Understanding Security Rules, Policy Matching, and Profiles in PAN-OS

Overview

Palo Alto Networks firewalls use security policy rules to control traffic. These policies determine whether to allow or block traffic based on several match criteria and apply security profiles for advanced threat inspection. Matching is performed top-down and left-to-right until the first match is found.

Security Policy Rule Matching Criteria

• Source Zone / Destination Zone
• Source Address / Destination Address (Pre-NAT)
• Application (App-ID)
• User (User-ID)
• Service (Port/Protocol)
• URL Category

All criteria must match for a rule to apply. If a match is found, no further rules are evaluated.

Left-to-Right, Top-to-Bottom Evaluation

Security rules are evaluated from the top of the rulebase to the bottom and from left to right in each rule. Specific rules must be placed higher than general ones to take effect properly.

Pre-NAT vs Post-NAT Address Evaluation

Security policies match based on the original (pre-NAT) source and destination addresses. This ensures policies are written from the network’s logical perspective. However, security profiles are applied after NAT processing.

Security Rule Actions

• Allow – permits traffic and optionally applies security profiles.
• Deny – actively denies and logs traffic.
• Drop – silently drops the packet without response to sender.

Security Profiles

Profiles add inspection for threats and application behavior. Attach profiles to Allow rules only:

• Antivirus
• Anti-Spyware
• Vulnerability Protection
• URL Filtering
• WildFire Analysis
• Data Filtering

Universal, Interzone, and Intrazone Rules

• Universal Rule : Applies to both interzone and intrazone traffic. Default type unless specified.
• Interzone Rule : Applies only to traffic between different zones.
• Intrazone Rule : Applies only to traffic within the same zone.

Default policies:

• Intrazone default : Allow
• Interzone default : Deny

Mermaid Flow Diagram: Security Rule Matching

flowchart TD
    A[Packet Enters Firewall] --> B[Match Source/Destination Zones]
    B --> C[Match Pre-NAT Source/Dest IPs]
    C --> D[Match App-ID/User-ID/Service]
    D --> E{Match Found?}
    E -- Yes --> F[Apply Rule Action]
    F --> G{Action == Allow?}
    G -- Yes --> H[Apply Security Profiles]
    G -- No --> I[Drop/Deny Packet]
    E -- No --> J[Evaluate Next Rule]
    J --> C
    

References

• Create a Security Policy Rule
• Apply Security Profiles
• NAT and Security Policy Translation