Security Policies

Security Policy Fundamental Concepts

Introduction - Firewall 10.0

Lesson 1: Security Policy Fundamental Concepts - Security NAT Policies

Multiple match criteria. Security policy rule criteria are zones, applications, IP addresses, ports, users, and Host Information Profile (HIP) profiles. The basic criteria allow or deny traffic based on the source and destination zones; granular options add source and destination IP addresses, ports, applications, URL categories, source users, and HIP profiles.

Sessions and Flows

All traffic passing through the firewall is matched against a session, and each session is then matched against a Security policy rule.

A session is identified by:

  • Source IP address
  • Destination IP address
  • Source port number
  • Destination port number (for non-UDP/TCP traffic, different protocol fields are used)
  • Protocol
  • Source security zone

Each session is assigned a unique session ID number.

Security policy rules consider only the c2s (client-to-server) flow.

Security Policy Rule Types

3 rule types: within a zone (intrazone), between zones (interzone), or both (universal)

Intrazone rule applies to all matching traffic within the specified source zones

Interzone rule applies to all matching traffic between the specified source and destination zones

Universal rule applies to all matching interzone and intrazone traffic in the specified source and destination zones

Implicit and Explicit Rules

By default the firewall implicitly allows intrazone traffic and implicitly denies interzone traffic.

See intrazone-default and interzone-default at Policies > Security > Default Rules

Security Policy Match

Rules are evaluated for a match from top to bottom. After a rule match is found, no other rules are evaluated.

Policy rules are unidirectional: they allow only traffic that is initiated in the direction the policy rule specifies. Replies from the server to the client are always allowed.

Policy Rule Usage

The policy rule usage feature enables you to identify rules that are used frequently and to determine which rules are unused and should be removed.

Reset the rule hit count data to validate an existing rule, or to gauge rule use within a given period of time.

Rule Shadowing

Rule A casts a shadow over, or hides, Rule B and Rule C when it precedes them and already matches their traffic (for example, an IP address that belongs to the Inside zone and its subnet). Remove shadowing by reordering the rules.
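As an added example (not from the course material), a small Python model of the matching described above: the three rule types, the implicit intrazone-default and interzone-default rules, top-to-bottom first-match evaluation, and a check that reports rules shadowed by an earlier, broader rule. The ruleset, zone names, addresses and App-ID names are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

def _eq(a, b): return a == b
def _ip_in(net, ip): return ip_address(ip) in ip_network(net)
def _sub(wide, narrow): return ip_network(narrow).subnet_of(ip_network(wide))

@dataclass
class Rule:
    name: str
    src_zones: set    # {"any"} matches everything; an intrazone rule's dst_zones should equal src_zones
    dst_zones: set
    src_nets: set     # CIDR strings
    dst_nets: set
    apps: set         # App-IDs
    action: str       # "allow" or "deny"
    rule_type: str = "universal"   # "intrazone", "interzone" or "universal"

    def criteria(self):   # (configured values, membership test) for each match field
        return [(self.src_zones, _eq), (self.dst_zones, _eq),
                (self.src_nets, _ip_in), (self.dst_nets, _ip_in), (self.apps, _eq)]

    def matches(self, src_zone, dst_zone, src_ip, dst_ip, app):
        if self.rule_type == ("interzone" if src_zone == dst_zone else "intrazone"):
            return False   # intrazone rules see only same-zone traffic, interzone only cross-zone
        return all("any" in vals or any(test(v, f) for v in vals) for (vals, test), f
                   in zip(self.criteria(), (src_zone, dst_zone, src_ip, dst_ip, app)))

# Implicit default rules, evaluated after every explicit rule (Policies > Security > Default Rules).
DEFAULT_RULES = [Rule("intrazone-default", {"any"}, {"any"}, {"any"}, {"any"}, {"any"}, "allow", "intrazone"),
                 Rule("interzone-default", {"any"}, {"any"}, {"any"}, {"any"}, {"any"}, "deny", "interzone")]

def evaluate(rules, *session):   # top to bottom: the first match decides, no later rule is evaluated
    return next((r.name, r.action) for r in list(rules) + DEFAULT_RULES if r.matches(*session))

def _covers(wide, narrow, contains):   # every value of `narrow` lies inside some value of `wide`
    return "any" in wide or ("any" not in narrow and
                             all(any(contains(w, n) for w in wide) for n in narrow))

def shadowed(rules):
    """Rules that can never match because an earlier rule already covers all of their traffic."""
    def hides(earlier, later):
        return earlier.rule_type in ("universal", later.rule_type) and all(
            _covers(w, n, t) for (w, _), (n, _), t in
            zip(earlier.criteria(), later.criteria(), (_eq, _eq, _sub, _sub, _eq)))
    return [r.name for i, r in enumerate(rules) if any(hides(e, r) for e in rules[:i])]

# Constructed sample ruleset (not from the course): Rule A is broader than Rule B and precedes it.
RULES = [Rule("Rule A", {"Inside"}, {"Outside"}, {"10.0.0.0/8"}, {"any"}, {"web-browsing"}, "allow"),
         Rule("Rule B", {"Inside"}, {"Outside"}, {"10.1.2.0/24"}, {"any"}, {"web-browsing"}, "deny")]
```

Reordering RULES so that Rule B comes first removes the shadow, which is what `shadowed(RULES[::-1])` reports.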

Policy Rule Auditing

Use comments to explain policy rule changes (Audit Comment)

Audit Comment Archive

Each Audit Comment that is captured during a commit of policy rules is added to an Audit Comment Archive

Config Logs (between commits) tab shows a detailed change history of the rule and which administrator made the comments

Rules Changes tab can be used to compare any 2 versions of the rule to identify the differences between them


>Security policy fundamental concepts

Like Access Control Lists; session setup, session ID, App-ID, Content-ID

Basic criteria or Granular criteria

Flow Logic of the Next Generation Firewall

Inspect and Control Network Traffic

Sessions and Flows

Display Security Policy Rules

Manage the Policy Ruleset

Security Policy Rule Types

Custom and Predefined Rules

Security Policy Rule Match

Policy Rule Hit Count

Rule Shadowing


>Security policy administration


Configure a Security Policy Rule: General Tab

Rule Changes Archive

Configure a Security Policy Rule: Source Tab

Configure a Security Policy Rule: Destination Tab

Configure a Security Policy Rule: Application Tab

Unresolved Dependencies Reported During a Commit

Configure a Security Policy Rule: Service/URL Category Tab

Configure a New Service Definition

Configure a Security Policy Rule: Actions Settings

Schedule Security Policy Rules

Configure a Security Policy Rule: Usage Settings

Enable Intrazone and Interzone Logging

Find Unused Security Policy Rules

Rule Usage Filter

Policies > Security > Policy Optimizer > Rule Usage

Create an Address Object

Objects > Addresses > Add

Create a Static Address Group

Objects > Address Groups > Add

Create a Dynamic Address Group


Objects > Tags > Add

Tag-Based Rule Groups

Test Policy Functionality

Policies > Security

Use Global Find

View the Traffic Log

Monitor > Logs > Traffic


Which two items are required match criteria in a Palo Alto Networks Security policy rule? (Choose two.)

a. source zone

b. destination zone

c. destination address

d. destination port

1. Logging on intrazone-default and interzone-default Security policy rules is enabled by default.


2. NGFW QoS policies can be configured to apply:

data encryption

forwarding for anti-virus screening

either preferential treatment or bandwidth-limiting traffic rules

third party authentication

3. When defining Security policy rules, why should you consider only the c2s flow direction, and define policy rules that allow or deny traffic from the source zone to the destination zone, that is, in the c2s direction?

For traffic that does not match any custom defined rules, all communications are conducted in a separate traffic buffer

The return c2s flow does not require a separate rule because communications are automatically allowed.

Default rules are predefined to allow all interzone traffic (between zones) and deny all intrazone traffic (within a zone).

The return s2c flow does not require a separate rule because the return traffic automatically is allowed

4. Which of the following are NOT traffic attributes or criteria that can be defined in a Security policy rule?

URL Category

Source / Destination zones

Traffic that does not pass through the firewall data plane

Source user

5. Security policy rules on the Next Generation firewall specify a source and a destination interface.


6. Traffic going to a public IP address is being translated by a Next Generation firewall to an internal server private IP address. Which IP address should the security policy use as the destination IP in order to allow traffic to the server?

The firewall Management port IP

The server private IP

The server public IP

The firewall gateway IP

7. Which action in a Security policy rule results in traffic being silently rejected?

Reset Client

Reset Server

8. Which NGFW security policy rule applies to all matching traffic within the specified source zones?

9. Which type of Security policy rule is the default rule type?