Professional Documents
Culture Documents
Security Policy
Version 10.1
docs.paloaltonetworks.com
Contact Informaon
Corporate Headquarters:
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact-support.html
Copyright
Palo Alto Networks, Inc.
www.paloaltonetworks.com
©2021–2022 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo
Alto Networks. A list of our trademarks can be found at www.paloaltonetworks.com/company/
trademarks.html. All other marks menoned herein may be trademarks of their respecve
companies.
Last Revised
September 15, 2021
Internet Gateway Best Pracce Security Policy Version Version 2 ©2022 Palo Alto Networks, Inc.
10.1
Table of Contents
Best Pracce Internet Gateway Security Policy.........................................5
What Is a Best Pracce Internet Gateway Security Policy?.............................................. 6
Why Do I Need a Best Pracce Internet Gateway Security Policy?................................9
How Do I Deploy a Best Pracce Internet Gateway Security Policy?.......................... 10
Idenfy Your Applicaon Allow List..................................................................................... 12
Map Applicaons to Business Goals for a Simplified Rulebase.......................... 12
Use Temporary Rules to Tune the Allow List.......................................................... 13
Applicaon Allow List Example..................................................................................13
Create User Groups for Access to Allowed Applicaons................................................ 16
Decrypt Traffic for Full Visibility and Threat Inspecon.................................................. 17
Transion Safely to Best Pracce Security Profiles.......................................................... 20
Transion Vulnerability Protecon Profiles Safely to Best Pracces................. 21
Transion An-Spyware Profiles Safely to Best Pracces................................... 23
Transion Anvirus Profiles Safely to Best Pracces............................................24
Transion WildFire Profiles Safely to Best Pracces............................................ 25
Transion URL Filtering Profiles Safely to Best Pracces.................................... 25
Transion File Blocking Profiles Safely to Best Pracces.....................................26
Create Best Pracce Security Profiles for the Internet Gateway...................................27
Best Pracce Internet Gateway File Blocking Profile........................................... 27
Best Pracce Internet Gateway Anvirus Profile.................................................. 28
Best Pracce Internet Gateway Vulnerability Protecon Profile........................29
Best Pracce Internet Gateway An-Spyware Profile.......................................... 30
Best Pracce Internet Gateway URL Filtering Profile...........................................32
Best Pracce Internet Gateway WildFire Analysis Profile................................... 35
Define the Inial Internet Gateway Security Policy..........................................................37
Step 1: Create Rules Based on Trusted Threat Intelligence Sources..................37
Step 2: Create the Applicaon Allow Rules............................................................ 40
Step 3: Create the Applicaon Block Rules.............................................................45
Step 4: Create the Temporary Tuning Rules............................................................47
Step 5: Enable Logging for Traffic that Doesn’t Match Any Rules......................49
Monitor and Fine Tune the Policy Rulebase.......................................................................50
Remove the Temporary Rules................................................................................................ 52
Maintain the Rulebase..............................................................................................................53
Internet Gateway Best Pracce Security Policy Version Version 3 ©2022 Palo Alto Networks, Inc.
10.1
Table of Contents
Internet Gateway Best Pracce Security Policy Version Version 4 ©2022 Palo Alto Networks, Inc.
10.1
Best Pracce Internet Gateway
Security Policy
One of the cheapest and easiest ways for an aacker to gain access to your network
is through users accessing the internet. By successfully exploing an endpoint, an
aacker can take hold in your network and begin to move laterally towards the end
goal, whether that is to steal your source code, exfiltrate your customer data, or take
down your infrastructure. To protect your network from cyberaack and improve your
overall security posture, implement a best pracce internet gateway security policy.
A best pracce policy allows you to safely enable applicaons, users, and content by
classifying all traffic, across all ports, all the me.
The following topics describe the overall process for deploying a best pracce internet
gateway security policy and provide detailed instrucons for creang it.
> What Is a Best Pracce Internet > Transion Safely to Best Pracce
Gateway Security Policy? Security Profiles
> Why Do I Need a Best Pracce > Create Best Pracce Security Profiles
Internet Gateway Security Policy? > Define the Inial Internet Gateway
> How Do I Deploy a Best Pracce Security Policy
Internet Gateway Security Policy? > Monitor and Fine Tune the Policy
> Idenfy Your Applicaon Allow List Rulebase
> Create User Groups for Access to > Remove the Temporary Rules
Allowed Applicaons > Maintain the Rulebase
> Decrypt Traffic for Full Visibility and
Threat Inspecon
5
Best Pracce Internet Gateway Security Policy
The best pracce policy is based on the following methodologies. The best pracce
methodologies ensure detecon and prevenon at mulple stages of the aack life cycle.
Inspect All Traffic for Because you cannot protect against threats you cannot see, you
Visibility must make sure you have full visibility into all traffic across all users
and applicaons all the me. To accomplish this:
Internet Gateway Best Pracce Security Policy Version Version 6 ©2022 Palo Alto Networks, Inc.
10.1
Best Pracce Internet Gateway Security Policy
Reduce the Aack Aer you have context into the traffic on your network—
Surface applicaons, their associated content, and the users who are
accessing them—create applicaon-based Security policy rules
to allow those applicaons that are crical to your business and
addional rules to block all high-risk applicaons that have no
legimate use case.
To further reduce your aack surface, enable aach File Blocking
and URL Filtering profiles to all rules that allow applicaon traffic
to prevent users from vising threat-prone web sites and prevent
them from uploading or downloading dangerous file types (either
knowingly or unknowingly). To prevent aackers from execung
successful phishing aacks (the cheapest and easiest way for them
to make their way into your network), configure credenal phishing
prevenon.
Prevent Known Threats Enable the firewall to scan all allowed traffic for known threats
by aaching security profiles to all allow rules to detect and
block network and applicaon layer vulnerability exploits, buffer
overflows, DoS aacks, and port scans, known malware variants,
(including those hidden within compressed files or compressed
HTTP/HTTPS traffic). To enable inspecon of encrypted traffic,
enable decrypon.
Internet Gateway Best Pracce Security Policy Version Version 7 ©2022 Palo Alto Networks, Inc.
10.1
Best Pracce Internet Gateway Security Policy
Detect Unknown Forward all unknown files to WildFire for analysis. WildFire
Threats idenfies unknown or targeted malware (also called advanced
persistent threats or APTs) hidden within files by directly observing
and execung unknown files in a virtualized sandbox environment
in the cloud or on the WildFire appliance. WildFire monitors
more than 250 malicious behaviors and, if it finds malware, it
automacally develops a signature and delivers it to you in as lile
as five minutes (and now that unknown threat is a known threat).
Internet Gateway Best Pracce Security Policy Version Version 8 ©2022 Palo Alto Networks, Inc.
10.1
Best Pracce Internet Gateway Security Policy
Internet Gateway Best Pracce Security Policy Version Version 9 ©2022 Palo Alto Networks, Inc.
10.1
Best Pracce Internet Gateway Security Policy
Internet Gateway Best Pracce Security Policy Version Version 10 ©2022 Palo Alto Networks, Inc.
