administrators at The University of Wisconsin Madison inherited security
policies from previous network security firewalls during the first initiative
in 2017 to migrate to the Palo Alto firewalls. With this migration, the naming scheme was setup as:
These names are adjustable by the firewall admin to reflect the use of the rule
During the firewall
migration the engineers implemented a naming schema for tags to provide clarity. The naming scheme begins with the traffic direction, followed by the departmental code, then the VLAN number, then the name of the physical firewall where the rule resides. Examples are:
The rule "type" can change from Universal to inter/intra-zone to limit unwanted access.
- Intrazone rule type manages the traffic within a zone.
- Interzone rule type manages the traffic between zones.
- Universal rule type includes both Intra and inter-zone traffic.
When applying Security Zones, it is best practice from Palo Alto to avoid "Any" in the source or destination zone fields. This opens the possibility for the any-any rule to unintentionally allow sessions that are not accounted for or unintended. Rather, use specific zones for the desired source or destination.
When the firewall
processes a packet it takes the packet and attempts to match it to a rule to allow the packet to flow through the firewall.
first check happens outside the Network security policies, under the DoS (Denial of Service) and Zone protection policies, to protect against: network floods, Denial of Service attacks and host
- By nature, these attacks act on networks before the delivery stage of the cyber-attack lifecycle.
firewall then checks any packets that passes these checks against the security
policies first matching the destination address.
security policies are processed from the top down and then read from left to right to find a rule match.
- Caution: This top-down logic allows for rules to be "shadowed", which occurs when a more general rule is placed above a rule with a more specific source, destination or service object.
it has reached a match for the request, the firewall stops and acts on the packet according to the
action specified by the rule and logs the event based on the logging profile setting.
- During the request the application-id, as recognized on the network, can change when more information is communicated between hosts during TCP life cycle; which can cause the connection to shift to a different rule in the security policy.
The concept of the Application ID feature is the Next Generation feature which the Palo Alto firewalls provide, to verify access requests match the official use-case.
- Palo Alto has generated Application Identifications based on network hash information, matching traffic specific to the application used.
- Application IDs are stored online in their website here.
- Review this KB article on Application-ID specifics for more information.