Administrators at the University of Wisconsin-Madison inherited security
policies from our previous network security firewalls when the first initiative,
in 2017, migrated to the Palo Alto. With this migration the implementation
technicians introduced a naming schema for the zone tags to provide clarity:
"IN - UNITSHORTCODE_PHYSICALLOCATION_VLAN_FIREWALLNAME"
"OUT - UNITSHORTCODE_PHYSICALLOCATION_VLAN_FIREWALLNAME"
With zones in mind, Palo Alto best practice is to avoid "any" in the source or destination zone fields. An any-any rule
opens the possibility of unintentionally allowing sessions that were never
accounted for. Instead, name specific zones as source and destination.
The rule type can also be changed from Universal (the default, which matches both cases below) to intrazone or interzone to limit unwanted access:
- Intrazone rule type matches traffic that stays within a zone (source and destination zone are the same).
- Interzone rule type matches traffic between different zones.
When the firewall
processes a packet it attempts to match the packet to a rule that allows it to flow through the firewall. The
first checks in the flow are DoS (Denial of Service) and Zone Protection policies, as
their purpose is to protect against network floods, Denial of Service attacks and host sweeps.
- By nature, these attacks act on networks before the delivery stage of the cyber attack lifecycle.
The firewall then checks any packets that passed this stage against its security policies.
Security policies are evaluated from the top down, and each rule is read from left to right to find a match.
- For example: the firewall matches the security zone and network address in source and destination, then checks for an application and service match, moving through the rule settings.
Once it has reached a match it stops and acts on the packet according to the
action of that rule; later rules are never consulted for that session.
Under Service, use application-default, and use
applications or application filter objects rather than "any". For example,
use ftp with service application-default rather than any with TCP/21, or web-browsing with
application-default rather than any with TCP/80. Matching on the application rather than the port
means the rule only allows traffic the firewall identifies as that application, on the ports it normally uses.
When creating an
allow policy for HTTPS it has been found that the applications ssl and web-browsing
are prerequisites for this to work. Undecrypted HTTPS is identified by App-ID as ssl; once a session is
decrypted, the inner traffic is identified as web-browsing (or a more specific application), so both must be allowed.
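The practices above (specific zones that follow the naming schema, intrazone/interzone rule types, applications rather than ports with application-default, ssl alongside web-browsing for HTTPS) and the top-down first-match evaluation can be checked against a rulebase export. The following is an added example for this page; it is not Palo Alto code and not a UW-Madison tool. It assumes the XML layout of a PAN-OS configuration export for rulebase/security/rules (entry, from, to, application, service, action, rule-type), a constructed three-rule rulebase, and an assumed regular expression for how the naming-schema placeholders are filled. Source/destination addresses, users and service ports are left out of the match model to keep it short.

```python
"""Audit a PAN-OS security rulebase export against the zone, rule-type and
application-default practices above, and show why an any-any rule is harmful.

Added example; not Palo Alto code. Assumes the PAN-OS export XML layout for
rulebase/security/rules and an assumed regex for the zone naming schema.
"""
import re
import xml.etree.ElementTree as ET

# Assumed encoding of "IN - UNITSHORTCODE_PHYSICALLOCATION_VLAN_FIREWALLNAME":
# uppercase tokens, numeric VLAN. Adjust to the real site convention.
ZONE_RE = re.compile(r"^(IN|OUT) - [A-Z0-9]+_[A-Z0-9]+_\d+_[A-Z0-9-]+$")

# Constructed sample rulebase (not a real export). Order matters: top down.
SAMPLE_RULEBASE = """<rules>
  <entry name="legacy-allow-all">
    <from><member>any</member></from><to><member>any</member></to>
    <application><member>any</member></application><service><member>any</member></service>
    <action>allow</action>
  </entry>
  <entry name="ftp-to-archive">
    <from><member>IN - CS_COMPSCI_120_FW1</member></from><to><member>dmz</member></to>
    <application><member>ftp</member></application><service><member>service-tcp-21</member></service>
    <action>allow</action><rule-type>interzone</rule-type>
  </entry>
  <entry name="web-to-dmz">
    <from><member>IN - CS_COMPSCI_120_FW1</member></from><to><member>OUT - CS_COMPSCI_130_FW1</member></to>
    <application><member>web-browsing</member><member>ssl</member></application>
    <service><member>application-default</member></service>
    <action>allow</action><rule-type>interzone</rule-type>
  </entry>
</rules>"""

def _members(entry, tag):
    return [m.text.strip() for m in entry.findall(f"{tag}/member")]

def parse_rules(xml_text):
    """Return the rules in rulebase order as plain dicts."""
    rules = []
    for e in ET.fromstring(xml_text).findall("entry"):
        rules.append({
            "name": e.get("name"),
            "from": _members(e, "from"),
            "to": _members(e, "to"),
            "application": _members(e, "application"),
            "service": _members(e, "service"),
            "action": e.findtext("action"),
            # PAN-OS omits <rule-type> for the default type, universal.
            "rule_type": e.findtext("rule-type", default="universal"),
        })
    return rules

def lint_rule(rule):
    """Findings for one allow rule; deny rules (e.g. a cleanup deny any-any) are skipped."""
    if rule["action"] != "allow":
        return []
    findings = []
    for side in ("from", "to"):
        if "any" in rule[side]:
            findings.append(f"{side} zone is 'any'")
        for zone in rule[side]:
            if zone != "any" and not ZONE_RE.match(zone):
                findings.append(f"{side} zone '{zone}' does not follow the naming schema")
    if "any" in rule["application"]:
        findings.append("application is 'any'")
    if "any" in rule["service"]:
        findings.append("service is 'any'; use application-default")
    elif rule["service"] != ["application-default"]:
        findings.append("service is a fixed port; prefer application-default")
    return findings

def _zone_ok(members, zone):
    return "any" in members or zone in members

def first_match(rules, from_zone, to_zone, app):
    """Top-down evaluation: the first matching rule decides (zones, rule type and
    application only). With no match PAN-OS falls through to its predefined defaults."""
    for rule in rules:
        if not (_zone_ok(rule["from"], from_zone) and _zone_ok(rule["to"], to_zone)):
            continue
        if rule["rule_type"] == "intrazone" and from_zone != to_zone:
            continue
        if rule["rule_type"] == "interzone" and from_zone == to_zone:
            continue
        if "any" not in rule["application"] and app not in rule["application"]:
            continue
        return rule["name"]
    return "intrazone-default" if from_zone == to_zone else "interzone-default"

def _covers(broad, narrow):
    return "any" in broad or set(narrow) <= set(broad)

def shadowed_rules(rules):
    """(rule, earlier rule) pairs where the earlier rule matches every zone pair and
    application of the later one, so the later rule is never reached."""
    out = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if earlier["rule_type"] not in ("universal", rule["rule_type"]):
                continue
            if all(_covers(earlier[f], rule[f]) for f in ("from", "to", "application")):
                out.append((rule["name"], earlier["name"]))
                break
    return out

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULEBASE)
    for r in rules:
        print(r["name"], lint_rule(r))
    print("shadowed:", shadowed_rules(rules))
    print(first_match(rules, "IN - CS_COMPSCI_120_FW1", "OUT - CS_COMPSCI_130_FW1", "ssl"))
```

Run against the sample, the legacy any-any rule collects four findings and shadows both specific rules beneath it: an HTTPS session between the two CS zones is decided by legacy-allow-all, and only once that rule is removed does web-to-dmz (which allows both ssl and web-browsing with application-default) become the deciding rule. A real export can be fed in by pointing parse_rules at the rules element of the configuration XML.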