10.1
Best Pracce Internet Gateway Security Policy
TLS encrypon to silently download an exploit or malware to site visitors. If you do not decrypt
traffic for visibility and threat inspecon, you leave open a huge aack surface.
Create Best Pracce Security Profiles for the Internet Gateway—Command and control traffic,
CVEs, drive-by downloads of malicious content, phishing aacks, APTs are all delivered via
legimate applicaons. To protect against known and unknown threats, you must aach
stringent security profiles to all Security policy allow rules.
Define the Inial Internet Gateway Security Policy—Using the applicaon and user group
inventory you conducted, you can define an inial policy that allows access to all of the
applicaons you want to allow by user or user group. The inial policy rulebase you create
must also include rules for blocking known malicious IP addresses, as well as temporary rules
to prevent other applicaons you might not have known about from breaking and to idenfy
policy gaps and security holes in your exisng design.
Monitor and Fine Tune the Policy Rulebase—Aer the temporary rules are in place, you can
begin monitoring traffic that matches to them so that you can fine tune your policy. Because
the temporary rules are designed to uncover unexpected traffic on the network, such as
traffic running on non-default ports or traffic from unknown users, you must assess the traffic
matching these rules and adjust your applicaon allow rules accordingly.
Remove the Temporary Rules—Aer a monitoring period of several months, you should see less
and less traffic hing the temporary rules. When you reach the point where traffic no longer
hits the temporary rules, you can remove them to complete your best pracce internet gateway
security policy.
Maintain the Rulebase—Due to the dynamic nature of applicaons, you must connually
monitor your applicaon allow list and adapt your rules to accommodate new applicaons
that you decide to sancon as well to determine how new or modified App-IDs impact your
policy. Because the rules in a best pracce rulebase align with your business goals and leverage
policy objects for simplified administraon, adding support for a new sanconed applicaon or
new or modified App-ID oenmes is as simple as adding or removing an applicaon from an
applicaon group or modifying an applicaon filter.
Internet Gateway Best Pracce Security Policy Version Version 11 ©2022 Palo Alto Networks, Inc.
10.1
Best Pracce Internet Gateway Security Policy
Tag all sanconed applicaons with the predefined Sanconed tag. Panorama
and firewalls consider applicaons without the Sanconed tag as unsanconed
applicaons.
• Create applicaon filters to allow each type of general applicaon—Besides the applicaons
you officially sanconed, you will also need to decide what addional applicaons you want to
allow your users to access. Applicaon filters allow you to safely enable certain categories of
applicaons using applicaon filters (based on category, subcategory, technology, risk factor, or
characterisc). Separate the different types of applicaons based on business and personal use.
Create separate filters for each type of applicaon to make it easier to understand each policy
rule at a glance.
Internet Gateway Best Pracce Security Policy Version Version 12 ©2022 Palo Alto Networks, Inc.
10.1
Best Pracce Internet Gateway Security Policy
If you have exisng Applicaon Override policies that you created solely to define custom
session meouts for a set a of ports, convert the exisng Applicaon Override policies to
applicaon-based policies by configuring service-based session meouts to maintain the
custom meout for each applicaon and then migrang the rule the an applicaon-based
rule. Applicaon Override policies are port-based. When you use Applicaon Override
policies to maintain custom session meouts for a set of ports, you lose applicaon
visibility into those flows, so you neither know nor control which applicaons use the
ports. Service-based session meouts achieve custom meouts while also maintaining
applicaon visibility.
Internet Gateway Best Pracce Security Policy Version Version 13 ©2022 Palo Alto Networks, Inc.
10.1
Best Pracce Internet Gateway Security Policy
SaaS Applicaons SaaS applicaon service providers own and manage the soware and
infrastructure, but you retain full control of the data, including who can
create, access, share, and transfer it.
Generate a SaaS applicaons usage report to check if SaaS applicaons
currently in use have unfavorable hosng characteriscs such as past
data breaches or lack of proper cerficaons. Based on business needs
and the amount of risk you’re willing to accept, use the informaon to:
• Block exisng applicaons with unfavorable hosng characteriscs
immediately.
• Create granular policies that block applicaons with unfavorable
hosng characteriscs to prevent future violaons.
• Idenfy network traffic trends of the top applicaons that have
unfavorable hosng characteriscs so you can adjust policy
accordingly.
Internet Gateway Best Pracce Security Policy Version Version 14 ©2022 Palo Alto Networks, Inc.
10.1
Best Pracce Internet Gateway Security Policy
General Types of Besides the applicaons you officially sancon and deploy, you will also
Applicaons want to allow your users to safely use other types of applicaons:
• General Business Applicaons—For example, allow access to soware
updates, and web services, such as WebEx, Adobe online services,
and Evernote.
• Personal Applicaons—For example, you may want to allow your
users to browse the web or safely use web-based mail, instant
messaging, or social networking applicaons, including consumer
versions of some SaaS applicaons.
Begin with wide applicaon filters to gain an understanding of what
applicaons are in use on your network. You can then decide how much
risk you are willing to assume and begin to pare down the applicaon
allow list. For example, suppose mulple messaging applicaons are in
use, each with the inherent risk of data leakage, transfer of malware-
infected files, etc. The best approach is to officially sancon a single
messaging applicaon and then begin to phase out the others by slowly
transioning from an allow policy to an alert policy, and finally, aer
giving users ample warning, a block policy for all messaging applicaons
except the one you choose to sancon. In this case, you might also
choose to enable a small group of users to connue using an addional
messaging applicaon as needed to perform job funcons with partners.
Internet Gateway Best Pracce Security Policy Version Version 15 ©2022 Palo Alto Networks, Inc.
10.1
Best Pracce Internet Gateway Security Policy
Internet Gateway Best Pracce Security Policy Version Version 16 ©2022 Palo Alto Networks, Inc.
10.1
Best Pracce Internet Gateway Security Policy
Block sessions if resources not available prevents allowing potenally dangerous connecons
but may affect the user experience.
Internet Gateway Best Pracce Security Policy Version Version 17 ©2022 Palo Alto Networks, Inc.
10.1
Best Pracce Internet Gateway Security Policy
STEP 2 | Configure the SSL Decrypon > SSL Protocol Sengs to block use of vulnerable SSL/TLS
versions (TLSv1.0, TLSv1.1, and SSLv3) and to avoid weak algorithms (MD5, RC4, and 3DES):
Use TLSv1.3 (the most secure protocol) when you can. Be aware that many mobile applicaons
use cerficate pinning that prevents decrypon and causes the firewall to drop traffic, so for
that traffic, be sure to use TLSv1.2.
Review the sites you need to access for business purposes. If any of them use TLSv1.1, then
create a separate Decrypon policy and profile for those sites so that only those sites you
require for business can use the less secure protocol.
The same is true about the SHA1 authencaon algorithm—if you can use the more secure
algorithm such as SHA256 or SHA384, do it. If only a few sites that you need for business
purposes use SHA1, create a separate Decrypon policy and profile for them.
Internet Gateway Best Pracce Security Policy Version Version 18 ©2022 Palo Alto Networks, Inc.
