Security Policy Fundamental Concepts
Lesson 1: Security Policy Fundamental Concepts - Security NAT Policies
Multiple Match Criteria: Security policy rule match criteria are zones, applications, IP addresses, ports, users, and Host Information Profile (HIP) profiles. The basic criteria for allowing or denying traffic start with the source and destination zones, followed by granular options such as source and destination IP addresses, ports, applications, URL categories, source users, and HIP profiles.
Sessions and Flows
All traffic passing through the firewall is matched against a session, and each session is then matched against a Security policy rule.
A session is identified by:
- Source IP address
- Destination IP address
- Source port number
- Destination port number (for non-UDP/TCP traffic, different protocol fields are used)
- Protocol
- Source security zone
Each session is assigned a unique session ID number.
Security policy rules consider only the c2s (client-to-server) flow.
Security Policy Rule Types
Three rule types, distinguished by where the rule applies: within a zone, between zones, or both.
An intrazone rule applies to all matching traffic within the specified source zones.
An interzone rule applies to all matching traffic between the specified source and destination zones.
A universal rule applies to all matching interzone and intrazone traffic in the specified source and destination zones.
Implicit and Explicit Rules
By default the firewall implicitly allows intrazone traffic and implicitly denies interzone traffic.
See intrazone-default and interzone-default at Policies > Security > Default Rules.
Security Policy Match
Rules are evaluated for a match from top to bottom. After a rule match is found, no other rules are evaluated.
Policy rules are unidirectional: they allow only traffic that is initiated in the direction the rule specifies. Replies to the client (the s2c flow) are always allowed automatically.
Policy Rule Usage
The policy rule usage feature lets you identify rules that are used frequently and determine which rules are unused and should be removed.
You can reset the rule hit count data to validate an existing rule, or to gauge rule use within a given period of time.
Rule Shadowing
A broader rule placed earlier in the ruleset casts a shadow over, or hides, the more specific rules below it: say Rule A matches the subnet 192.168.1.0/24 in the Inside zone, while Rule B and Rule C match the single IP address 192.168.1.3, which belongs to the Inside zone and to that subnet; Rule A then shadows Rule B and Rule C. Remove shadowing by reordering the rules.
Policy Rule Auditing
Use comments to explain policy rule changes (Audit Comment).
Audit Comment Archive
Each Audit Comment that is captured during a commit of policy rules is added to an Audit Comment Archive
The Config Logs (between commits) tab shows a detailed change history of the rule and which administrator made the comments.
The Rule Changes tab can be used to compare any two versions of the rule to identify the differences between them.
-------------------------------------------------
>Security policy fundamental concepts
Like Access Control Lists; session setup, session ID, App-ID, Content-ID
Basic criteria or Granular criteria
Flow Logic of the Next Generation Firewall
Inspect and Control Network Traffic
Sessions and Flows
Display Security Policy Rules
Manage the Policy Ruleset
Security Policy Rule Types
Custom and Predefined Rules
Security Policy Rule Match
Policy Rule Hit Count
Rule Shadowing
>Security policy administration
Configure a Security Policy Rule: General Tab
Rule Changes Archive
Configure a Security Policy Rule: Source Tab
Configure a Security Policy Rule: Destination Tab
Configure a Security Policy Rule: Application Tab
Unresolved Dependencies Reported During a Commit
Configure a Security Policy Rule: Service/URL Category Tab
Configure a New Service Definition
Configure a Security Policy Rule: Actions Settings
Schedule Security Policy Rules
Configure a Security Policy Rule: Usage Settings
Enable Intrazone and Interzone Logging
Find Unused Security Policy Rules
Rule Usage Filter
Policies > Security > Policy Optimizer > Rule Usage
Create an Address Object
Objects > Addresses > Add
Create a Static Address Group
Objects > Address Groups > Add
Create a Dynamic Address Group
Tags
Objects > Tags > Add
Tag-Based Rule Groups
Test Policy Functionality
Policies > Security
Use Global Find
View the Traffic Log
Monitor > Logs > Traffic
Question
1. Which two items are required match criteria in a Palo Alto Networks Security policy rule? (Choose two.)
a. source zone
b. destination zone
c. destination address
d. destination port
2. Which type of Security policy rule is the default rule type?
a. intrazone
b. interzone
c. universal
d. default
3. Which action in a Security policy rule results in traffic being silently rejected?
a. deny
b. drop
c. reset server
d. reset client
4. True or false? Logging on intrazone-default and interzone-default Security policy rules is enabled by default.
a. true
b. false
1. Logging on intrazone-default and interzone-default Security policy rules is enabled by default.
False
2. NGFW QoS policies can be configured to apply:
data encryption
forwarding for anti-virus screening
either preferential treatment or bandwidth-limiting traffic rules
third party authentication
3. When defining Security policy rules, why should you consider only the c2s flow direction, and define policy rules that allow or deny traffic from the source zone to the destination zone, that is, in the c2s direction?
For traffic that does not match any custom defined rules, all communications are conducted in a separate traffic buffer
The return c2s flow does not require a separate rule because communications are automatically allowed.
Default rules are predefined to allow all interzone traffic (between zones) and deny all intrazone traffic (within a zone).
The return s2c flow does not require a separate rule because the return traffic automatically is allowed
4. Which of the following are NOT traffic attributes or criteria that can be defined in a Security policy rule?
URL Category
Source / Destination zones
Traffic that does not pass through the firewall data plane
Source user
5. Security policy rules on the Next Generation firewall specify a source and a destination interface.
True
6. Traffic going to a public IP address is being translated by a Next Generation firewall to an internal server private IP address. Which IP address should the security policy use as the destination IP in order to allow traffic to the server?
The firewall Management port IP
The server private IP
The server public IP
The firewall gateway IP
7. Which action in a Security policy rule results in traffic being silently rejected?
Deny
Reset Client
Drop
Reset Server
8. Which NGFW security policy rule applies to all matching traffic within the specified source zones?
Universal
Interzone
Intrazone
Default
9. Which type of Security policy rule is the default rule type?
Default
Universal
Intrazone
Interzone