Intra-Data-Center Traffic Policies
10.0 (EoL)
Configure Security policy and Decryption policy for traffic between data center servers and application tiers.

- Create intra-data-center application allow rules to protect data center servers from other data center servers that may be compromised. A common application architecture consists of three server tiers: web servers, application servers, and database servers. Apply best practice Security profiles to most traffic between server tiers to prevent threats. Don’t apply Security profiles to low-value, high-volume traffic such as mailbox replication and backup flows—the firewall already inspected the original flows, so spending CPU cycles on them provides no extra value. Do create allow rules for these applications to prevent misuse. For each rule, configure Log at Session End on the Actions tab and set up Log Forwarding to track and analyze rule violations.

  This example configures rules that allow traffic between application server tiers for two proprietary internal finance applications for which we created custom applications: Billing-App and Payment-App.

  - Allow finance application traffic between the web server tier and the application server tier.
  - Allow finance application traffic between the application server tier and the database server tier.

- Create intra-data-center Decryption policy rules to decrypt the traffic allowed in the preceding Security policy rules. The data center is a perfect place for attackers to hide because many people think the data center is safe and don’t look for intruders. But the same basic tenet that’s true in the rest of the network holds true in the data center: you can’t protect yourself against what you can’t see. Decrypt encrypted data center traffic so that the firewall can inspect traffic, control access, make threats visible, and protect your valuable assets.

  Not all data center traffic is encrypted. Don’t spend resources to decrypt unencrypted (cleartext) traffic.

  - This rule decrypts traffic flowing between the web server tier and the application server tier for the Finance department’s billing servers.
  - This rule decrypts the traffic flowing between the application server tier and the database server tier for the Finance department’s billing servers.
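As an added example (not code from the Palo Alto Networks documentation), the following Python script audits a modelled intra-data-center rulebase against the checklist in both steps above: Log at Session End and Log Forwarding on every allow rule, Security profiles on high-value tier traffic only, and a Decryption rule for every allowed tier pair that is not known to be cleartext. The zone names, application names, rule fields and sample rules are assumptions constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class SecurityRule:  # constructed model of the rule fields the page calls out, not PAN-OS's schema
    name: str
    from_zone: str
    to_zone: str
    applications: tuple
    log_end: bool = False        # "Log at Session End" on the Actions tab
    log_forwarding: str = ""     # Log Forwarding profile name; "" means none
    profile_group: str = ""      # Security profile group name; "" means none

# Hypothetical names for the low-value, high-volume apps the page says to allow unprofiled,
# and for tier pairs known to carry only cleartext (so they must not be decrypted).
LOW_VALUE_APPS = {"mailbox-replication", "backup-flows"}
CLEARTEXT_PAIRS = {("app-tier", "backup-tier")}

def audit(security_rules, decrypted_pairs):
    """One finding per deviation from the page's guidance; an empty list means compliant."""
    findings = []
    for r in security_rules:
        pair = (r.from_zone, r.to_zone)
        low_value = bool(r.applications) and set(r.applications) <= LOW_VALUE_APPS
        if not r.log_end:
            findings.append(f"{r.name}: Log at Session End disabled")
        if not r.log_forwarding:
            findings.append(f"{r.name}: no Log Forwarding profile")
        if not low_value and not r.profile_group:
            findings.append(f"{r.name}: high-value traffic without Security profiles")
        if low_value and r.profile_group:
            findings.append(f"{r.name}: Security profiles spent on low-value traffic")
        if pair in CLEARTEXT_PAIRS and pair in decrypted_pairs:
            findings.append(f"{r.name}: Decryption rule on cleartext pair {pair}")
        if pair not in CLEARTEXT_PAIRS and pair not in decrypted_pairs:
            findings.append(f"{r.name}: allowed traffic {pair} is never decrypted")
    return findings

# Constructed sample: Billing-App and Payment-App rules between the page's three tiers,
# plus a backup flow; the second and third rules deliberately break the guidance.
SAMPLE_RULES = [
    SecurityRule("billing-web-to-app", "web-tier", "app-tier", ("Billing-App",), True, "dc-logs", "dc-bp-profiles"),
    SecurityRule("payment-app-to-db", "app-tier", "db-tier", ("Payment-App",), True, "dc-logs", ""),
    SecurityRule("backup", "app-tier", "backup-tier", ("backup-flows",), False, "dc-logs", "dc-bp-profiles"),
]
SAMPLE_DECRYPTED = {("web-tier", "app-tier"), ("app-tier", "backup-tier")}  # pairs with a decrypt rule

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_RULES, SAMPLE_DECRYPTED)))
```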