10.1
Best Pracce Internet Gateway Security Policy
STEP 3 | For traffic that you are not decrypng, configure the No Decrypon sengs to block
encrypted sessions to sites with expired cerficates or untrusted issuers:
Only use a No Decrypon profile for TLSv1.2 and earlier versions. Do not aach a
No Decrypon profile to TLSv1.3 traffic that you don’t decrypt. TLSv1.3 encrypts
cerficate informaon that was not encrypted in previous versions, so the firewall
cannot block sessions based on cerficate informaon.
Internet Gateway Best Pracce Security Policy Version Version 19 ©2022 Palo Alto Networks, Inc.
10.1
Best Pracce Internet Gateway Security Policy
The majority of “false posives” are aempted aacks against a vulnerability that
doesn’t exist in your network. The aack is real, but the danger is not because the
vulnerability isn’t present, so the aack is oen seen as a false posive. Brute Force
aack signatures can also cause false posives if the aack threshold is set too low.
Consider your current security posture in combinaon with the guidance for each type of Security
profile to decide how to deploy the profiles inially and then move to the best pracce guidance.
• Transion Vulnerability Protecon Profiles Safely to Best Pracces
Internet Gateway Best Pracce Security Policy Version Version 20 ©2022 Palo Alto Networks, Inc.
10.1
Best Pracce Internet Gateway Security Policy
• False posive rates for crical and high severity signatures are typically low and usually indicate
an aack against a vulnerability that doesn’t exist on your network. For applicaons that aren’t
crical to your business, such as internet access, block crical and high severity signatures from
the start.
• Medium severity signatures may generate false posives and require inial monitoring. Start by
alerng on medium severity signatures and monitor the Threat logs (Monitor > Logs > Threat)
to see if you can block applicaons for which you receive alerts or if you need to allow them.
Internet Gateway Best Pracce Security Policy Version Version 21 ©2022 Palo Alto Networks, Inc.
10.1
Best Pracce Internet Gateway Security Policy
• Set signatures in the brute-force category inially to alert and then fine-tune them to your
environment before transioning to blocking them.
• The default acon for most low and informaonal severity signatures is alert or allow. Unless
you have a specific need to alert on all low and informaonal signatures, configure the default
acon from the start.
• For business-crical applicaons, it’s usually best to set the inial acon to alert to ensure
applicaon availability. However, in some situaons you can use the block acon from the start.
For example, when you’re already protecng similar applicaons with a Vulnerability Protecon
profile that blocks on vulnerability signatures, and you’re confident the profile meets your
business and security needs, you can use a similar profile to block vulnerabilies and protect
the similar applicaons.
The alert acon enables you to analyze Threat logs and create excepons when
necessary before moving to a block acon. Alerng and monitoring before moving to
blocking gives you confidence the profile won’t block business-crical applicaons
when you deploy the inial profile and that you’ll maintain applicaon availability by
creang necessary excepons as you transion to the best pracce blocking state.
Keep the length of me you maintain the inial alert acon to a minimum to reduce
the chance of a security breach. Transion to the best pracce state as soon as you’re
comfortable you’ve idenfied any excepons you need to make and configure the
profile accordingly.
Enable extended packet capture for crical, high, and medium severity signatures. Enable single
packet capture for low and informaonal severity signatures. Enabling packet capture allows
you to invesgate events in greater detail if necessary. As you move to best pracce profiles,
if informaonal events create too much packet capture acvity (too large a volume of traffic)
Internet Gateway Best Pracce Security Policy Version Version 22 ©2022 Palo Alto Networks, Inc.
10.1
Best Pracce Internet Gateway Security Policy
and the informaon isn’t parcularly useful, you can transion to disabling packet capture on
informaonal events.
When you have the inial profiles in place, monitor the Threat logs for enough me to gain
confidence you understand whether any business-crical applicaons cause alerts or blocks.
Create excepons (open a support cket if necessary) in each profile as needed to remediate any
confirmed false posives before you implement full best-pracce Vulnerability Protecon profiles
for the internet gateway or for the data center.
• False posive rates for crical and high severity signatures are typically low. For applicaons
that aren’t crical to your business, such as internet access, block crical and high severity
signatures from the start.
• Medium severity signatures may generate false posives and require inial monitoring. Start by
alerng on medium severity signatures and monitor the Threat logs (Monitor > Logs > Threat)
to see if you can block applicaons for which you receive alerts or if you need to allow them.
• Set the acon for DNS signatures (default-paloalto-dns) to sinkhole to idenfy potenally
compromised hosts that aempt to access suspicious domains by tracking the hosts and
prevenng them from accessing those domains. (This is the best pracce configuraon and you
should configure DNS sinkhole right away.)
• The default acon for most low and informaonal severity signatures is alert or allow. Unless
you have a specific need to alert on all low and informaonal signatures, configure the default
acon from the start.
• For business-crical applicaons, it’s usually best to set the inial acon to alert to ensure
applicaon availability. However, in some situaons you can use the block acon from the start.
For example, when you’re already protecng similar applicaons with an An-Spyware profile
Internet Gateway Best Pracce Security Policy Version Version 23 ©2022 Palo Alto Networks, Inc.
10.1
Best Pracce Internet Gateway Security Policy
that blocks crical, high, and/or medium signatures, and you’re confident the profile meets
your business and security needs, you can use a similar profile to block spyware and protect the
similar applicaons.
The alert acon enables you to analyze Threat logs and create excepons when
necessary before moving to a block acon. Alerng and monitoring before moving to
blocking gives you confidence the profile won’t block business-crical applicaons
when you deploy the inial profile and that you’ll maintain applicaon availability by
creang necessary excepons as you transion to the best pracce blocking state.
Keep the length of me you maintain the inial alert acon to a minimum to reduce
the chance of a security breach. Transion to the best pracce state as soon as you’re
comfortable you’ve idenfied any excepons you need to make and configure the
profile accordingly.
Enable single packet capture for all severity signatures. Enabling packet capture allows you to
invesgate events in greater detail if necessary. As you move to best pracce profiles, if low and
informaonal events create too much packet capture acvity (too large a volume of traffic) and
the informaon isn’t parcularly useful, you can transion to disabling packet capture on these
severies.
When you have the inial profiles in place, monitor the Threat logs for enough me to gain
confidence you understand whether any business-crical applicaons cause alerts or blocks.
Create excepons (open a support cket if necessary) in each profile as needed to remediate any
confirmed false posives before you implement full best-pracce An-Spyware profiles for the
internet gateway or for the data center.
• It’s safe to deploy the best pracce Anvirus profiles for applicaons that aren’t crical to your
business right away because false posive rates are rare.
• For business-crical applicaons, it’s usually best to set the inial acon to alert to ensure
applicaon availability. However, in some situaons you can block Anvirus signatures from the
start. For example, when you’re already protecng similar applicaons with an Anvirus profile
and you’re confident the profile meets your business and security needs, you can use a similar
profile to protect similar applicaons.
The alert acon enables you to analyze Threat logs (Monitor > Logs > Threat) and
create excepons when necessary before moving to a block acon. Alerng and
monitoring before moving to blocking gives you confidence the profile won’t block
business-crical applicaons when you deploy the inial profile and that you’ll
maintain applicaon availability by creang necessary excepons as you transion to
the best pracce blocking state. Keep the length of me you maintain the inial alert
acon to a minimum to reduce the chance of a security breach. Transion to the best
pracce state as soon as you’re comfortable you’ve idenfied any excepons you need
to make and configure the profile accordingly.
