
FUEL EDUCATION SERIES - PALO ALTO NETWORKS 101

TABLE OF CONTENTS

Fuel Education Series - Palo Alto Networks 101 ..... 1
Security Policy Fundamentals ..... 2
Types of Policies ..... 2
Policy Development Best Practices ..... 2
Next-Generation Firewall Structure ..... 3
Port-based Policies – The End of an Era ..... 3
Application-based Policies & Application-ID ..... 3
The Basics of App-ID ..... 3
Defining Policies Using App-ID ..... 4
User- and Group-Based Policies & User-ID ..... 4
User-ID Basics ..... 4

In previous editions of this series, you have hopefully learned how to plan for and execute a move to Palo Alto
Networks Next-Generation Firewall. As part of this migration, you would have moved your existing policies and
hopefully converted them from IP-specific to a more zone-, application- and user-based structure. In this best
practices document, we’ll dig into the benefits of these modern policy structures, and share resources to help you
take advantage of the built-in tools in your Next-Generation Firewall: Application-ID and User-ID.

SECURITY POLICY FUNDAMENTALS

TYPES OF POLICIES

Next-Generation Firewalls have two kinds of security policies you need to consider for planning and reporting
purposes:

1. Implicit security policies are rules that are not visible to the administrator; these are innate rules built into
the Next-Generation Firewall, and they include intra-zone traffic management. For more information on how
to monitor this traffic, take a look at this Palo Alto Networks Live document on monitoring traffic for
default security policies.
2. Explicit security policies are created by the administrator and are visible in reports and the monitoring
interface [1]. These policies will be the focus of this document.
a. Explicit policies impact the client-to-server flow of inter-zone traffic.
b. The ordering of these policies is a critical component of their effectiveness; policy evaluation is
top-down, so traffic stopped by an early rule cannot be validated by a later rule.
c. All traffic that is not addressed by a policy is denied, but is also not logged. If you need to review
denied traffic, you will need a specific rule designed to deny all otherwise undefined traffic.

POLICY DEVELOPMENT BEST PRACTICES

The excerpt below is taken from the Palo Alto Networks PAN-OS documentation. Click here to review the full policy
development best practices.

The key principle when defining policy on the Palo Alto Networks firewall is to use a positive enforcement
approach. Positive enforcement implies that you selectively allow what is required for day-to-day business
operations as opposed to a negative enforcement approach where you would selectively block everything that
is not allowed. Consider the following suggestions when creating policy:

 If you have two or more zones with identical security requirements, combine them into one security
rule.
 The ordering of rules is crucial to ensure the best match criteria. Because policy is evaluated top
down, the more specific policy must precede the ones that are more general, so that the more
specific rule is not shadowed. The term shadow refers to a rule that is not evaluated or is skipped
because it is placed lower in the policy list. When the rule is placed lower, it is not evaluated because
the match criteria was met by another rule that preceded it, thereby shadowing the rule from policy
evaluation.
 To restrict and control access to inbound applications, in the security policy, explicitly define the port
that the service/application will be listening on.
 Logging for broad allow rules—for example access to well-known servers like DNS—can generate a lot
of traffic. Hence it is not recommended unless absolutely necessary.
 By default, the firewall creates a log entry at the end of a session. However, you can modify this
default behavior and configure the firewall to log at the start of the session. Because this significantly
increases the log volume, logging at session start is recommended only when you are troubleshooting
an issue. Another alternative for troubleshooting without enabling logging at session start is to use
the session browser (Monitor > Session Browser) to view the sessions in real time.

[1] https://live.paloaltonetworks.com/t5/Learning-Articles/Security-policy-fundamentals/ta-p/53016

Additional Resources:

 Components of a Security Policy
 About Policy Objects
 About Security Profiles
 Example of how to build a basic security policy

NEXT-GENERATION FIREWALL STRUCTURE

The firewall checks the following criteria, in this order, to match traffic against a security policy.
Remember these steps when you’re building your policies to avoid any rule shadowing concerns.

1. Source and destination address
2. Source ports and destination ports
3. Applications
4. User-ID
5. URL category
6. Source and destination zones
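Rule shadowing and the top-down first match described in the best-practice list and the criteria list above, as an added example that is not code from the document or from Palo Alto Networks: a small Python rulebase evaluator flags a later, more specific rule hidden behind a broader earlier one, and shows why an explicit logged deny-all is needed. All rule names, zones, users and addresses are constructed.

```python
# Added example, not from the document: a first-match rulebase evaluator with a
# shadow check. Match fields follow the document's criteria list; a field left out
# of a rule means "any". Rule names, zones, addresses and users are constructed.
from dataclasses import dataclass, field
FIELDS = ("src_addr", "dst_addr", "src_port", "dst_port", "app", "user",
          "url_category", "src_zone", "dst_zone")   # same order as the criteria list above

@dataclass
class Rule:
    name: str
    action: str                                # "allow" or "deny"
    match: dict = field(default_factory=dict)  # missing key == "any"

    def covers(self, packet):
        """True if this rule matches the packet (unspecified fields match anything)."""
        return all(self.match.get(f, "any") in ("any", packet.get(f)) for f in FIELDS)

    def subsumes(self, other):
        """True if every packet 'other' could match is already caught by self."""
        return all(self.match.get(f, "any") in ("any", other.match.get(f, "any")) for f in FIELDS)

def evaluate(rules, packet):
    """Top-down, first match wins; None is the implicit deny, which produces no log entry."""
    return next((r for r in rules if r.covers(packet)), None)

def find_shadowed(rules):
    """(shadowed, shadowing) name pairs: a later rule fully covered by an earlier one."""
    return [(later.name, earlier.name) for i, later in enumerate(rules)
            for earlier in rules[:i] if earlier.subsumes(later)]

def specific_first(rules):
    """Naive fix from the best-practice list: most match fields first, catch-all last."""
    return sorted(rules, key=lambda r: -len(r.match))      # stable, so ties keep their order

RULEBASE = [  # constructed; the contractor deny sits below a broader allow and is shadowed
    Rule("allow-web", "allow", match={"src_zone": "trust", "dst_zone": "untrust", "app": "web-browsing"}),
    Rule("deny-contractor-web", "deny", match={"src_zone": "trust", "dst_zone": "untrust",
                                               "app": "web-browsing", "user": "contractors"}),
    Rule("deny-all-logged", "deny"),           # explicit catch-all so denied traffic is logged
]
CONTRACTOR_HTTP = {"src_zone": "trust", "dst_zone": "untrust", "src_addr": "10.1.1.7",
                   "dst_addr": "203.0.113.9", "dst_port": 80, "app": "web-browsing", "user": "contractors"}
INTRA_DMZ = {"src_zone": "dmz", "dst_zone": "dmz", "src_addr": "10.2.0.5",
             "dst_addr": "10.2.0.6", "dst_port": 22, "app": "ssh"}

if __name__ == "__main__":
    print(find_shadowed(RULEBASE))                                   # [('deny-contractor-web', 'allow-web')]
    print(evaluate(RULEBASE, CONTRACTOR_HTTP).name)                  # allow-web: the deny never fires
    print(evaluate(specific_first(RULEBASE), CONTRACTOR_HTTP).name)  # deny-contractor-web
```

Without the final catch-all, `evaluate(RULEBASE[:2], INTRA_DMZ)` returns None, which is the unlogged implicit deny the document warns about.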

PORT-BASED POLICIES – THE (OVERDUE) END OF AN ERA

On traditional firewalls, policies were based on specific IP addresses. This is an unrealistic strategy today, since the
amount of traffic that would be denied could negatively impact business. Additionally, malicious traffic coming
from a trusted IP will not encounter resistance.

Next-Generation Firewalls allow for IP-specific policies, but this should be used sparingly, for very specific needs.

Defining Policies for a Specific Range of Ports

APPLICATION-BASED POLICIES & APPLICATION-ID

Next-Generation Firewalls default to an application-based approach to policies. Policies can target specific
applications, or identify applications by their characteristics and traffic. The flexibility in this system
allows for granular control of known threats without having to block all unknown applications.

THE BASICS OF APP-ID

App-ID technology utilizes the following analysis areas to determine if an application’s activity should be
permitted [i].

1. Application Signatures – signatures help to identify if an application is already known, and if its behavior
maps to previous usage.
2. TLS/SSL and SSH Decryption – Checks for encryption and tunneling help to determine if decryption is
needed, and to apply specific policies based on the encryption or tunnel being used.
3. Application and Protocol Decoding – decoders help to identify the traffic taking place within an
application, and can help to prevent malicious traffic from moving through a trusted application (like file
sharing in an online meeting application.)
4. Heuristics – The behavioral analysis of an unknown application is the final step in monitoring and
managing traffic.

DEFINING POLICIES USING APP-ID

Once an application has been identified (or placed into a criteria -based grouping), a specific response can be
enacted. Options include:

 Allow – permit full application activity
 Deny – all services and activity are prevented
 Scan for threats – application activity is permitted, but must be scanned
 Limited functionality – certain features of an application, such as administration features or file sharing,
may be disabled

It is possible for an application to have more than one status based on which ports traffic is received through,
activity characteristics, filters, or specific users or groups.

Dynamic Filters - A dynamic filter is a set of applications that is created based on any combination of the filter
criteria: category, subcategory, behavioral characteristic, underlying technology or risk factor. Security policies can
be applied to dynamic filters. The security policy is then enforced for application traffic that matches the filter
criteria. Palo Alto Networks releases newly identified applications weekly, and these releases update the filters.

Application Groups – Known applications can be added to custom groups to manage traffic, or to assign access
rights to groups of users. These groups only change based on administrator edits.
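The difference between a dynamic filter and an application group, as an added Python example that is not from the document or from Palo Alto Networks: the filter is re-evaluated against whatever application content is installed, so a rule built on it covers newly released applications without an edit, while a group does not. The application names, attributes and risk values are constructed.

```python
# Added example, not from the document: contrasts a dynamic application filter
# (defined by attributes, so it picks up applications published in later content
# updates) with a static application group (changes only when an admin edits it).
# The application catalogue, attribute values and risk numbers are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class App:
    name: str
    category: str
    subcategory: str
    technology: str   # constructed values such as "browser-based" or "peer-to-peer"
    risk: int         # 1 = lowest .. 5 = highest

# Constructed catalogue standing in for the App-ID content currently installed.
CONTENT_V1 = [
    App("zoom-meet", "collaboration", "voip-video", "client-server", 3),
    App("share-cloud", "general-internet", "file-sharing", "browser-based", 4),
    App("swarm-p2p", "general-internet", "file-sharing", "peer-to-peer", 5),
]
# A later weekly content update adds one more file-sharing application.
CONTENT_V2 = CONTENT_V1 + [App("box-drop", "general-internet", "file-sharing", "browser-based", 4)]

def dynamic_filter(content, **criteria):
    """Names of apps matching every criterion; 'min_risk' is a lower bound, the rest are exact."""
    def matches(app):
        for key, want in criteria.items():
            if key == "min_risk" and app.risk < want:
                return False
            if key != "min_risk" and getattr(app, key) != want:
                return False
        return True
    return {a.name for a in content if matches(a)}

class AppGroup:
    """Static membership: the set only changes through an explicit administrator edit."""
    def __init__(self, *names):
        self.members = set(names)

    def admin_add(self, name):
        self.members.add(name)

RISKY_SHARING = {"subcategory": "file-sharing", "min_risk": 4}   # filter used by a deny rule
SANCTIONED = AppGroup("zoom-meet")                                # group used by an allow rule

if __name__ == "__main__":
    print(dynamic_filter(CONTENT_V1, **RISKY_SHARING))   # {'share-cloud', 'swarm-p2p'}
    print(dynamic_filter(CONTENT_V2, **RISKY_SHARING))   # box-drop is covered with no rule edit
    print(SANCTIONED.members)                              # unchanged by the content update
```

The same mechanism cuts both ways: a deny rule on a filter automatically covers new risky applications, while an allow rule on a filter silently widens after each content update, which is a reason to review filter-based allow rules after updates.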

USER- AND GROUP-BASED POLICIES & USER-ID

Once application-based policy management is in place, you can add an additional layer of control and visibility
through user- or group-defined policies.

USER-ID BASICS

To enable security policy based on users and user groups, you must enable User-ID for each zone that contains
users you want to identify. You can then define policy rules that allow or deny traffic based on username or group
membership. Additionally, you can create Captive Portal rules to enable identification for IP addresses that don’t
yet have any user data associated with them [ii].

To be able to enforce the user- and group-based policies, the firewall must be able to map the IP addresses in the
packets it receives to usernames. User-ID provides many mechanisms to get these IP-address-to-username
mappings. For example, it uses agents to monitor server logs for login events, probe clients, or listen
for syslog messages from authenticating services. To identify mappings for IP addresses that were not mapped using
one of the agent mechanisms, you can configure the firewall to redirect HTTP requests to a captive portal login.
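The IP-address-to-username mapping and Captive Portal fallback described above, as an added Python example that is not from the document or from Palo Alto Networks: it replays constructed authentication syslog lines into a mapping table, ages entries out, and reports when an unmapped HTTP flow would be redirected. The log format, addresses, usernames and the timeout are assumptions.

```python
# Added example, not from the document: a minimal IP-address-to-username table of
# the kind User-ID builds from authentication syslog, plus the fallback the document
# describes for unmapped addresses (redirect HTTP to Captive Portal). The log format,
# usernames, addresses and the 45-minute mapping timeout are constructed.
import re
from datetime import datetime, timedelta

# Constructed format, not a real vendor's: "<iso-ts> auth: event=<login|logout> user=<u> src=<ip>"
LOG_RE = re.compile(r"^(?P<ts>\S+) auth: event=(?P<event>login|logout) "
                    r"user=(?P<user>\S+) src=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$")
SAMPLE_SYSLOG = [
    "2024-05-01T08:00:12Z auth: event=login user=alice src=10.1.1.7",
    "2024-05-01T08:02:40Z auth: event=login user=bob src=10.1.1.8",
    "2024-05-01T08:10:03Z auth: event=logout user=bob src=10.1.1.8",
    "<14>May  1 08:12:00 host kernel: unrelated message",              # ignored: does not parse
    "2024-05-01T08:15:00Z auth: event=login user=carol src=10.1.1.7",  # same IP, new user
]
MAPPING_TIMEOUT = timedelta(minutes=45)   # constructed; real deployments tune this per source

def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def build_mapping(lines):
    """Replay login/logout events into {ip: (user, last_login_ts)}."""
    table = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                                   # unknown lines are skipped, never guessed
        if m["event"] == "login":
            table[m["ip"]] = (m["user"], parse_ts(m["ts"]))   # newest login wins for that IP
        elif table.get(m["ip"], (None,))[0] == m["user"]:
            del table[m["ip"]]                         # logout only clears the matching user
    return table

def resolve_user(table, ip, now_iso):
    """Username for ip, or None if unmapped or the mapping has aged out."""
    entry = table.get(ip)
    if entry is None or parse_ts(now_iso) - entry[1] > MAPPING_TIMEOUT:
        return None
    return entry[0]

def disposition(table, ip, app, now_iso):
    """How a user-based rule sees this flow: a username, a Captive Portal redirect, or unknown."""
    user = resolve_user(table, ip, now_iso)
    if user is not None:
        return f"user:{user}"
    return "captive-portal" if app == "web-browsing" else "unknown-user"

if __name__ == "__main__":
    t = build_mapping(SAMPLE_SYSLOG)
    print(disposition(t, "10.1.1.7", "ssl", "2024-05-01T08:30:00Z"))           # user:carol
    print(disposition(t, "10.1.1.9", "web-browsing", "2024-05-01T08:30:00Z"))  # captive-portal
```

Only HTTP can be redirected to the portal, so a non-web flow from an unmapped address stays "unknown-user" and will not match any user- or group-based rule.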

GETTING STARTED WITH USER-ID

You’ll want to start by defining Groups for your users, to streamline and simplify ongoing management. Controls
based at the user-specific level should be used sparingly, as they take more time to manage and leave open more
possibility to incorrectly allow or deny activity.

Some options include:

 By region
 By domain
 By job role/unit
 Specific project groups

These rules can be universal, application-specific, or tied to other criteria.

Learn more about the steps for creating a Group using an LDAP server profile here.

ADDITIONAL USER-ID RESOURCES

Here’s some information on how to enable User and Group-based Policy

Don’t forget to verify your User-ID configuration once it’s set up!

MORE DATA, LESS PROBLEMS

Now that you’ve enabled application- and user-based policy management on your Next-Generation Firewall, you
have not only enhanced your organization’s security and protected your users – you’ve also started generating
valuable data on usage trends and threats that can help you adapt and improve your policies!

In the next release of our Palo Alto Networks 101 Best Practices Series, we’ll review how to take advantage of
monitoring and reporting features.
[i] https://www.paloaltonetworks.com/resources/datasheets/application-based-policies.html
[ii] https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/user-id/enable-user-and-group-based-policy
