Creating Network Firewall Policy Components

Components in a network firewall policy help you build security and decryption rules. When the policy is associated with a firewall, the firewall uses the rules to process network traffic.

This topic describes the different types of component resources that you can create in a policy. First you create lists, secrets, and decryption profiles, and then you use them to build rules for a policy. Each policy's component resources can be used only within that policy. To use a component resource in a different policy, you must re-create the component resource in that policy.

Important

Some names are reserved by Palo Alto Networks®. If you create a policy component with a reserved name, the process fails with an error. See Reserved Names.

After you associate a policy with a firewall, the firewall begins to allow or deny traffic based on the rules in the policy as follows:
  1. The firewall evaluates the decryption rules in priority list order.
  2. When a decryption rule matches the packet information, the firewall applies the specified rule action.
  3. When a rule action is applied, the firewall doesn't evaluate any further decryption rules.
  4. If the packet information doesn't match any decryption rules, the firewall doesn't decrypt the packet.
  5. The firewall evaluates the security rules in priority list order.
  6. When a security rule matches the packet information, the firewall applies the specified rule action.
  7. When a rule action is applied, the firewall doesn't evaluate any further security rules.
  8. If the packet information doesn't match any security rules, the firewall drops the packet.
Important

  • Rules are optional, but if the policy that you use with a firewall doesn't have at least one rule specified, the firewall denies all network traffic.
  • By default, each new rule that you create becomes the first in the priority list. You can change the priority order at any time.
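The evaluation order above, combined with the security-rule behavior described later on this page (an empty match criterion means "any", and a packet that matches no security rule is dropped), as an added Python simulation that is not part of the OCI documentation or product; the rule names, CIDR blocks, and action labels are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class DecryptionRule:
    name: str
    action: str          # SSL_FORWARD_PROXY, SSL_INBOUND_INSPECTION or NO_DECRYPT
    sources: list = field(default_factory=list)        # CIDR strings; empty list = any
    destinations: list = field(default_factory=list)

@dataclass
class SecurityRule(DecryptionRule):
    services: list = field(default_factory=list)       # (proto, "port" or "low-high"); empty = any

def _addr_in(addr: str, cidrs: list) -> bool:
    return not cidrs or any(ipaddress.ip_address(addr) in ipaddress.ip_network(c) for c in cidrs)

def _service_in(proto: str, port: int, services: list) -> bool:
    if not services:
        return True
    for svc_proto, port_range in services:
        low, _, high = port_range.partition("-")
        if svc_proto == proto and int(low) <= port <= int(high or low):
            return True
    return False

def evaluate(decryption_rules, security_rules, packet):
    """First match wins in each priority list; no security match means the packet is dropped."""
    decrypt = None                          # no decryption rule matched: packet is not decrypted
    for r in decryption_rules:
        if _addr_in(packet["src"], r.sources) and _addr_in(packet["dst"], r.destinations):
            decrypt = r.action
            break
    for r in security_rules:
        if (_addr_in(packet["src"], r.sources) and _addr_in(packet["dst"], r.destinations)
                and _service_in(packet["proto"], packet["dport"], r.services)):
            return decrypt, r.action
    return decrypt, "DROP"

# Constructed sample policy (not from the page); the first entry has the highest priority
DECRYPTION = [DecryptionRule("inspect-inbound", "SSL_INBOUND_INSPECTION", destinations=["10.0.0.0/16"])]
SECURITY = [
    SecurityRule("allow-https", "ALLOW", destinations=["10.0.0.0/16"], services=[("TCP", "443")]),
    SecurityRule("reject-sql", "REJECT", services=[("TCP", "1433")]),  # empty address lists = any
]
```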

Lists

Lists are building blocks that let you group applications, services, URLs, or addresses for use in a rule.

All items in a list are treated the same way when they're used in a rule. For example, to create a rule that denies access to known malicious URLs, you can create a URL list called Malicious URLs. Then, you can create a rule that denies access to the entire list as a group.

To include any item in a rule, it must first be added to a list. The list can then be referenced in a rule. You can create a list that contains a single item.

Applications and Application Lists

Create applications and application lists to allow or deny traffic to a group of applications.

An application is defined by a signature based on the protocols that it uses. Layer 7 inspection is used to identify matching applications.

The following parameters are used to define an application:

  • Name: A unique name you define for the application
  • Protocol: ICMP or ICMPv6
  • ICMP or ICMPv6 Type: For example, 0-Echo reply, 3-Destination unreachable, 5-Redirect, 8-Echo
  • ICMP or ICMPv6 Code: For example, 0-Net unreachable, 1-Host unreachable, 2-Protocol unreachable, 3-Port unreachable

For more information about ICMP types and codes, see Internet Control Message Protocol (ICMP) Parameters.

Limits:
  • Maximum number of application lists for each policy: 2,500
  • Maximum number of applications in a single list: 200
  • Maximum total number of applications for a policy: 6,000

You can create applications and application lists one at a time, or you can import many at the same time using a JSON file. See Bulk Importing Network Firewall Policy Components.

After you create applications, you can add them to an application list in the policy. You can't add applications from one policy to a list in a different policy. The application must be created within each policy you want to use it in.

Application and Application List Tasks

Services and Service Lists

Create services and service lists to allow or deny traffic to a group of services. A service is identified by a signature based on the ports that it uses. Layer 4 inspection is used to identify matching services.

The following parameters are used to define a service:
  • Name: A unique name that you define for the service.
  • Protocol: TCP or UDP.
  • Port range: A port number or range, for example, "1433", "80-8080", or "22-22". Each service can contain a maximum of 10 port ranges.

Limits:
  • Maximum number of service lists for each policy: 2,000
  • Maximum number of services in a single list: 200
  • Maximum total number of services for a policy: 1,900

You can create services and service lists one at a time, or you can import many at the same time by using a JSON file. See Bulk Importing Network Firewall Policy Components.

After you create services, you can add them to a service list in the policy. You can't add services from one policy to a list in a different policy. The service must be created within each policy you want to use it in.

Service and Service List Tasks

URL Lists

Create URL lists to allow or deny traffic to a group of URLs. You can create up to 1,000 URL lists in a policy. Each list can contain a maximum of 1,000 URLs. Each URL is entered on its own line in the list. You can use asterisk (*) and caret (^) wildcards in a URL to customize matching. Don't enter protocol information such as http:// or https://.

  • An asterisk (*) wildcard indicates one or more variable subdomains. The entry matches any other subdomains at the beginning or end of the URL. For example:

    *.example.com matches www.example.com, www.docs.example.com, and www.example.com.ua.

    *.example.com/ matches www.example.com and www.docs.example.com but not www.example.com.ua.

  • A caret (^) wildcard indicates a single variable subdomain. For example, mail.^.com matches mail.example.com but not mail.example.sso.com.

See also Examples of using wildcards in URL filtering profiles.
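The asterisk and caret semantics described above, as an added Python matcher that is not part of the OCI documentation or the firewall's own implementation; the URL_LIST entries are constructed, and how a path after the trailing slash is compared is an assumption marked in the code.

```python
import re

def _host_pattern(entry_host: str) -> str:
    """Translate the host part of a list entry into a regex over DNS labels."""
    parts = []
    for label in entry_host.split("."):
        if label == "*":
            parts.append(r"[^.]+(?:\.[^.]+)*")   # asterisk: one or more labels
        elif label == "^":
            parts.append(r"[^.]+")               # caret: exactly one label
        else:
            parts.append(re.escape(label))       # literal label (also covers [IPv6]:port)
    return r"\.".join(parts)

def entry_matches(entry: str, url: str) -> bool:
    """True if url (written without a scheme, as the list requires) matches one list entry."""
    entry_host, slash, entry_path = entry.partition("/")
    url_host, _, url_path = url.partition("/")
    host_re = _host_pattern(entry_host)
    if not slash:
        # No trailing slash: further labels may follow the host (www.example.com.ua)
        host_re += r"(?:\.[^.]+)*"
    if not re.fullmatch(host_re, url_host, re.IGNORECASE):
        return False
    # Assumption (not stated on the page): a path after the slash must prefix the URL's path
    return url_path.startswith(entry_path)

def first_match(url_list: list, url: str):
    """Return the first entry in the list that matches url, or None."""
    return next((e for e in url_list if entry_matches(e, url)), None)

# Constructed list for demonstration, modelled on the page's sample entries
URL_LIST = [
    "www.example.net",
    "*.example.com/",
    "mail.^.com",
    "[1080:0:0:0:8:800:200C:417A]:8080/index.html",
]
```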

Here is an example of a URL list:
www.example.com
production1.example.com
production2.example.com
www.example.net
www.example.biz
[1080:0:0:0:8:800:200C:417A]:8080/index.html
1080:0:0:0:8:800:200C:417A/index.html
*.example.com
Limits:
  • Maximum number of URL lists for each policy: 1,000
  • Maximum number of URLs in a single list: 1,000
  • Maximum total number of URLs for a policy: 25,000

You can create URL lists one at a time, or you can import many at the same time by using a JSON file. See Bulk Importing Network Firewall Policy Components.

URL List Tasks

Address Lists

Create a list of addresses that you want to allow or deny access to. You can specify individual IPv4 or IPv6 addresses, or use CIDR blocks in an IP address list. Each address is entered on its own line in the list.

Note

FQDN addresses are available only for specific use cases. To use FQDN addresses in address lists, create a service request.

Here's an example of an IP address list:

10.0.0.0/16
10.1.0.0/24
10.2.0.0/24
10.3.0.0/24
10.4.0.0/24
10.5.0.0/24
2001:DB8::/32
2603:c020:0:6a00::/56
2603:c020:0:6aa1::/64

Here's an example of an FQDN address list:

mymail.example1.edu
server.example.org
myhost.mydomain.net
database1.privatesubnet1.abccorpvcn1.oraclevcn.com
subneta.vcn1.oraclevcn.com
Limits:
  • Maximum number of address lists for each policy: 20,000 IP address lists, 2,000 FQDN lists
  • Maximum number of addresses in a single list: 1,000

Address List Tasks

Mapped Secrets and Decryption Profiles

If a policy uses decryption rules that use certificate authentication, you must set up mapped secrets and decryption profiles.

Mapped secrets are secrets that you create in Oracle Cloud Infrastructure (OCI) Vault and then map to inbound or outbound SSL keys. The secrets are used to decrypt and inspect SSL/TLS traffic with SSL Forward Proxy or SSL Inbound Inspection.

If you plan to use SSL forward proxy or SSL inbound inspection, set up an OCI vault and secrets before you begin configuring a policy with rules. See Setting Up Certificate Authentication.

Decryption profiles control how SSL forward proxy and SSL inbound inspection perform session mode checks, server checks, and failure checks.

The following options are available for SSL forward proxy decryption profiles:
  • Block expired certificate: Blocks sessions if the server's certificate is expired. This option prevents access to potentially insecure sites. If this option isn't selected, users can connect to and transact with potentially malicious sites; they see warning messages when they connect, but the connection isn't prevented.
  • Block untrusted issuer: Blocks sessions if the server's certificate is issued by an untrusted certificate authority (CA). An untrusted issuer might indicate a man-in-the-middle attack, a replay attack, or other attack.
  • Block timeout certificate: Blocks sessions if the certificate status check times out. Certificate status checks use the Certificate Revocation List (CRL) on a revocation server or use Online Certificate Status Protocol (OCSP) to see if the CA that issued the certificate has revoked it. Revocation servers can be slow to respond, which can cause the session to time out, even if the certificate is valid.
  • Block unsupported cipher: Blocks sessions if the SSL cipher suite specified in the SSL handshake isn't supported.
  • Block unsupported version: Blocks sessions if the SSL version specified in the SSL handshake isn't supported.
  • Block unknown certificate: Blocks sessions if the certificate status is returned as "unknown." Certificate status might be unknown for many reasons, so use this option in higher-security areas of the network instead of for general security.
  • Restrict certificate extensions: Restricts extensions to key usage and extended key usage. Use this option only if deployment requires no other certificate extensions.
  • Auto-include alternative name: Automatically appends a Subject Alternative Name (SAN) to the impersonation certificate if the server certificate lacks one.
  • Block if no resources: Blocks sessions if not enough processing resources are available. If you don't use this option, encrypted traffic enters the network still encrypted, risking potentially dangerous connections. Using this option might affect the user experience by making sites temporarily unreachable.
The following options are available for SSL inbound inspection decryption profiles:
  • Block sessions with unsupported versions: Blocks sessions that use a weak, unsupported version of the SSL protocol.
  • Block unsupported cipher: Blocks sessions if the SSL cipher suite specified in the SSL handshake isn't supported.
  • Block if no resources: Blocks sessions if not enough processing resources are available. If you don't use this option, encrypted traffic enters the network still encrypted, risking potentially dangerous connections. Using this option might affect the user experience by making sites temporarily unreachable.
Limits:
  • Maximum number of mapped secrets for each policy: 300
  • Maximum number of SSL inbound mapped secrets for each policy: 300
  • Maximum number of SSL forward proxy mapped secrets for each policy: 1
  • Maximum number of decryption profiles for each policy: 500

You can create mapped secrets and decryption profiles one at a time, or you can import many at the same time by using a JSON file. See Bulk Importing Network Firewall Policy Components.

Mapped Secrets and Decryption Profile Tasks

Rules

A rule is a set of criteria against which a network packet is matched. Rules are configured in a policy, and the policy is then associated with a firewall. The firewall then allows or denies traffic according to the rules in its associated policy.

Rules are applied to a network packet as follows:
  • Decryption rules are always applied before security rules.
  • Decryption rules and security rules are each applied in a priority order that you can define.

Decryption Rules

Decryption rules decrypt traffic from a specified source, destination, or both. The specified source and destination match condition for the traffic consists of address lists that you configure in the policy before you construct the rule.

When the specified source and destination match condition is met, the firewall takes the rule action. You can choose one of the following actions:

  • Decrypt traffic with SSL forward proxy
  • Decrypt traffic with SSL inbound inspection
  • Don't decrypt traffic

If you choose to decrypt, you then choose a decryption profile and mapped secret to apply when decrypting traffic. You configure decryption profiles and mapped secrets in the policy before you construct the rule. By default, the priority order of decryption rules is their order of creation. You can change the priority order.

Limits:
  • Maximum number of decryption rules for each policy: 1,000

You can create decryption rules one at a time, or you can import many at once using a JSON file. See Bulk Importing Network Firewall Policy Components.

Decryption Rule Tasks

Security Rules

Firewalls use security rules to decide what network traffic is allowed or blocked. Each rule contains a set of criteria that packet information must match to apply the rule. This is called the rule match condition.

You can configure a security rule to match based on source and destination address, application, service, or URL. The specified source and destination match condition for the traffic consists of lists that you configure in the policy before you construct the rule.

Important

If no match criteria are defined in the security rule (an empty list is specified for the rule), then the rule matches wildcard ("any") criteria. This behavior applies to all traffic examined by the rule.

The rule action defines how the firewall handles the packet if it matches the specified conditions. The firewall can perform the following actions:
  • Allow traffic: The traffic is allowed to proceed.
  • Drop traffic: The traffic is dropped silently, and no reset notification is sent.
  • Reject traffic: The traffic is dropped and a reset notification is sent.
  • Intrusion detection: The traffic is logged.
  • Intrusion prevention: The traffic is blocked.
    Important

    To use intrusion detection and prevention, you must also enable logging. See Logs.
Limits:
  • Maximum number of security rules for each policy: 10,000

You can create security rules one at a time, or you can import many at the same time using a JSON file. See Bulk Importing Network Firewall Policy Components.

Security Rule Tasks