Internet Gateway Best Pracce Security Policy Version Version 24 ©2022 Palo Alto Networks, Inc.
10.1
Best Pracce Internet Gateway Security Policy
• WildFire Acon sengs in the Anvirus profile may impact traffic if the traffic generates a
WildFire signature that results in a reset or drop acon.
When you have the inial profiles in place, monitor the Threat logs for enough me to gain
confidence you understand whether any business-crical applicaons cause alerts or blocks.
Also monitor the WildFire Submissions logs (Monitor > Logs > WildFire Submissions) for enough
me to gain confidence you understand whether any business-crical applicaons cause alerts
or blocks due to the Anvirus profile WildFire Acon. Create excepons (open a support cket
if necessary) in each profile as needed to remediate any confirmed false posives before you
implement full best-pracce Anvirus profiles for the internet gateway or for the data center.
PAN-OS includes basic WildFire service, which enables forwarding portable executable
(PE) files for WildFire analysis and retrieving WildFire signatures with anvirus or Threat
Prevenon updates every 24-48 hours. A WildFire subscripon includes many more
features, such as receiving updates every five minutes, support for more file types, and an
API.
• WildFire signature generaon is highly accurate and false posives are rare. Deploying the best
pracce WildFire Analysis profile from the start does not impact network traffic. However,
WildFire Acon sengs in the Anvirus profile may impact traffic if the traffic generates a
WildFire signature that results in a reset or drop acon.
• Exclude internal traffic such as soware distribuon applicaons if you deploy custom-built
programs through these applicaons because WildFire may idenfy custom-built programs as
malicious and generate a signature for them.
The default WildFire Analysis profile is the recommended best pracce profile, including at the
internet gateway and in the data center.
When you have the inial profiles in place, monitor the WildFire Submissions logs (Monitor
> Logs > WildFire Submissions) for enough me to gain confidence you understand whether
any business-crical applicaons cause alerts or blocks due to the Anvirus profile WildFire
Acon. Create excepons (open a support cket if necessary) in the Anvirus profile as needed to
remediate any confirmed false posives.
• The pre-defined URL categories are very accurate, so it’s safe to implement URL Filtering
profiles with category acons configured according to your company policy for allowing or
denying access to different types of sites.
Internet Gateway Best Pracce Security Policy Version Version 25 ©2022 Palo Alto Networks, Inc.
10.1
Best Pracce Internet Gateway Security Policy
• Block known-bad URL categories from the start, including malware, command-and-control,
copyright-infringement, extremism, phishing, and proxy-avoidance-and-anonymizers.
• For the URL categories dynamic-dns (these sites are oen used to deliver malware payloads
or command-and-control traffic), unknown (sites PAN-DB has not yet idenfied), parked (oen
used for credenal phishing), grayware (malicious or quesonable), and newly-registered-
domain (oen used for malicious acvity), it’s best to alert inially so you can monitor the URL
Filtering logs (Monitor > Logs > URL Filtering) in case legimate websites trigger alerts before
you move to the best pracce of blocking these categories.
• Configure the security-focused high-risk and medium-risk based URL categories to alert (this
is the default acon). Monitor the URL Filtering logs to see if you want to allow access to the
sites these categories control, if you want to block these categories completely, or if you want
to allow access to some sites and block the rest.
When you have the inial profiles in place, monitor the URL Filtering logs for enough me to gain
confidence you understand whether any business-crical sites will be blocked if you transion
from alerng to blocking and to best pracce URL Filtering profiles. If you believe a given URL
isn’t categorized correctly, request URL recategorizaon to have the URL placed in the correct
category.
Internet Gateway Best Pracce Security Policy Version Version 26 ©2022 Palo Alto Networks, Inc.
10.1
Best Pracce Internet Gateway Security Policy
Consider adding the best pracce security profiles to a default security profile group so
that it will automacally aach to any new Security policy rules you create.
In some cases, the need to support crical applicaons may prevent you from blocking
all of the strict profile’s file types. Follow the Transion File Blocking Profiles Safely
to Best Pracces advice to help determine whether you need to make excepons in
different areas of the network. Review the data filtering logs (Monitor > Logs > Data
Filtering) to idenfy file types and talk with business stakeholders about the file types their
applicaons require. Based on this informaon, if necessary, clone the strict profile and
modify it as needed to allow only the other file type(s) that you need to support the crical
applicaons. You can also use the Direcon seng to restrict files types from flowing in
both direcons or block files in one direcon but not in the other direcon.
Internet Gateway Best Pracce Security Policy Version Version 27 ©2022 Palo Alto Networks, Inc.
10.1
Best Pracce Internet Gateway Security Policy
What if I can’t block all of the file types covered in the predefined strict profile?
If you have mission-crical applicaons that prevent you from blocking all of the file types
included in the predefined strict profile, you can clone the profile and modify it for those users
who must transfer a file type covered by the predefined profile. If you choose not to block all
PE files per the recommendaon, make sure you send all unknown files to WildFire for analysis.
Addionally, set the Acon to connue to prevent drive-by downloads, which is when an end
user downloads content that installs malicious files, such as Java applets or executables, without
knowing they are doing it. Drive-by downloads can occur when users visit web sites, view email
messages, or click into pop-up windows meant to deceive them. Educate your users that if they
are prompted to connue with a file transfer they didn’t knowingly iniate, they may be subject to
a malicious download. In addion, using file blocking in conjuncon with URL filtering to limit the
categories in which users can transfer files is another good way to reduce the aack surface when
you find it necessary to allow file types that may carry threats.
Internet Gateway Best Pracce Security Policy Version Version 28 ©2022 Palo Alto Networks, Inc.
10.1
Best Pracce Internet Gateway Security Policy
Internet Gateway Best Pracce Security Policy Version Version 29 ©2022 Palo Alto Networks, Inc.
10.1
Best Pracce Internet Gateway Security Policy
Internet Gateway Best Pracce Security Policy Version Version 30 ©2022 Palo Alto Networks, Inc.
10.1
Best Pracce Internet Gateway Security Policy
Allow traffic only to sanconed DNS servers. Use the DNS Security service to prevent
connecons to malicious DNS servers.
Don’t enable PCAP for informaonal acvity because it generates a relavely high volume of that
traffic and it’s not parcularly useful compared to potenal threats. Apply extended PCAP (as
opposed to single PCAP) to high-value traffic to which you apply the alert Acon. Apply PCAP
using the same logic you use to decide what traffic to log—take PCAPs of the traffic you log. Apply
single PCAP to traffic you block. The default number of packets that extended PCAP records and
sends to the management plane is five packets, which is the recommended value. In most cases,
capturing five packets provides enough informaon to analyze the threat. If too much PCAP traffic
is sent to the management plane, then capturing more than five packets may result in dropping
PCAPs.
