base articles, see: https://kb.wisc.edu/search.php?q=palo+alto

For assistance please contact: cybersecurity@cio.wisc.edu



Keywords: paloalto cyber cybersecurity policy firewall admin
Doc ID: 90963
Owner: Vincent A.
Group: Office of Cybersecurity
Created: 2019-04-10 15:58 CDT
Updated: 2019-05-10 10:52 CDT
Sites: Cybersecurity Operations Center, DoIT Help Desk, Office of Cybersecurity