101
TABLE OF CONTENTS
Types of Policies
User-ID Basics
In previous editions of this series, you have hopefully learned how to plan for and execute a move to Palo Alto
Networks Next-Generation Firewall. As part of this migration, you would have moved your existing policies and
hopefully converted them from IP-specific to a more zone-, application- and user-based structure. In this best
practices document, we’ll dig into the benefits of these modern policy structures, and share resources to help you
take advantage of the built-in tools in your Next-Generation Firewall: Application-ID and User-ID.
Next-Generation Firewalls have two kinds of security policies you need to consider for planning and reporting
purposes:
1. Implicit security policies are rules that are not visible to the administrator; these are innate rules built into
the Next-Generation Firewall; this includes intra-zone traffic management. For more information on how
to monitor this traffic, take a look at this Palo Alto Networks Live document on monitoring traffic for
default security policies.
2. Explicit security policies - created by the administrator and visible in reports and the monitoring
interface [1]. These policies will be the focus of this document.
a. Explicit policies govern the client-to-server flow of inter-zone traffic.
b. The ordering of these policies is a critical component of their effectiveness; policy evaluation is
top-down, so traffic stopped by an early rule cannot be validated by a later rule.
c. All traffic that is not addressed by a policy is denied, but is also not logged. If you need to review
denied traffic, you will need a specific rule designed to deny all otherwise undefined traffic.
The excerpt below is taken from the Palo Alto Networks PAN-OS documentation. Click here to review the full policy
development best practices.
The key principle when defining policy on the Palo Alto Networks firewall is to use a positive enforcement
approach. Positive enforcement implies that you selectively allow what is required for day-to-day business
operations as opposed to a negative enforcement approach where you would selectively block everything that
is not allowed. Consider the following suggestions when creating policy:
If you have two or more zones with identical security requirements, combine them into one security
rule.
The ordering of rules is crucial to ensure the best match criteria. Because policy is evaluated top
down, the more specific policy must precede the ones that are more general, so that the more
specific rule is not shadowed. The term shadow refers to a rule that is not evaluated or is skipped
because it is placed lower in the policy list. When the rule is placed lower, it is not evaluated because
the match criteria was met by another rule that preceded it, thereby shadowing the rule from policy
evaluation.
To restrict and control access to inbound applications, in the security policy, explicitly define the port
that the service/application will be listening on.
Logging for broad allow rules—for example access to well-known servers like DNS—can generate a lot
of traffic. Hence it is not recommended unless absolutely necessary.
By default, the firewall creates a log entry at the end of a session. However, you can modify this
default behavior and configure the firewall to log at the start of the session. Because this significantly
increases the log volume, logging at session start is recommended only when you are troubleshooting
an issue. Another alternative for troubleshooting without enabling logging at session start is to use
the session browser (Monitor > Session Browser) to view the sessions in real time.
[1] https://live.paloaltonetworks.com/t5/Learning-Articles/Security-policy-fundamentals/ta-p/53016
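The two policy properties described above (top-down evaluation that shadows a specific rule placed below a broader one, and the silent drop of traffic no rule addresses) are easy to model. The following is an added example written for this document, not Palo Alto Networks code and not a PAN-OS API: rule fields, zone names, application names and users are constructed for illustration, and unmatched traffic is treated as the text states (denied, unlogged).

```python
"""Added example (not from the Palo Alto Networks document or PAN-OS):
a minimal model of top-down security-policy evaluation used to spot
shadowed rules and to check for an explicit, logged deny-all at the end."""
from dataclasses import dataclass

ANY = "any"  # wildcard value for a rule field


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    apps: frozenset      # application names, or {ANY}
    users: frozenset     # usernames/groups, or {ANY}
    action: str          # "allow" or "deny"
    log: bool = True


@dataclass(frozen=True)
class Session:
    src_zone: str
    dst_zone: str
    app: str
    user: str


def _field_matches(allowed: frozenset, value: str) -> bool:
    return ANY in allowed or value in allowed


def matches(rule: Rule, s: Session) -> bool:
    return (rule.src_zone in (ANY, s.src_zone)
            and rule.dst_zone in (ANY, s.dst_zone)
            and _field_matches(rule.apps, s.app)
            and _field_matches(rule.users, s.user))


def evaluate(rules, s: Session):
    """First matching rule wins (top-down). Traffic that no rule addresses is
    denied without a log entry, as the document describes."""
    for r in rules:
        if matches(r, s):
            return r.name, r.action, r.log
    return None, "deny", False


def _covers(general: frozenset, specific: frozenset) -> bool:
    return ANY in general or specific <= general


def shadowed_rules(rules):
    """Names of rules whose match criteria are fully covered by an earlier
    rule: they can never be reached during evaluation."""
    out = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.src_zone in (ANY, later.src_zone)
                    and earlier.dst_zone in (ANY, later.dst_zone)
                    and _covers(earlier.apps, later.apps)
                    and _covers(earlier.users, later.users)):
                out.append(later.name)
                break
    return out


def has_logged_final_deny(rules) -> bool:
    """True when the last rule is a logged deny-all, so that otherwise
    undefined traffic becomes visible in the logs."""
    last = rules[-1]
    return (last.action == "deny" and last.log
            and last.src_zone == ANY and last.dst_zone == ANY
            and ANY in last.apps and ANY in last.users)


# Constructed rulebase: the specific deny is placed BELOW the broad allow,
# so it is shadowed and never stops the traffic it was written for.
RULES = [
    Rule("allow-web-any", "trust", "untrust", frozenset({ANY}), frozenset({ANY}), "allow"),
    Rule("block-p2p", "trust", "untrust", frozenset({"bittorrent"}), frozenset({ANY}), "deny"),
    Rule("deny-all-log", ANY, ANY, frozenset({ANY}), frozenset({ANY}), "deny", log=True),
]

# Same rules with the specific rule moved above the general one.
FIXED_RULES = [RULES[1], RULES[0], RULES[2]]

if __name__ == "__main__":
    p2p = Session("trust", "untrust", "bittorrent", "alice")
    print("shadowed:", shadowed_rules(RULES))           # ['block-p2p']
    print("before:", evaluate(RULES, p2p))              # allowed by allow-web-any
    print("after:", evaluate(FIXED_RULES, p2p))         # denied by block-p2p
    print("unaddressed:", evaluate(RULES[:2], Session("dmz", "trust", "ssh", "bob")))
```

Running `shadowed_rules` against a candidate rulebase before committing it, and `has_logged_final_deny` on the result, gives a quick check for the two mistakes the text warns about; the same ordering logic applies whatever the actual match fields are.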
Additional Resources:
The following criteria list is checked by the firewall in the same order to match the traffic against a security policy.
Remember these steps when you’re building your policies to avoid any rule shadowing concerns.
On traditional firewalls, policies were based on specific IP addresses. This is an unrealistic strategy today, since the
amount of traffic that would be denied could negatively impact business. Additionally, malicious traffic coming
from a trusted IP will not encounter resistance.
Next-Generation Firewalls allow for IP-specific policies, but this should be used sparingly, for very specific needs.
Next-Generation Firewalls default to an application-based approach to policies. This can be for specific
applications, or allows applications to be identified by characteristics and traffic. The flexibility in this system
allows for granular control of known threats without having to block all unknown applications.
App-ID technology utilizes the following analysis areas to determine if an application's activity should be
permitted [i].
1. Application Signatures – signatures help to identify if an application is already known, and if its behavior
maps to previous usage.
2. TLS/SSL and SSH Decryption – Checks for encryption and tunneling help to determine if decryption is
needed, and to apply specific policies based on the encryption or tunnel being used.
3. Application and Protocol Decoding – decoders help to identify the traffic taking place within an
application, and can help to prevent malicious traffic from moving through a trusted application (like file
sharing in an online meeting application.)
4. Heuristics – The behavioral analysis of an unknown application is the final step in monitoring and
managing traffic.
DEFINING POLICIES USING APP-ID
Once an application has been identified (or placed into a criteria-based grouping), a specific response can be
enacted. Options include:
It is possible for an application to have more than one status based on which ports traffic is received through,
activity characteristics, filters, or specific users or groups.
Dynamic Filters - A dynamic filter is a set of applications that is created based on any combination of the filter
criteria: category, subcategory, behavioral characteristic, underlying technology or risk factor. Security policies can
be applied to dynamic filters. The security policy is then enforced for application traffic that matches the filter
criteria. New applications identified by Palo Alto Networks are updated weekly to update these filters.
Application Groups – Known applications can be added to custom groups to manage traffic, or to assign access
rights to groups of users. These groups only change based on administrator edits.
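The practical difference between a dynamic filter and an application group is what happens when the application catalogue changes. The following added example, written for this document and not Palo Alto Networks code, models both against a constructed catalogue (the application entries, categories and characteristic names are illustrative, not the real App-ID database): a filter is re-evaluated against the current catalogue, so a newly identified application that meets the criteria is covered automatically, while a group is a fixed list that changes only when an administrator edits it.

```python
"""Added example (not from the document or PAN-OS): dynamic application
filters (attribute-based) versus static application groups (name-based)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class App:
    name: str
    category: str
    subcategory: str
    technology: str
    risk: int                 # 1 (low) .. 5 (high)
    characteristics: frozenset


# Constructed catalogue for illustration; names and attributes are invented.
CATALOG = [
    App("bittorrent", "general-internet", "file-sharing", "peer-to-peer", 5,
        frozenset({"transfers-files", "evasive", "used-by-malware"})),
    App("dropbox", "saas", "file-sharing", "browser-based", 3,
        frozenset({"transfers-files"})),
    App("dns", "networking", "infrastructure", "client-server", 3, frozenset()),
    App("ssh", "networking", "encrypted-tunnel", "client-server", 4,
        frozenset({"tunnels-other-apps"})),
]

# A later content update adds a new application the administrator never named.
NEW_APP = App("new-p2p-share", "general-internet", "file-sharing", "peer-to-peer", 5,
              frozenset({"transfers-files", "evasive"}))


def dynamic_filter(catalog, category=None, subcategory=None, technology=None,
                   min_risk=None, characteristics=()):
    """Names of applications matching every criterion given. Criteria left as
    None/empty are not applied; characteristics must all be present."""
    wanted = frozenset(characteristics)
    out = []
    for a in catalog:
        if category is not None and a.category != category:
            continue
        if subcategory is not None and a.subcategory != subcategory:
            continue
        if technology is not None and a.technology != technology:
            continue
        if min_risk is not None and a.risk < min_risk:
            continue
        if not wanted <= a.characteristics:
            continue
        out.append(a.name)
    return sorted(out)


def app_group(catalog, members):
    """A static group: the administrator's list, restricted to known apps.
    Nothing is added unless the list itself is edited."""
    known = {a.name for a in catalog}
    return sorted(m for m in members if m in known)


def resolve_both(catalog):
    """Resolve a risky file-sharing filter and a hand-picked group against
    a given catalogue, so the two can be compared before/after an update."""
    return {
        "filter": dynamic_filter(catalog, subcategory="file-sharing", min_risk=4),
        "group": app_group(catalog, ["bittorrent", "dropbox"]),
    }


if __name__ == "__main__":
    print("before update:", resolve_both(CATALOG))
    print("after update: ", resolve_both(CATALOG + [NEW_APP]))
    print("tunnelling apps:", dynamic_filter(CATALOG, characteristics={"tunnels-other-apps"}))
```

A policy attached to the filter therefore keeps up with new identifications on its own, which is exactly why a filter should be reviewed for over-breadth (which attributes it keys on) rather than for membership, whereas a group is reviewed for membership.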
Once application-based policy management is in place, you can add an additional layer of control and visibility
through user- or group-defined policies.
USER-ID BASICS
To enable security policy based on users and user groups, you must enable User-ID for each zone that contains
users you want to identify. You can then define policy rules that allow or deny traffic based on username or group
membership. Additionally, you can create Captive Portal rules to enable identification for IP addresses that don't
yet have any user data associated with them [ii].
To be able to enforce the user- and group-based policies, the firewall must be able to map the IP addresses in the
packets it receives to usernames. User-ID provides many mechanisms to get these IP address to username
mappings. For example, it uses agents to monitor server logs for login events and/or probe clients, and/or listen
for syslog messages from authenticating services. To identify mappings for IP addresses that were not mapped using
one of the agent mechanisms, you can configure the firewall to redirect HTTP requests to a captive portal login.
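The mapping step described above, as an added example written for this document (it is not Palo Alto Networks code and does not reproduce the User-ID agent or any real syslog format): login events are parsed from constructed syslog lines into an IP-address-to-username table, a mapping older than an assumed timeout is treated as stale, an unmapped address gets the captive-portal fallback only for HTTP traffic, and the resulting user is checked against constructed group membership.

```python
"""Added example (not from the document or PAN-OS): a minimal model of
IP-address-to-username mapping from authentication syslog events, with
captive-portal fallback for unmapped addresses and group-based decisions."""
import re
from datetime import datetime, timedelta, timezone

# Constructed syslog lines; the message format is invented for this example.
SAMPLE_SYSLOG = """\
2024-03-01T08:00:05Z authsrv sshd[101]: Accepted login for user alice from 10.1.1.20
2024-03-01T08:02:10Z authsrv vpn: Accepted login for user bob from 10.1.2.45
2024-03-01T08:03:00Z authsrv sshd[102]: Failed login for user mallory from 10.1.3.9
2024-03-01T09:30:00Z authsrv vpn: Accepted login for user carol from 10.1.1.20
"""

LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) \S+ \S+ Accepted login for user (?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

# Assumed mapping lifetime for the example (a real deployment sets its own).
MAPPING_TIMEOUT = timedelta(minutes=45)

# Constructed group membership, standing in for an LDAP group lookup.
GROUPS = {"engineering": {"alice", "carol"}, "sales": {"bob"}}


def build_mappings(syslog_text):
    """Return {ip: (user, login_time)}. Only successful logins create a
    mapping; a later login from the same IP replaces the earlier user."""
    mappings = {}
    for line in syslog_text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue  # failed logins and unrelated lines create no mapping
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        mappings[m["ip"]] = (m["user"], ts)
    return mappings


def lookup_user(mappings, ip, now):
    """Username for an IP, or None when there is no fresh mapping."""
    entry = mappings.get(ip)
    if entry is None:
        return None
    user, ts = entry
    if now - ts > MAPPING_TIMEOUT:
        return None  # stale: the address may have been reassigned since
    return user


def decide(mappings, ip, app, now, allowed_groups):
    """Policy decision for one session. Unmapped HTTP traffic is sent to the
    captive portal so the user can be identified; other unmapped traffic is
    denied; mapped users are allowed only if they belong to an allowed group."""
    user = lookup_user(mappings, ip, now)
    if user is None:
        return "redirect-to-captive-portal" if app == "web-browsing" else "deny"
    if any(user in GROUPS.get(g, set()) for g in allowed_groups):
        return "allow"
    return "deny"


if __name__ == "__main__":
    now = datetime(2024, 3, 1, 9, 35, tzinfo=timezone.utc)
    table = build_mappings(SAMPLE_SYSLOG)
    for ip, app in [("10.1.1.20", "ssh"), ("10.1.2.45", "web-browsing"),
                    ("10.1.2.45", "ssh"), ("10.1.3.9", "web-browsing")]:
        print(ip, app, "->", decide(table, ip, app, now, ["engineering"]))
```

Two details matter in practice and are reflected here: a failed login must never produce a mapping, and a mapping must age out, otherwise a shared or reassigned address keeps inheriting the previous user's access.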
GETTING STARTED WITH USER-ID
You'll want to start by defining Groups for your users, to streamline and simplify ongoing management. Controls
based at the user-specific level should be used sparingly, as they take more time to manage and leave open more
possibility to incorrectly allow or deny activity.
By region
By domain
By job role/unit
Specific project groups
Learn more about the steps for creating a Group using an LDAP server profile here.
Don’t forget to verify your User-ID configuration once it’s set up!
Now that you’ve enabled application- and user-based policy management on your Next-Generation Firewall, you
have not only enhanced your organization’s security and protected your users – you’ve also started generating
valuable data on usage trends and threats that can help you adapt and improve your policies!
In the next release of our Palo Alto Networks 101 Best Practices Series, we’ll review how to take advantage of
monitoring and reporting features.
[i] https://www.paloaltonetworks.com/resources/datasheets/application-based-policies.html
[ii] https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/user-id/enable-user-and-group-based-policy