Configure your DNS Policies to protect your network from DNS queries to malicious domains. You
can configure your an-spyware profile to use locally available, downloadable DNS signature sets
(packaged with the anvirus and WildFire updates) or, oponally, access DNS Security, a cloud-
based service that provides real-me access to DNS signatures and protecons against advanced
threats. These are configurable as individual signature sources; addionally, DNS Security allows
you to configure each domain category separately. It is a best pracce to override the default
sengs and to reconfigure each category with a log severity, policy acon, and packet capture
seng that reflects the risks associated with a given domain type.
Using the sinkhole seng idenfies potenally compromised hosts that aempt to access
suspicious domains by tracking the hosts and prevenng them from accessing those domains.
Palo Alto Networks recommends using the sinkhole policy acon instead of block to maintain
opmum protecon while providing a mechanism to assist in idenfying compromised endpoints.
For domain categories that pose a greater threat, a higher log severity level and/or packet
capture sengs are used. This can help determine if the aack was successful, identy the aack
methods, and provide beer overall context.
Configure the DNS signature source categories using the sengs described below:
Internet Gateway Best Pracce Security Policy Version Version 31 ©2022 Palo Alto Networks, Inc.
10.1
Best Pracce Internet Gateway Security Policy
DNS Security
For more informaon about the DNS signature source categories, see DNS Security
Analycs.
If you have a business purpose for a dynamic DNS domain, then make sure you allow
those URLs in your URL Filtering profile.
Internet Gateway Best Pracce Security Policy Version Version 32 ©2022 Palo Alto Networks, Inc.
10.1
Best Pracce Internet Gateway Security Policy
In addion to blocking known bad categories, alert on all other categories so you have visibility
into the sites your users are vising. If you need to phase in a block policy, set categories to
connue and create a custom response page to educate users about your acceptable use policies
and alert them to the fact they are vising a site that may pose a threat. This paves the way for
you to outright block the categories aer a monitoring period.
If you are running PAN-OS 9.0.4 or later, ensure that the firewall handles user web requests
as securely as possible by enabling the opon to hold client requests (enter config then set
deviceconfig setting ctd hold-client-request yes). By default, the firewall
allows requests while it looks up an uncached URL category in PAN-DB and then enforces the
appropriate policy when the server responds. Maximize security by opng to hold requests during
this lookup. For details, see Configure URL Filtering.
Internet Gateway Best Pracce Security Policy Version Version 33 ©2022 Palo Alto Networks, Inc.
10.1
Best Pracce Internet Gateway Security Policy
• unknown—Sites that have not yet been idenfied by PAN-DB. If availability is crical to your
business and you must allow the traffic, alert on unknown sites, apply the best pracce Security
profiles to the traffic, and invesgate the alerts.
PAN-DB Real-Time Updates learns unknown sites aer the first aempt to access an
unknown site, so unknown URLs are idenfied quickly and become known URLs that
the firewall can then handle based on the actual URL category.
• newly-registered-domain—Newly registered domains are oen generated purposely or by
domain generaon algorithms and used for malicious acvity.
• command-and-control—Command-and-control URLs and domains used by malware and/or
compromised systems to surrepously communicate with an aacker's remote server to
receive malicious commands or exfiltrate data.
• copyright-infringement—Domains with illegal content, such as content that allows illegal
download of soware or other intellectual property, which poses a potenal liability risk. This
category was introduced to enable adherence to child protecon laws required in the educaon
industry as well as laws in countries that require internet providers to prevent users from
sharing copyrighted material through their service.
• extremism—Websites promong terrorism, racism, fascism, or other extremist views
discriminang against people or groups of different ethnic backgrounds, religions or other
beliefs. This category was introduced to enable adherence to child protecon laws required in
the educaon industry. In some regions, laws and regulaons may prohibit allowing access to
extremist sites, and allowing access may pose a liability risk.
• proxy-avoidance-and-anonymizers—URLs and services oen used to bypass content filtering
products.
• grayware—Websites and services that do not meet the definion of a virus but are malicious or
quesonable and may degrade device performance and cause security risks. Prior to Content
release version 8206, the firewall placed grayware in either the malware or quesonable URL
category. If you are unsure about whether to block grayware, start by alerng on grayware,
invesgate the alerts, and then decide whether to block grayware or connue to alert on
grayware.
• parked—Domains registered by individuals, oenmes later found to be used for
credenal phishing. These domains may be similar to legimate domains, for example,
pal0alto0netw0rks.com, with the intent of phishing for credenals or personal idenfy
informaon. Or, they may be domains that an individual purchases rights to in hopes that it
may be valuable someday, such as panw.net.
The default URL Filtering profile blocks the malware, phishing, and command-and-
control URL categories, but not the rest of the categories recommended to block as
a best pracce. The default URL Filtering profile also blocks the abused-drugs, adult,
gambling, hacking, quesonable, and weapons URL categories. Whether to block these
URL categories depends on your business requirements. For example, a university probably
won’t restrict student access to most of these sites because availability is important, but a
business that values security first may block some or all of them.
Internet Gateway Best Pracce Security Policy Version Version 34 ©2022 Palo Alto Networks, Inc.
10.1
Best Pracce Internet Gateway Security Policy
or allowing enre URL categories. Use the URL Filtering safe transion steps to evaluate what
sites you want to allow and what sites you want to block, then use the power of the Palo Alto
Networks plaorm to implement policies that fit your business requirements. For example, you
can:
• Use risk-based URL categories (high-risk, medium-risk, and low-risk) to simplify policy. If
(aer monitoring the traffic) you determine that you can block high-risk and/or medium-risk
categories completely, you can quickly and simply ghten security. This enables you to control
large numbers of potenally risky sites with one policy.
• Use risk-based URL categories to simplify decrypon. If you determine that you can decrypt
the sites in the high-risk and/or medium-risk categories, instead of creang decrypon rules for
many different applicaons, you can decrypt these risk categories in one simple rule.
• Log all user agents and referrers, all URLs, and all file downloads for high-risk and medium-risk
category domains to increase visibility.
• Allow access to categories such as personal-sites-and-blogs while applying a File Blocking
profile to the traffic to prevent downloading risky content such as .exe, .scr, and other
potenally malicious files.
• If you can’t block high-risk and/or medium-risk categories, apply a File Blocking profile to
prevent downloading risky files.
• Allow all finance sites and use the predefined Palo Alto Networks - Bulletproof IP addresses
EDL to prevent access to sites hosted on Bulletproof ISPs.
• Allow newly registered domains (if your business requires it) and automacally decrypt those
sites and inspect the traffic. This method of applying decrypon to enre categories works for
any URL category you need to allow but that may pose risk.
• Use combinaons of URL categories to simplify policy.
Internet Gateway Best Pracce Security Policy Version Version 35 ©2022 Palo Alto Networks, Inc.
10.1
Best Pracce Internet Gateway Security Policy
Set up alerts for malware through email, SNMP, or a syslog server so that the firewall immediately
nofies you when it encounters a potenal issue. The faster you isolate a compromised host, the
lower the chance that the previously unknown malware has spread to other data center devices,
and the easier it is to remediate the issue.
If necessary, you can restrict the applicaons and file types sent for analysis based on the traffic’s
direcon.
