8/11/2019 Security Policy Guidelines-RevC

    Configuring Security Policies

    Tech Note

    Revision C 2012, Palo Alto Networks, Inc. www.paloaltonetworks.com


Contents

Overview
Security policy guidelines
Topology
Case 1: Security Policy using Application and Service application-default
Case 2: Security Policy using Application and Service ANY
Case 3: Implications of deny all Security Policy
Revision History


    Overview

Security policies determine whether to block or allow a new network session based on traffic attributes such as the source and destination security zones, the source and destination addresses, and the application and service. This document explains how the service definition works together with the application, and the best practice for creating security policies.

    Security policy guidelines

Security policies on a PAN-OS firewall match on source, destination, application and service. The application and service columns together specify which applications are permitted, and whether they are identified on a defined set of ports or on all available ports. The service column allows the administrator to choose one of the following:

1. Application-default
2. Pre-defined service: service-http and service-https
3. Any
4. Custom service

Application-default
The service application-default allows the application only on the standard ports associated with that application.

Pre-defined service service-http and service-https
The pre-defined services use TCP ports 80 and 8080 for HTTP, and TCP port 443 for HTTPS. Use these in a security policy if you want to restrict web browsing and HTTPS to these ports.

Any
The pre-defined service any matches any TCP/UDP port. Use this service to deny applications.

Custom service
Users can create their own definition of TCP/UDP port numbers to restrict application usage to specific ports.

    Topology

In this document we will refer to the topology shown below when discussing different scenarios of security policy configuration. The client also uses the NMAP tool to scan the server for open ports.

Note: PAN-OS by default denies traffic that is not permitted by a security policy. Traffic that is denied this way is not logged by default. In the examples below, a security policy that denies and logs traffic between any zones is created for illustration. Please refer to the section Case 3: Implications of deny all Security Policy before creating a security policy that denies traffic to and from any zone.

Case 1: Security Policy using Application and Service application-default

Note: Using the service application-default is the recommended practice for configuring security policies that allow applications.

    Revision C 2012, Palo Alto Networks, Inc. www.paloaltonetworks.com

  • 8/11/2019 Security Policy Guidelines-RevC

    4/7

In this example we want to allow web browsing to the server on its standard port and deny all other traffic.

Because the security policy uses service application-default, web-browsing traffic on the standard port that matches this policy is allowed. All other traffic matches the DENY rule and is logged with the application not-applicable, as shown in the traffic log.

Running an NMAP scan against the server from the client shows the following services on the server.

    admin@client:~$ nmap -T4 -F 15.0.3.101

    Starting Nmap 5.21 ( http://nmap.org ) at 2012-07-09 15:29 PDT
    Nmap scan report for 15.0.3.101
    Host is up (0.0024s latency).
    Not shown: 98 filtered ports
    PORT   STATE SERVICE
    80/tcp open  http

    Nmap done: 1 IP address (1 host up) scanned in 3.30 seconds

Case 2: Security Policy using Application and Service ANY

Note: Use the service any to block applications on all ports.

In this example we create a policy that allows web-browsing with service any, to demonstrate the behavior of the security policy. It is recommended to use service application-default for every policy with an allow action.

Because the service in the security policy is any, web browsing on all ports is allowed by the security policy. When the client attempts to connect to the server using an application other than web-browsing, the traffic is evaluated against the first policy until the application is identified, which takes the first few packets from the client. Once the application is identified and determined not to be web-browsing, the deny policy is enforced. If the client establishes a connection with the server but does not send enough data to identify the application, the session is logged as incomplete and stays open until the default connection timeout expires: 3600 seconds for TCP and 60 seconds for UDP.

Running an NMAP scan from the client now shows the following services open on the server.

    admin@client:~$ nmap -T4 -F 15.0.3.101

    Starting Nmap 5.21 ( http://nmap.org ) at 2012-07-09 15:33 PDT
    Nmap scan report for 15.0.3.101
    Host is up (0.0019s latency).
    Not shown: 93 closed ports
    PORT     STATE    SERVICE
    22/tcp   open     ssh
    37/tcp   filtered time
    53/tcp   filtered domain
    80/tcp   open     http
    111/tcp  open     rpcbind
    515/tcp  filtered printer
    2049/tcp open     nfs

    Nmap done: 1 IP address (1 host up) scanned in 1.24 seconds

The results of the NMAP scan can be misinterpreted: it looks as though the client was able to connect to the server using the applications listed above. It is important to note that the firewall logs show the application as incomplete. This is because the NMAP scan does not send any application data to the server; it only probes the TCP port to see whether it is open or closed. If any application data had been sent, the application would have been identified and the session denied by the deny rule.
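The difference between Case 1 and Case 2 comes down to when the firewall can reject a session: with application-default a probe to a non-standard port is refused on the port alone, while with service any it is let through until App-ID has seen payload. The following toy model, added here as an illustration and not Palo Alto Networks code, reproduces only the behaviour the tech note describes (candidate-rule selection by service, identification after the first packets, the incomplete and not-applicable log values, and the unlogged default deny). The zone names trust/untrust, the ssh and dns port sets, and the web-browsing standard-port list are assumptions; on a real firewall the App-ID content database defines those ports.

```python
"""Toy model of PAN-OS security-policy lookup as described in this tech note.
Illustration only, not the firewall's implementation."""
from dataclasses import dataclass
from typing import Optional

# Assumed standard ports per application (a real firewall takes these from
# the App-ID content database). web-browsing on tcp/80 is all the note relies on.
APP_DEFAULT_PORTS = {
    "web-browsing": {("tcp", 80)},
    "ssh": {("tcp", 22)},
    "dns": {("tcp", 53), ("udp", 53)},
}
# Pre-defined services exactly as the tech note lists them.
SERVICE_PORTS = {
    "service-http": {("tcp", 80), ("tcp", 8080)},
    "service-https": {("tcp", 443)},
}


@dataclass
class Rule:
    name: str
    src_zone: str       # zone name or "any"
    dst_zone: str
    application: str    # App-ID name or "any"
    service: str        # "application-default", "any", or a SERVICE_PORTS key
    action: str         # "allow" or "deny"


@dataclass
class Session:
    src_zone: str
    dst_zone: str
    proto: str
    dst_port: int
    app: Optional[str] = None   # None until App-ID has seen enough payload


def service_matches(rule: Rule, s: Session) -> bool:
    key = (s.proto, s.dst_port)
    if rule.service == "any":
        return True
    if rule.service == "application-default":
        # Only the application's standard ports are candidates.
        return rule.application == "any" or key in APP_DEFAULT_PORTS[rule.application]
    return key in SERVICE_PORTS[rule.service]


def app_matches(rule: Rule, s: Session) -> bool:
    # Until the application is identified, every rule stays a candidate.
    return rule.application == "any" or s.app is None or s.app == rule.application


def lookup(rules, s: Session):
    """Return (rule name, action, application as it would appear in the log)."""
    for r in rules:
        if r.src_zone not in ("any", s.src_zone) or r.dst_zone not in ("any", s.dst_zone):
            continue
        if service_matches(r, s) and app_matches(r, s):
            if s.app is not None:
                logged = s.app
            elif r.action == "allow":
                logged = "incomplete"      # handshake allowed, app never identified
            else:
                logged = "not-applicable"  # denied on port/service before App-ID
            return r.name, r.action, logged
    # Interzone traffic matching no rule: denied and, as the note says, not logged.
    return "default-deny", "deny", None


# Rulebases from Case 1 (application-default) and Case 2 (service any).
CASE1 = [Rule("allow-web", "trust", "untrust", "web-browsing", "application-default", "allow"),
         Rule("deny-all", "any", "any", "any", "any", "deny")]
CASE2 = [Rule("allow-web", "trust", "untrust", "web-browsing", "any", "allow"),
         Rule("deny-all", "any", "any", "any", "any", "deny")]


def probe(rules, port, app=None, proto="tcp"):
    """Constructed client-to-server session; app=None models an nmap SYN probe."""
    return lookup(rules, Session("trust", "untrust", proto, port, app))


if __name__ == "__main__":
    for label, rb in (("case1", CASE1), ("case2", CASE2)):
        print(label, "SYN to 22        ->", probe(rb, 22))
        print(label, "SYN to 80        ->", probe(rb, 80))
        print(label, "ssh data on 22   ->", probe(rb, 22, "ssh"))
        print(label, "http data on 80  ->", probe(rb, 80, "web-browsing"))
        print(label, "http data on 8081->", probe(rb, 8081, "web-browsing"))
```

Running it shows why the two nmap listings differ: under Case 1 the SYN to port 22 hits deny-all immediately (logged not-applicable, nmap reports filtered), whereas under Case 2 the same SYN is allowed by the first rule and, with no payload, ends up logged as incomplete while nmap reports the port open; only once real ssh data arrives does the deny rule take over.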

Case 3: Implications of deny all Security Policy

Any traffic that is not allowed by a security policy is denied by the firewall. However, traffic that is denied this way is not logged by the firewall, as the default-policy-logging setting in the output below shows.

    admin@5060> show system setting logging

    Max. logging rate:           50000 cnt/s
    Max. packet logging rate:    2560 KB/s
    Traffic log generation rate: 0 cnt/s
    Threat log generation rate:  0 cnt/s
    Log sent rate:               50000 cnt/s
    Current traffic log count:   0
    Current threat log count:    0
    Random traffic log drop:     off
    Log suppression:             on
    default-policy-logging:      off


In order to view the traffic that is denied by the firewall, you have to create a security policy that explicitly denies and logs the traffic, as shown below.

It is very important to note that a deny all policy also denies all intrazone traffic, as well as traffic to the firewall itself, such as IPSec, GlobalProtect and management traffic arriving on data plane interfaces. Traffic on the out-of-band management interface is not subject to security policy evaluation.

Before creating a deny all security policy you must create security policies:

o To allow intrazone traffic
o To allow traffic to the firewall: IKE, IPSec, GlobalProtect

An example of the modified security policy is shown below.
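The screenshot of the modified rulebase is not reproduced in this transcript. As an added example, not the tech note's own configuration, the following PAN-OS configure-mode set commands build the same rulebase: an intrazone allow, an allow for IKE/IPSec/GlobalProtect to the firewall's own interface, the Case 1 web-browsing rule, and an explicit logged deny-all at the bottom. The zone names trust and untrust, the firewall's external interface address 198.51.100.1, the client address 15.0.3.2 and the rule names are assumptions; the server address 15.0.3.101 is from the topology.

```text
# PAN-OS configure mode (assumed zones: trust = client side, untrust = server side).
configure

# Allow traffic inside the internal zone; deny-all below would otherwise drop it.
set rulebase security rules allow-intra-trust from trust to trust source any destination any application any service any action allow

# Allow IKE, IPSec and GlobalProtect to the firewall's own data-plane interface.
# This traffic is intrazone (it terminates on the ingress interface), so it is
# restricted here to the firewall's assumed external address rather than to any.
set rulebase security rules allow-vpn-to-fw from untrust to untrust source any destination 198.51.100.1 application [ ike ipsec-esp ipsec-esp-udp panos-global-protect ssl ] service application-default action allow

# The Case 1 allow rule: web-browsing to the server on its standard port only.
set rulebase security rules allow-web from trust to untrust source any destination 15.0.3.101 application web-browsing service application-default action allow

# Explicit deny-all with logging, so denied sessions appear in the traffic log.
set rulebase security rules deny-all from any to any source any destination any application any service any action deny log-end yes

# Rules are evaluated top down; make sure deny-all really is last, then commit.
move rulebase security rules deny-all bottom
commit
exit

# Before trusting the log, check which rule a probe from the client would hit.
test security-policy-match from trust to untrust source 15.0.3.2 destination 15.0.3.101 protocol 6 destination-port 22
test security-policy-match from trust to untrust source 15.0.3.2 destination 15.0.3.101 protocol 6 destination-port 80 application web-browsing
```

The first test should resolve to deny-all and the second to allow-web; if the IKE/IPSec rule were missing, a VPN peer's traffic to 198.51.100.1 would also resolve to deny-all, which is exactly the outage the note warns about.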


Revision History

Date              Revision  Comment
March 11, 2013    C         Updated screenshot for CLI Case 3. Also removed reference to 4.1, since this technote can be used for any version of PAN-OS.
December 5, 2012  B         Updated with deny all policy
July 30, 2012     A         First release of document
