Web Security Management

• Consolidated Security policy management - Define URL and application access Security policies for users and security protections, all from a single location. Your threat protection settings are applied globally to all web traffic, which eliminates the need to configure them on a per-Security policy basis. You can also turn on SSL Decryption easily from a central location.
• Built-in best practices - Secure web traffic in just a couple of clicks. The ready-to-use default Security policy configurations adhere to Palo Alto Networks’ best practice recommendations. Simply Enable Web Security and Push Config to secure web traffic right away. You can use the default security rules as-is or customize your own.
• Separation of roles and responsibilities - As a Web Security Admin, you can manage web-bound traffic from Web Security, while other traffic is enforced according to the Security policies set in Configuration. All Prisma Access configurations can be handled on a single console with clear separation.
  • Web Security Admins - Can manage settings relevant to their role, but other settings are hidden from view.
  • Account Admin, App Admin, or Instance Admin - Can also view Web Security settings.

Web Security policy Migration

If you had Web Security policies prior to upgrading your environment, you'll find them in a new editable Snippet called “web-sec-migration”. If you had targeted rules specific for GlobalProtect, Explicit Proxy, or Remote Networks, your find them in a separate snippet that's attached to the relevant scope.

So you don't encounter any functional changes to your configuration, snippets have already associated with their correct level, but you'll need to perform a full ("All Admin" scope) before your commits can function.

Rule Order for Web Security and Security Policy

Web Access security rules your create in folder are inherited by child folders, as are any other rules in your configuration. When GlobalProtect, Explicit Proxy, or Remote Networks are heirs of Web Security policy, Web Security rules go to the top of the rulebase. Security policies from higher-level parent folders get priority over Web Access Security policies in lower-level child folders. Default security policies are always placed at the bottom and below any Web Security rules in a child folder.

Newly created Global Web Access policy rules are positioned between Web Security rules and the regular security rules, with Global Catch All policies placed on top of the intrazone default rules in post-rules.

Web Security policies offer a framework for abstracting policies, enabling translation of user intent into the language understood by the enforcement node. This ensures continuity for current rules without altering user experience through default rule ordering.

Here's the order of rule enforcement:

Global - Web Access Security policies Global - Security policies

Prisma Access - Web Access Security policies Prisma Access - Security policies (pre-rules)

Remote Networks - Web Access Security policies Remote Networks - Security policies

Prisma Access - Security policies (post-rules)

Global - Security policies (post-rules)

Get a Behind-the-Scenes Look at your Custom Security policies

Your custom security rules go through a transformation after your build them so that Prisma Access can enforce them properly. The Detail Usage tab gives you an advanced view of your custom security rules, so you can pinpoint in your logs the work your Web Security rules are doing.

To see the details for any of your rules, select ManageConfigurationNGFW and Prisma AccessSecurity ServicesWeb SecurityWeb Access Security policy, select a rule you want to see details for from the Security policies tab, and then select the Detail Usage tab.

You may notice that a single security rule is separated into multiple rules in this view. This is because the rule's intent may require more than one rule to accomplish.