WildFire Acon sengs in the Anvirus profile may impact traffic if the traffic generates
a WildFire signature that results in a reset or a drop acon. You can exclude internal
traffic such as soware distribuon applicaons through which you deploy custom-built
programs to transion safely to best pracces, because WildFire may idenfy custom-
built programs as malicious and generate a signature for them. Check Monitor > Logs
> WildFire Submissions to see if any internal custom-built programs trigger WildFire
signatures.
Internet Gateway Best Pracce Security Policy Version Version 36 ©2022 Palo Alto Networks, Inc.
10.1
Best Pracce Internet Gateway Security Policy
To apply consistent security policy across mulple locaons, you can reuse templates
and template stacks so that the same policies apply to every internet gateway firewall
at every locaon. The templates use variables to apply device-specific values such as
IP addresses, FQDNs, etc., while maintaining a global security policy and reducing the
number of templates and template stacks you need to manage.
The following topics describe how to create the inial rulebase and describe why each rule is
necessary and what the risks are of not following the best pracce recommendaon:
• Step 1: Create Rules Based on Trusted Threat Intelligence Sources
• Step 2: Create the Applicaon Allow Rules
• Step 3: Create the Applicaon Block Rules
• Step 4: Create the Temporary Tuning Rules
• Step 5: Enable Logging for Traffic that Doesn’t Match Any Rules
This rule protects you against IP addresses • One rule blocks outbound traffic to known
that Palo Alto Networks has proven to malicious IP addresses, while another rule
be used almost exclusively to distribute blocks inbound traffic to those addresses.
malware, iniate command-and-control • Set the external dynamic list Palo Alto
acvity, and launch aacks. Networks - Known malicious IP addresses
as the Desnaon address for the
Internet Gateway Best Pracce Security Policy Version Version 37 ©2022 Palo Alto Networks, Inc.
10.1
Best Pracce Internet Gateway Security Policy
This rule protects you against IP addresses • One rule blocks outbound traffic to known
that Palo Alto Networks has shown to Bulletproof hosng IP addresses, while
belong to Bulletproof hosng providers. another rule blocks inbound traffic to those
addresses.
Bulletproof hosng providers have no or
very limited restricons on content and • Set the external dynamic list Palo Alto
don’t log events. This makes Bulletproof Networks - Bulletproof IP addresses as
sites ideal places from which to launch the Desnaon address for the outbound
command-and-control (C2) aacks and traffic rule, and as the Source address for
illegal acvity because anything goes and the inbound traffic rule.
nothing is tracked. • Deny traffic that match these rules.
• Enable logging for traffic matching these
rules so that you can invesgate potenal
threats on your network.
Internet Gateway Best Pracce Security Policy Version Version 38 ©2022 Palo Alto Networks, Inc.
10.1
Best Pracce Internet Gateway Security Policy
STEP 3 | Block and log traffic to and from high-risk IP addresses from trusted threat advisories.
Although Palo Alto Networks has no direct • One rule logs blocked outbound traffic to
evidence of the maliciousness of the IP high-risk IP addresses and another rule logs
addresses in the high-risk IP address feed, blocked inbound traffic to those addresses.
threat advisories have linked them to • Set the external dynamic list Palo Alto
malicious behavior. Networks - High risk IP addresses as the
Block and log the traffic as shown in this Desnaon address for the outbound
example. traffic rule and as the Source address for
the inbound traffic rule.
If you must allow a high-risk IP address for
business reasons, create a Security policy • If you allow the traffic, apply best pracce
rule that allows only that IP address and Security profiles.
place it in front of the high-risk IP address • Because this rule is intended to block
block rule in the rulebase. Closely monitor malicious traffic, it matches traffic to and
and log any high-risk IP addresses that you from any user, running on any port, and for
choose to allow. any applicaon.
STEP 4 | (MineMeld users only) Block traffic from inbound IP addresses that trusted third-party feeds
have idenfied as malicious.
Internet Gateway Best Pracce Security Policy Version Version 39 ©2022 Palo Alto Networks, Inc.
10.1
Best Pracce Internet Gateway Security Policy
When creang the applicaon allow rules, make sure to place more specific rules above more
general rules. For example, the rules for all of your sanconed and infrastructure applicaons
would come before the rules that allow general access to certain types of business and personal
Internet Gateway Best Pracce Security Policy Version Version 40 ©2022 Palo Alto Networks, Inc.
10.1
Best Pracce Internet Gateway Security Policy
applicaons. This first part of the rulebase includes the allow rules for the applicaons you
idenfied as part of your applicaon allow list:
• Sanconed applicaons you provision and administer for business and infrastructure purposes
• General business applicaons that your users may need to use in order to get their jobs done
• General applicaons you may choose to allow for personal use
Tag all sanconed applicaons with the predefined Sanconed tag. Panorama and
firewalls consider applicaons without the Sanconed tag as unsanconed applicaons.
Every applicaon allow rule also requires that you aach the best pracce security profiles to
ensure that you are scanning all allowed traffic for known and unknown threats. If you have not
yet created these profiles, then Create Best Pracce Security Profiles for the Internet Gateway.
And, because you can’t inspect what you can’t see, you must also make sure you have configured
the firewall to Decrypt Traffic for Full Visibility and Threat Inspecon.
STEP 1 | Allow access to your corporate DNS servers.
Access to DNS is required to provide • Because this rule is very specific, place it at
network infrastructure services, but it is the top of the rulebase.
commonly exploited by aackers. • Create an address object to use for the
Allowing access only on your internal DNS desnaon address to ensure that users
server reduces your aack surface. only access the DNS server in your data
center.
• Because users will need access to these
services before they are logged in, you
must allow access to any user.
Enable the applicaons that provide your • Because these applicaons run on the
network infrastructure and management default port, allow access to any user (users
funcons, such as NTP, OCSP, STUN, and may not yet be a known-user because of
ping. when these services are needed), and all
While DNS traffic allowed in the preceding have a desnaon address of any, contain
rule is restricted to the desnaon address them in a single applicaon group and
in the data center, these applicaons create a single rule to enable access to all
of them.
Internet Gateway Best Pracce Security Policy Version Version 41 ©2022 Palo Alto Networks, Inc.
10.1
Best Pracce Internet Gateway Security Policy
With SaaS applicaons, your proprietary • Create an applicaon group to group all
data is in the cloud. This rule ensures that sanconed SaaS applicaons.
only your known users have access to • SaaS applicaons should always run on the
these applicaons (and the underlying applicaon default port.
data).
• Restrict access to your known users. See
Scan allowed SaaS traffic for threats. Create User Groups for Access to Allowed
Applicaons.
Internet Gateway Best Pracce Security Policy Version Version 42 ©2022 Palo Alto Networks, Inc.
10.1
Best Pracce Internet Gateway Security Policy
To reduce your aack surface, Create User • This rule restricts access to users in the
Groups for Access to Allowed Applicaons. IT_admins group.
Because administrators oen need access • Create a custom applicaon for each
to sensive account data and remote internal applicaon or applicaon that
access to other systems (for example runs on non-standard ports so that you
RDP), you can greatly reduce your aack can enforce them on their default ports
surface by only allowing access to the rather than opening addional ports on
administrators who have a business need. your network.
