Palo Alto Security Policy Tutorial

This guide is split into two parts:

  1. Simplified Policy (functional setup)
  2. Hardened Policy (production best practice)

PART 1 — SIMPLIFIED POLICY

Goal

Allow:

  • Specific source
  • Specific destination (IP/FQDN)
  • Wildcard domain (via URL category)
  • Specific ports

Step 1: Address Objects

Objects > Addresses > Add

Source:

  • Name: SRC-App-Server
  • Type: IP Netmask
  • Value: 10.10.10.5

Destination:

  • Name: DST-App-FQDN
  • Type: FQDN
  • Value: api.example.com

Step 2: Wildcard Domain

Objects > Custom Objects > URL Category > Add

  • Name: Wildcard-App-Domain
  • Type: URL List
  • Entry: *.example.com

Step 3: Service Objects

Objects > Services > Add

Create:

  • TCP-3000 (Protocol: TCP, Destination Port: 3000)
  • TCP-3306 (Protocol: TCP, Destination Port: 3306)

Group them:

Objects > Service Groups > Add

  • Name: App-Ports
  • Members: TCP-3000, TCP-3306

Step 4: Security Policy

Policies > Security > Add

General:

  • Name: Allow-App-Specific

Source:

  • Zone: Trust
  • Address: SRC-App-Server

Destination:

  • Zone: Untrust
  • Address: DST-App-FQDN

Application:

  • any, or specific applications (Part 2 narrows this to an explicit App-ID list)

Service:

  • App-Ports

URL Category:

  • Wildcard-App-Domain

Action:

  • Allow

Logging:

  • Enable start and end logs

Step 5: Commit

Validation

test security-policy-match source <src-ip> destination <dst-ip> protocol 6 destination-port 3000

PART 2 — HARDENED BEST PRACTICE

Key Improvements

  • Enforce App-ID
  • Use application-default
  • Attach security profiles
  • Enable DNS sinkhole

Step 1: Address Group

Objects > Address Groups

  • Name: SRC-App-Group
  • Members: SRC-App-Server

Step 2: Service Strategy

Use:

  • application-default

Step 3: URL Category

Same as Part 1 (reuse the Wildcard-App-Domain custom URL category)
Step 4: Security Profiles

Create:

Anti-Spyware:

  • Enable sinkhole

Vulnerability Protection:

  • Action reset-both for high and critical severity signatures

Antivirus:

  • Enable all protocols

URL Filtering:

  • Allow wildcard domain
  • Block malicious categories

File Blocking:

  • Block executables and scripts

WildFire:

  • Forward unknown files

Step 5: Profile Group

Objects > Security Profile Groups

  • Name: Strict-Profile-Group
  • Add all profiles

Step 6: Hardened Policy

General:

  • Name: Allow-App-Hardened

Source:

  • Zone: Trust
  • Address: SRC-App-Group

Destination:

  • Zone: Untrust
  • Address: DST-App-FQDN

Application:

  • web-browsing
  • ssl
  • mysql

Service:

  • application-default

URL Category:

  • Wildcard-App-Domain

Profiles:

  • Strict-Profile-Group

Logging:

  • Enable all logs
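To check that a rulebase actually meets the Part 2 criteria (App-ID enforced, application-default service, profile group attached, end-of-session logging), the following audit script is an added example and not part of this tutorial. It parses a constructed rulebase sample laid out like a PAN-OS running-config export, containing the Part 1 rule (Allow-App-Specific) and the Part 2 rule (Allow-App-Hardened) from this guide, and reports which hardening checks each allow rule fails.

```python
# Added example: audit PAN-OS security rules against the Part 2 hardening checks.
# RULEBASE_XML is a constructed sample mirroring the two rules in this guide;
# its element layout follows the PAN-OS running-config format.
import xml.etree.ElementTree as ET

RULEBASE_XML = """
<rules>
  <entry name="Allow-App-Specific">
    <from><member>Trust</member></from><to><member>Untrust</member></to>
    <source><member>SRC-App-Server</member></source>
    <destination><member>DST-App-FQDN</member></destination>
    <application><member>any</member></application>
    <service><member>App-Ports</member></service>
    <category><member>Wildcard-App-Domain</member></category>
    <action>allow</action><log-start>yes</log-start><log-end>yes</log-end>
  </entry>
  <entry name="Allow-App-Hardened">
    <from><member>Trust</member></from><to><member>Untrust</member></to>
    <source><member>SRC-App-Group</member></source>
    <destination><member>DST-App-FQDN</member></destination>
    <application><member>web-browsing</member><member>ssl</member><member>mysql</member></application>
    <service><member>application-default</member></service>
    <category><member>Wildcard-App-Domain</member></category>
    <profile-setting><group><member>Strict-Profile-Group</member></group></profile-setting>
    <action>allow</action><log-start>yes</log-start><log-end>yes</log-end>
  </entry>
</rules>
"""

def members(entry, path):
    """Collect the <member> values under a rule element such as application or service."""
    return [m.text for m in entry.findall(f"{path}/member")]

def audit_rule(entry):
    """Return the list of Part 2 checks that an allow rule fails (empty list = hardened)."""
    findings = []
    if entry.findtext("action") != "allow":
        return findings  # deny/drop rules do not need profiles or App-ID narrowing
    if "any" in members(entry, "application"):
        findings.append("application is any (App-ID not enforced)")
    if members(entry, "service") != ["application-default"]:
        findings.append("service is not application-default")
    if not members(entry, "profile-setting/group"):
        findings.append("no security profile group attached")
    if entry.findtext("log-end") != "yes":
        findings.append("end-of-session logging disabled")
    return findings

def audit_rulebase(xml_text):
    """Map each rule name to its list of failed hardening checks."""
    root = ET.fromstring(xml_text.strip())
    return {e.get("name"): audit_rule(e) for e in root.findall("entry")}

if __name__ == "__main__":
    for name, findings in audit_rulebase(RULEBASE_XML).items():
        print(name, "->", findings or ["OK"])
```

Against a real firewall, feed the script the output of an XML export of the security rulebase instead of the constructed sample.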

Step 7: Zone Protection

Enable on Untrust:

  • SYN flood
  • UDP flood
  • ICMP flood

Step 8: Validation

show session all filter destination <dst-ip>
show log threat

Final Notes

  • Part 1 = connectivity
  • Part 2 = security

Do not deploy Part 1 alone in production.