Prisma SD-WAN Administrator’s Guide
    : Add a Stacked Security Policy Rule
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma
    3. Prisma SD-WAN
    4. Prisma SD-WAN Administrator’s Guide
    5. Prisma SD-WAN Stacked Security Policies
    6. Add a Stacked Security Policy Rule
    Download PDF

    Prisma SD-WAN Administrator’s Guide

    Add a Stacked Security Policy Rule

    Table of Contents

    Add a Stacked Security Policy Rule

    Learn how to add security policy rules for stacked security policies.
    Where Can I Use This?What Do I Need?
    • Prisma SD-WAN
    • Active Prisma SD-WAN license
    Each security policy set is a collection of security policy rules. A security policy set has default security policy rules which cannot be changed, removed, or deleted. You can create custom security policy rules to take precedence over the default security policy rules. You can directly add policy rules to a simple path stack by clicking a simple path stack and then clicking Add Rule. For advanced stacks, select a stack, then a policy set within the stack, and then add policy rules to the policy set.
    • Add a security policy rule to a simple security stack.
      1. Select ManagePoliciesSecuritySecurity StacksSimpleSelect a StackAdd Rule.
      2. Select an action for the rule.
        Configure general allow or deny rules first, then add more specific access and deny rules and have them listed in higher priority order so that they are evaluated before the broader rules.
        On the Info tab:
        • Enter a Name for the policy rule, and optionally enter description and tags.
        • Enter an order between 1-65535 for the policy rule.
          An order of 1 indicates the highest priority for the policy rule. If you leave this field blank, the rule is given the least priority.
        • (Optional) Select Disable Rule if you do not want the ION device to consider this rule.
        • Select the action to take for traffic matching this rule as either Allow, Deny, or Reject. The default action is Allow.
          • Allow—Indicates that the ION device allows traffic that matches the parameters specified in the rule.
          • Deny—Indicates that the ION device drops traffic without sending a RESET or ICMP HOST UNREACHABLE message to the client or server.
          • Reject—Indicates that the ION device rejects traffic that matches the parameters specified in the rule and sends a RESET message to both the client and the server.
      3. (Optional) Configure services for the rule.
        Add protocols, source ports, and destination ports to make the policy rule more specific.
        On the Services tab:
        • (Optional) Click Add Service to add protocols, source ports, and/or destination ports.
          • (Optional) Select a protocol from the Protocol drop-down.
          • (Optional) Select Source Port Ranges between 1 and 65535. Click Add Port Range for additional port ranges. You can add a maximum of 16 source port ranges.
          • (Optional) Select Destination Port Ranges between 1 and 65535. Click Add Port Range for additional port ranges. You can add a maximum of 16 destination port ranges.
      4. (Optional) Add zones and prefixes.
        While creating security policy rules, specify the source and destination zones to which the rule applies and establish one or more source and destination zones for each security rule. The source zone identifies the LAN network from where traffic originates, and the destination zone identifies traffic from the LAN network.
        Prefixes restrict access within a branch and filter out traffic to specific IP addresses within the particular source and destination zones.
        Configure security zones and security prefixes before using them in security policy rules.
        On the Zones & Prefixes tab:
        • (Optional) Select a source Zone and Prefix.
        • (Optional) Select a destination Zone and Prefix.
      5. (Optional) Add applications.
        Applications are the core element of the security solution for controlling network traffic and implementing security policies. You can use the same application definitions and fingerprinting technologies for security policies, path selection for network policies, and for Quality of Service (QoS) implementation in QoS policies.
        On the Applications tab:
        • Select the applications to apply the policy rule.
        You can select 16 applications for one policy rule.
        You can filter applications based on:
        • For sites 6.0.1 or above—Select this option to view system applications from PANW, applications common to PANW and Prisma SD-WAN, and custom applications defined in Prisma SD-WAN.
        • For sites below 6.0.1—Select this option to view legacy system applications in Prisma SD-WAN, applications common to PANW and Prisma SD-WAN, and custom applications defined in Prisma SD-WAN.
        • For any site—Use this option to view applications common to PANW and Prisma SD-WAN along with custom applications defined in Prisma SD-WAN.
        (Optional) You can check the type of application - System (PANW, CGX), System (CGX), or Custom by selecting the application first and then using the filters to view the type of application.
    • Add a security policy rule to an advanced security stack.
      1. Select ManagePoliciesSecuritySecurity StacksAdvancedSecurity SetsSelect a Security SetAdd Rule.
      2. Follow the steps above for adding a security policy rule to an advanced security stack.

    © 2024 Palo Alto Networks, Inc. All rights reserved.