Order the Data Center Security Policy Rulebase
Table of Contents
10.2
Expand all | Collapse all
-
- What Is a Data Center Best Practice Security Policy?
- Why Do I Need a Data Center Best Practice Security Policy?
- Data Center Best Practice Methodology
- How Do I Deploy a Data Center Best Practice Security Policy?
- How to Assess Your Data Center
-
- Create the Data Center Best Practice Antivirus Profile
- Create the Data Center Best Practice Anti-Spyware Profile
- Create the Data Center Best Practice Vulnerability Protection Profile
- Create the Data Center Best Practice File Blocking Profile
- Create the Data Center Best Practice WildFire Analysis Profile
- Use Cortex XDR Agent to Protect Data Center Endpoints
- Create Data Center Traffic Block Rules
- Order the Data Center Security Policy Rulebase
- Maintain the Data Center Best Practice Rulebase
- Use Palo Alto Networks Assessment and Review Tools
Order the Data Center Security Policy Rulebase
When traffic matches a Security policy rule, the firewall
takes an action and the traffic hits no other rules. Incorrectly
ordering the rulebase can allow traffic you want to deny or deny
traffic you want to allow.
This topic provides a snapshot of the example Security
policy rulebase that shows the order of the rules for all four data
center traffic flows. The preceding sections discuss each Security
policy rule in detail (as well as the Decryption policy rules, and
where required, the Authentication policy and DoS Protection policy
rules).
The order of the Security policy rules is critical. No rule should
shadow another rule. For example, block rules should not block traffic
that you want to allow, so you must place allow rules before the
rule that would block the traffic goes into effect. In addition,
an allow rule should not allow traffic that you want to block. By
creating very specific allow rules, you tightly control the allowed
applications and who can and cannot use them.
Rules 1-7: The first two rules block the QUIC application
to prevent it from blocking traffic or preventing decryption. The
next five rules allow DNS access for users and allow specific application
and server access for specific user groups. These are the rules
configured in Create User-to-Data-Center Application Allow Rules.
Only the specified users can use only the specified applications
on their default ports to access only the specified data center
destination servers (addresses). Security profiles protect all of
these allow rules against threats. These rules precede block rules
that discover unknown users and applications on the network because
these rules are very specific and they prevent sanctioned users
and applications from matching more general rules lower in the rulebase.
Rules 8-9: While the preceding rules allow sanctioned
applications, the next two rules, created in Create
Data Center Traffic Block Rules, discover and block unexpected
applications from users on standard ports and block all applications
on non-standard ports. (Your deployment may have more user zones
than shown in the example.)
Traffic from non-user zones doesn’t match these rules. Place
these rules above the application blocking rules (rules 18 and 19)
or those rules will shadow these rules. (Traffic that matches these
two rules may also match the more general application blocking rules.
If the application blocking rules come first and match traffic that
also matches these rules, that traffic won’t match these rules and
won’t be logged separately, so the rules won’t do their intended
job of differentiating blocking that is the result of employee user
activity from blocking that is the result of activity from non-user zones.)
Rules 10-16: The next seven rules allow traffic between
the data center and the internet and within the data center (created
in Create Internet-to-Data-Center Application Allow Rules, Create Data-Center-to-Internet Application Allow Rules,
and Create Intra-Data-Center Application Allow Rules.)
Security profiles protect all of these allow rules against threats.
Rules 17-20: The last four rules, configured in Create
Data Center Traffic Block Rules, block applications that
you know you don’t want in your data center and unexpected applications,
and discover unknown users on your network.
Rule 17 blocks applications you never want in your data center.
This rule comes after the application allow rules to enable access
for exceptions. For example, you may sanction one or two file sharing
applications in application allow rules that precede this block
rule, and then the application filter in this rule blocks the rest
of that application type to prevent the use of unsanctioned file
sharing applications. If there are sets of applications or individual
applications that you never want on your network and for which there
are no exceptions, for example, BitTorrent, you can create a specific block
rule to block just those applications and place it at the top of
the rulebase, above the application allow rules. However, if you
do this, you must be certain that none of the blocked applications
have legitimate business uses because users will not be able to
access them.
Rules 18 and 19 are analogous to rules 8 and 9, which discover
unexpected applications from users (the traffic those rules apply
to comes only from user zones). Rules 18 and 19 discover unexpected
applications from all other zones. Having separate rules enables
you to log blocking rule matches with greater granularity.
Rule 20 discovers unknown users so that you can log those attempted
accesses separately for easier investigation.
As with all Security Policy rulebases, the final two rules will
be the Palo Alto Networks default rules for intrazone traffic (allow)
and interzone traffic (deny).