• If you have different user groups for
different applicaons, create separate rules
for granular control.
Beyond the applicaons you sancon for • Restrict access to your known users. See
use and administer for your users, there Create User Groups for Access to Allowed
are a variety of applicaons that users may Applicaons.
commonly use for business purposes, for • For visibility, Create an applicaon filter for
example to interact with partners, such as each type of applicaon you want to allow.
WebEx, Adobe online services, or Evernote,
but which you may not officially sancon. • Aach the best pracce security profiles to
ensure that all traffic is free of known and
Because malware oen sneaks in with unknown threats. See Create Best Pracce
legimate web-based applicaons, this rule Security Profiles for the Internet Gateway.
allows you to safely allow web browsing
while sll scanning for threats. See Create
Internet Gateway Best Pracce Security Policy Version Version 43 ©2022 Palo Alto Networks, Inc.
10.1
Best Pracce Internet Gateway Security Policy
As the lines blur between work and • Restrict access to your known users. See
personal devices, you want to ensure that Create User Groups for Access to Allowed
all applicaons your users access are safely Applicaons.
enabled and free of threats. • For visibility, create an applicaon filter for
By using applicaon filters, you can safely each type of applicaon you want to allow.
enable access to personal applicaons • Scan all traffic for threats by aaching your
when you create this inial rulebase. Aer best pracce security profile group. See
you assess what applicaons are in use, Create Best Pracce Security Profiles for
you can use the informaon to decide the Internet Gateway.
whether to remove the filter and allow a
smaller subset of personal applicaons
appropriate for your acceptable use
policies.
While the previous rule allowed access • Use the same best pracce security profiles
to personal applicaons (many of them as the other rules, except the Best Pracce
browser-based), this rule allows general Internet Gateway File Blocking Profile
web browsing. profile, which is more stringent because
General web browsing is more risk-prone general web browsing traffic is more
than other types of applicaon traffic. You vulnerable to threats, and the URL Filtering
must Create Best Pracce Security Profiles profile, which you should ghten as much
for the Internet Gateway and aach them as possible.
to this rule in order to safely enable web • Allow only known users, to prevent devices
browsing. with malware or embedded devices from
reaching the internet.
Internet Gateway Best Pracce Security Policy Version Version 44 ©2022 Palo Alto Networks, Inc.
10.1
Best Pracce Internet Gateway Security Policy
Each of the tuning rules you will define in Step 4: Create the Temporary Tuning Rules are
designed to idenfy a specific gap in your inial policy. Therefore some of these rules will
need to go above the applicaon block rules and some will need to go aer.
Chrome and some other browsers establish • Before you create the policy rules, you
sessions using QUIC instead of TLS, but must first create a Service (Objects >
QUIC uses proprietary encrypon that Services) that specifies UDP ports 80 and
the firewall can’t decrypt, so potenally 443.
dangerous encrypted traffic may enter the • The first rule blocks QUIC on its UDP
network. service ports (80 and 443) and uses the
Blocking QUIC forces the browser to fall Service you created to specify those ports.
back to TLS and enables the firewall to • The second rule blocks the QUIC
decrypt the traffic. applicaon.
Internet Gateway Best Pracce Security Policy Version Version 45 ©2022 Palo Alto Networks, Inc.
10.1
Best Pracce Internet Gateway Security Policy
Noce that the Service specifies the UDP ports to block for QUIC in the first rule:
Block nefarious applicaons such as • Use the Drop Acon to silently drop the
encrypted tunnels and peer-to-peer file traffic without sending a signal to the client
sharing, as well as web-based file sharing or the server.
applicaons that are not IT sanconed. • Enable logging for traffic matching this
Because the tuning rules that follow are rule so that you can invesgate misuse of
designed to allow traffic with malicious applicaons and potenal threats on your
intent or legimate traffic that is not network.
matching your policy rules as expected, • Because this rule is intended to catch
these rules could also allow risky or malicious traffic, it matches to traffic from
malicious traffic into your network. This any user running on any port.
rule prevents that by blocking traffic that
has no legimate use case and that could
be used by an aacker or a negligent user.
Block public DNS/SMTP applicaons to • Use the Reset both client and server
avoid DNS tunneling, command and control Acon to send a TCP reset message
traffic, and remote administraon. to both the client-side and server-side
devices.
Internet Gateway Best Pracce Security Policy Version Version 46 ©2022 Palo Alto Networks, Inc.
10.1
Best Pracce Internet Gateway Security Policy
Some of the temporary tuning rules must go above the rules to block bad applicaons
and some must go aer to ensure that targeted traffic hits the appropriate rule, while sll
ensuring that bad traffic is not allowed onto your network.
STEP 1 | Allow web-browsing and SSL on non-standard ports for known users to determine if there
are any legimate applicaons running on non-standard ports.
This rule helps you determine if you have • Unlike the allow rules that allow
any gaps in your policy where users are applicaons on the default port only, this
unable to access legimate applicaons rule allows web-browsing and SSL traffic
because they are running on non-standard on any port so that you can find gaps in
ports. your allow list.
You must monitor all traffic that matches • Because this rule is intended to find gaps
this rule. For any traffic that is legimate, in policy, limit it to known users on your
you should tune the appropriate allow rule network. See Create User Groups for
to include the applicaon, and creang a Access to Allowed Applicaons.
custom applicaon where appropriate. • Make sure you also explicitly allow SSL as
an applicaon here if you want to allow
users to be able to browse to HTTPS sites
that aren’t decrypted (such as financial
services and healthcare sites).
Internet Gateway Best Pracce Security Policy Version Version 47 ©2022 Palo Alto Networks, Inc.
10.1
Best Pracce Internet Gateway Security Policy
STEP 2 | Allow web-browsing and SSL traffic on non-standard ports from unknown users to highlight
all unknown users regardless of port.
This rule helps you determine whether you • While the majority of the applicaon allow
have gaps in your User-ID coverage. rules apply to known users or specific user
This rule also helps you idenfy groups, this rule explicitly matches traffic
compromised or embedded devices that from unknown users.
are trying to reach the internet. • This rule must go above the applicaon
It is important to block non-standard port block rules or traffic will never hit it.
usage, even for web-browsing traffic, • Because it is an allow rule, you must aach
because it is usually an evasion technique. the best pracce security profiles to scan
for threats.
STEP 3 | Allow all applicaons on the applicaon-default port to idenfy unexpected applicaons.
This rule provides visibility into applicaons • Because this rule allows all applicaons,
that you weren’t aware were running on you must add it aer the applicaon block
your network so that you can fine-tune rules to prevent bad applicaons from
your applicaon allow list. running on your network.
Monitor all traffic matching this rule to • If you are running PAN-OS 7.0.x
determine whether it represents a potenal or earlier, to appropriately idenfy
threat, or whether you need to modify unexpected applicaons, you must create
your allow rules to enable access to more an applicaon filterthat includes all
applicaons. applicaons, instead of seng the rule to
allow any applicaon.
Internet Gateway Best Pracce Security Policy Version Version 48 ©2022 Palo Alto Networks, Inc.
