
Configuring Security Policies

Tech Note






Revision C 2012, Palo Alto Networks, Inc. www.paloaltonetworks.com



Contents
Overview (page 3)
Security policy guidelines (page 3)
Topology (page 3)
Case 1: Security Policy using Application and Service application-default (page 3)
Case 2: Security Policy using Application and Service ANY (page 4)
Case 3: Implications of deny all Security Policy (page 5)
Revision History (page 7)






Overview
Security policies determine whether to block or allow a new network session based on traffic attributes such as the source
and destination security zones, the source and destination addresses, and the application and service. This document
explains how the service definition works together with the application, and the best practice for creating security policies.
Security policy guidelines
Security policies on a PAN-OS firewall match on source, destination, application and service. The application and service
columns specify which applications can be identified on a defined set of ports, or on all available ports. The service column
allows the administrator to define one of the following:
1. Application-default
2. Pre-defined service service-http and service-https
3. Any
4. Custom service

Application-default
The service application-default sets the security policy to allow the application only on the standard ports associated with
that application.
Pre-defined service service-http and service-https
The pre-defined services use TCP ports 80 and 8080 for HTTP, and TCP port 443 for HTTPS. Use these in a security policy if
you want to restrict web browsing and HTTPS to these ports.
Any
The predefined service any matches any TCP/UDP port. Use this service to deny applications.
Custom Service
Users can create their own definition of TCP/UDP port numbers to restrict application usage to specific ports.
Topology
In this document we will refer to the topology shown below when discussing the different scenarios of security policy
configuration. The client also uses the NMAP tool to scan the server for open ports.


Note: PAN-OS by default denies traffic that is not permitted by a security policy. The traffic that is denied is not logged by
default. In the examples below, a security policy to deny and log traffic between any zones is created for illustration. Please
refer to the section Implications of deny all Security Policy before creating a security policy to deny traffic to and from any
zones.

Case 1: Security Policy using Application and Service application-default
Note: Using the service application-default is the recommended practice when configuring a security policy to allow
applications.




In this example we want to allow web browsing to the server on its default port and all other traffic to be denied.

Because of the service application-default in the security policy, web browsing traffic on the standard port matching this
security policy will be allowed. All other traffic will match the DENY rule and be logged as not-applicable, as shown.


Running an NMAP scan on the server from the client shows the following services running on the server.
admin@client:~$ nmap -T4 -F 15.0.3.101

Starting Nmap 5.21 ( http://nmap.org ) at 2012-07-09 15:29 PDT
Nmap scan report for 15.0.3.101
Host is up (0.0024s latency).
Not shown: 98 filtered ports
PORT   STATE SERVICE
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 3.30 seconds
Case 2: Security Policy using Application and Service ANY
Note: Use the service any to block applications on all ports.
In this example we create a policy to allow web-browsing with service any to demonstrate the behavior of the security
policy. It is recommended to use service application-default for all policies with the allow action.


Because of the service definition of any in the security policy, web browsing on all ports is allowed by the security policy.
When the client attempts to connect to the server using an application other than web browsing, the traffic will be evaluated
against the first policy until the application is identified. This covers the first few packets from the client. Once the application is
identified and determined to be non web browsing traffic, the deny policy will be enforced.
If the client establishes a connection with the server and does not send sufficient data to identify the application, the session
will be logged as incomplete and the connection timeout is set to the default value: 3600 seconds for TCP and 60 seconds for
UDP.

Running an NMAP scan from the client shows the following services open on the server.
admin@client:~$ nmap -T4 -F 15.0.3.101

Starting Nmap 5.21 ( http://nmap.org ) at 2012-07-09 15:33 PDT
Nmap scan report for 15.0.3.101
Host is up (0.0019s latency).
Not shown: 93 closed ports
PORT     STATE    SERVICE
22/tcp   open     ssh
37/tcp   filtered time
53/tcp   filtered domain
80/tcp   open     http
111/tcp  open     rpcbind
515/tcp  filtered printer
2049/tcp open     nfs

Nmap done: 1 IP address (1 host up) scanned in 1.24 seconds
The results of the NMAP scan can be misinterpreted as the client having been able to connect to the server using the above
listed applications. It is important to note that the firewall logs show the application as incomplete. This is because the NMAP
scan does not send any application data to the server but instead probes the TCP port to see if it is open or closed. If any
application data had been sent, the application would have been identified and the session denied by the deny rule.
Case 3: Implications of deny all Security Policy
Any traffic that is not allowed by a security policy is denied by the firewall. However, the traffic that is denied is not logged
by the firewall.

admin@5060> show system setting logging

Max. logging rate: 50000 cnt/s
Max. packet logging rate: 2560 KB/s
Traffic log generation rate: 0 cnt/s
Threat log generation rate: 0 cnt/s
Log sent rate: 50000 cnt/s
Current traffic log count: 0
Current threat log count: 0
Random traffic log drop: off
Log suppression: on
default-policy-logging: off







In order to view the traffic that is denied by the firewall, you will have to create a security policy to deny traffic as shown
below.


It is very important to note that by creating a deny all policy, all intra zone traffic, and traffic to the firewall itself such as IPSec,
GlobalProtect and management traffic using the data plane interfaces, will be denied. The out-of-band management interface
traffic is not subject to security policy evaluation.
Before creating a deny all security policy you must first create security policies:
o To allow intra zone traffic
o To allow traffic to the firewall: IKE, IPSec, GlobalProtect

An example of modified security policy is shown below.
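The three cases above, as an added example that is not part of this tech note and not PAN-OS code: a small first-match model of security policy evaluation. The zone names (client, server, fw), the standard-port table and the session inputs are constructed assumptions chosen to reproduce Case 1 (application-default), Case 2 (service any with an incomplete session) and Case 3 (rule ordering around a deny all rule).

```python
# Added example (not PAN-OS code): a first-match model of the rule evaluation this
# tech note describes. Zone names, the standard-port table and the session inputs
# are constructed assumptions chosen to reproduce Cases 1 to 3.
from dataclasses import dataclass

# Constructed stand-in for the firewall's "application-default" port table.
APP_DEFAULT_PORTS = {"web-browsing": {80, 8080}, "ssh": {22}, "ike": {500}}
DEFAULT_TIMEOUT = {"tcp": 3600, "udp": 60}  # seconds, as quoted in Case 2

@dataclass
class Rule:
    name: str
    src_zone: str   # zone name or "any"
    dst_zone: str
    app: str        # application name or "any"
    service: str    # "application-default", "any" or a custom port number
    action: str     # "allow" or "deny"

    def matches(self, src_zone, dst_zone, app, port):
        if self.src_zone not in ("any", src_zone) or self.dst_zone not in ("any", dst_zone):
            return False
        # app is None while no application data has been seen: for such a probe
        # only the zone and service (port) parts of the rule can be checked.
        if app is not None and self.app not in ("any", app):
            return False
        if self.service == "application-default":
            return port in APP_DEFAULT_PORTS.get(self.app if self.app != "any" else app, ())
        return self.service == "any" or port == int(self.service)

def evaluate(rules, src_zone, dst_zone, app, port, proto="tcp"):
    """Return (rule name, action, logged application, idle timeout) for a session.
    app=None models a SYN probe that sent no data, which is what nmap -F does."""
    for r in rules:
        if r.matches(src_zone, dst_zone, app, port):
            if app:
                return r.name, r.action, app, 0
            if r.action == "allow":     # admitted on ports alone: waits for data
                return r.name, r.action, "incomplete", DEFAULT_TIMEOUT[proto]
            return r.name, r.action, "not-applicable", 0
    return "implicit", "deny", "not logged", 0  # default deny writes no log entry

DENY_ALL = Rule("deny-log", "any", "any", "any", "any", "deny")
CASE1 = [Rule("web", "client", "server", "web-browsing", "application-default", "allow"), DENY_ALL]
CASE2 = [Rule("web", "client", "server", "web-browsing", "any", "allow"), DENY_ALL]
# Case 3: a deny all rule listed first shadows intrazone and firewall-bound traffic;
# the corrected order allows those explicitly before the final deny.
CASE3_BAD = [DENY_ALL, Rule("intrazone", "client", "client", "any", "any", "allow")]
CASE3_FIXED = [Rule("intrazone", "client", "client", "any", "any", "allow"),
               Rule("ike", "client", "fw", "ike", "application-default", "allow"), DENY_ALL]
```

Calling evaluate with app=None and port 22 returns a not-applicable deny under CASE1 but an incomplete allow with a 3600 second timeout under CASE2, which is the difference behind the two NMAP results above.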



Revision History
Date              Revision  Comment
March 11, 2013    C         Updated screenshot for CLI Case 3. Also removed reference to 4.1, since this tech
                            note can be used for any version of PAN-OS.
December 5, 2012  B         Updated with deny all policy
July 30, 2012     A         First release of document