10.1
Best Pracce Internet Gateway Security Policy
STEP 4 | Allow any applicaon on any port to idenfy applicaons running where they shouldn’t be.
This rule helps you idenfy legimate, • Because this is a very general rule that
known applicaons running on unknown allows any applicaon from any user on
ports. any port, it must come at the end of your
This rule also helps you idenfy unknown rulebase.
applicaons for which you need to create • Enable logging for traffic matching this rule
a custom applicaon to add to your so that you can invesgate for misuse of
applicaon allow rules. applicaons and potenal threats on your
Any traffic matching this rule is aconable network or idenfy legimate applicaons
and requires that you track down the that require a custom applicaon.
source of the traffic and ensure that you
are not allowing any unknown tcp, udp or
non-syn-tcp traffic.
Step 5: Enable Logging for Traffic that Doesn’t Match Any Rules
Traffic that does not match any of the rules you defined will match the predefined interzone-
default rule at the boom of the rulebase and be denied. For visibility into the traffic that is not
matching any of the rules you created, enable logging on the interzone-default rule:
STEP 1 | Select the interzone-default row in the rulebase and click Override to enable eding on this
rule.
STEP 2 | Select the interzone-default rule name to open the rule for eding.
STEP 3 | On the Acons tab, select Log at Session End and click OK.
STEP 4 | Create a custom report to monitor traffic that hits this rule.
1. Select Monitor > Manage Custom Reports.
2. Add a report and give it a descripve Name.
3. Set the Database to Traffic Summary.
4. Select the Scheduled check box.
5. Add the following to the Selected Columns list: Rule, Applicaon, Bytes, Sessions.
6. Set the desired Time Frame, Sort By and Group By fields.
7. Define the query to match traffic hing the interzone-default rule:
(rule eq 'interzone-default')
Internet Gateway Best Pracce Security Policy Version Version 49 ©2022 Palo Alto Networks, Inc.
10.1
Best Pracce Internet Gateway Security Policy
Because new App-IDs are added in weekly content releases, you should review the
impact App-ID changes have on your policy.
STEP 1 | Create custom reports that let you monitor traffic that hits the rules designed to idenfy
policy gaps.
1. Select Monitor > Manage Custom Reports.
2. Add a report and give it a descripve Name that indicates the parcular policy gap you
are invesgang, such as Best Pracce Policy Tuning.
3. Set the Database to Traffic Summary.
4. Select the Scheduled check box.
5. Add the following to the Selected Columns list: Rule, Applicaon, Bytes, Sessions.
6. Set the desired Time Frame, Sort By and Group By fields.
7. Define the query to match traffic hing the rules designed to find policy gaps and
alarming behavior. You can create a single report that details traffic hing any of the
rules (using the or operator), or create individual reports to monitor each rule. Using the
rule names defined in the example policy, you would enter the corresponding queries:
• (rule eq 'Unexpected Port SSL and Web')
• (rule eq 'Unknown User SSL and Web')
• (rule eq 'Unexpected Traffic')
• (rule eq 'Unexpected Port Usage')
Internet Gateway Best Pracce Security Policy Version Version 50 ©2022 Palo Alto Networks, Inc.
10.1
Best Pracce Internet Gateway Security Policy
STEP 2 | Review the report regularly to make sure you understand why traffic is hing each of
the best pracce policy tuning rules and either update your policy to include legimate
applicaons and users or use the informaon in the report to assess the risk of that
applicaon usage and implement policy reforms.
Internet Gateway Best Pracce Security Policy Version Version 51 ©2022 Palo Alto Networks, Inc.
10.1
Best Pracce Internet Gateway Security Policy
Internet Gateway Best Pracce Security Policy Version Version 52 ©2022 Palo Alto Networks, Inc.
10.1
Best Pracce Internet Gateway Security Policy
On Panorama or an individual firewall, use the policy rule hit counter to analyze changes
to the rulebase. For example, when you add a new applicaon, before you allow that
applicaon’s traffic on the network, add the allow rule to the rulebase. If traffic hits the
rule and increments the counter, it indicates traffic that matches the rule may already
be on the network even though you haven’t acvated the applicaon, or that you may
need to tune the rule. Follow up by checking the ACC > Threat Acvity > Applicaons
Using Non Standard Ports and the ACC > Threat Acvity > Rules Allowing Apps On Non
Standard Ports widgets to see if traffic on non-standard ports caused the unexpected rule
hits.
The key to using the policy rule hit counter is to reset the counter when you make a
change, such as introducing a new applicaon or changing a rule’s meaning. Reseng
the hit counter ensures that you see the result of the change, not results that include the
change and events that happened before the change.
If you use Panorama to manage firewalls, you can monitor firewall health to compare
devices to their baseline performance and to each other to idenfy deviaons from normal
behavior.
Palo Alto Networks sends content updates that you should download automacally and schedule
for installaon on firewalls as soon as possible. Most content updates contain updates to threat
content (anvirus, vulnerabilies, an-spyware, etc.) and may contain modified App-IDs. On the
third Tuesday of each month, the content update also contains new App-IDs. You can set separate
thresholds to delay installing regular content updates and to delay installing the once-a-month
update that contains new App-IDs for a specified period of me aer the download. Delaying
installaon enables you to install content updates that don’t include new App-IDs as quickly as
possible to get the latest threat signatures, while also providing more me to examine new App-
IDs before installing them.
The content updates on the third Tuesday of each month that contain new App-IDs may cause
changes in Security policy enforcement. Before you install new or modified App-IDs, review the
policy impact, stage updates to test impact, and modify exisng Security policy rules if necessary.
The most efficient way to control downloading and installing content updates on firewalls is
loading them on and pushing them from Panorama if you use Panorama.
Follow the general content update best pracces, but keep in mind that on internet gateways,
security is crical because any traffic could aempt to gain entrance to your network from the
internet, so you want to roll out content updates as fast as possible:
• Quickly test content updates in a safe area of the network before you install them on an
internet gateway.
Internet Gateway Best Pracce Security Policy Version Version 53 ©2022 Palo Alto Networks, Inc.
10.1
Best Pracce Internet Gateway Security Policy
• For content updates that don’t contain new App-IDs, set the installaon threshold to no more
than two hours aer the automac download and conduct tesng within that period.
• For content updates that contain new App-IDs, set the installaon threshold no more than
eight hours aer the automac download and conduct tesng within that period.
• Configure Log Forwarding for all content updates.
STEP 1 | Before installing a new content update, review new and modified App-IDs to determine if
there is policy impact.
STEP 2 | If necessary, modify exisng Security policy rules to accommodate the App-ID changes. You
can disable selected App-IDs if some App-IDs require more tesng and install the rest of
the new App-IDs. Finish tesng and any necessary policy revisions before the next monthly
content release with new App-IDs arrives (third Tuesday of each month) to avoid overlap.
STEP 3 | Prepare policy updates to account for App-ID changes included in a content release or to add
new sanconed applicaons to or remove applicaons from your allow rules.
Internet Gateway Best Pracce Security Policy Version Version 54 ©2022 Palo Alto Networks, Inc.
10.1