Configuring Security Policies

Author: Giles Bradford
Configuring Security Policies Tech Note

Revision C

©2012, Palo Alto Networks, Inc. www.paloaltonetworks.com

Contents

Overview
Security policy guidelines
Topology
Case 1: Security Policy using Application and Service "application-default"
Case 2: Security Policy using Application and Service ANY
Case 3: Implications of deny all Security Policy
Revision History


Overview

Security policies determine whether to allow or block a new network session based on traffic attributes such as the source and destination security zones, the source and destination addresses, the application and the service. This document explains how the service definition in a rule works together with the application, and the best practice for creating security policies.

Security policy guidelines

Security policies on a PAN-OS firewall match on source, destination, application and service. The application and service columns together specify which applications are allowed or denied on a defined set of ports, or on all available ports. The service column lets the administrator choose one of the following:

1. application-default
2. The pre-defined services "service-http" and "service-https"
3. any
4. A custom service

application-default
The service application-default causes the rule to match the application only on the standard ports associated with that application (for example web-browsing on TCP port 80). An application that is detected on a non-standard port does not match such a rule.

Pre-defined services service-http and service-https
The pre-defined service service-http uses TCP ports 80 and 8080, and service-https uses TCP port 443. Use them in a security policy when you want to restrict web browsing and HTTPS to exactly these ports.

any
The pre-defined service any matches any TCP/UDP port. Use this service in rules that deny applications, so that the application is blocked on every port.

Custom service
Administrators can create their own definition of TCP/UDP port numbers (a custom service object) to restrict the use of an application to specific ports.

Topology

In this document we refer to the topology shown below when discussing the different security policy scenarios. The client also uses the nmap tool to scan the server (15.0.3.101) for open ports.

Note: By default, PAN-OS denies traffic that is not permitted by a security policy, and this denied traffic is not logged. In the examples below, a security policy that denies and logs traffic between any zones is created for illustration. Please refer to the section "Implications of deny all Security Policy" before creating a security policy that denies traffic to and from any zone.

Case 1: Security Policy using Application and Service "application-default"

Note: Using the service application-default is the recommended practice when configuring security policies that allow applications.


In this example we want to allow web browsing to the server on the default port and all other traffic to be denied.

Because the security policy uses the service "application-default", web-browsing traffic on its standard port that matches this policy is allowed. All other traffic matches the DENY rule and is logged with the application not-applicable, as shown.

Running an nmap scan against the server from the client shows the following services running on the server:

admin@client:~$ nmap -T4 -F 15.0.3.101

Starting Nmap 5.21 ( http://nmap.org ) at 2012-07-09 15:29 PDT
Nmap scan report for 15.0.3.101
Host is up (0.0024s latency).
Not shown: 98 filtered ports
PORT   STATE SERVICE
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 3.30 seconds

Case 2: Security Policy using Application and Service ANY

Note: Use the service any to block applications on all ports. In this example we create a policy that allows web-browsing with service any only to demonstrate the behavior of the security policy. It is recommended to use the service application-default for every policy with an allow action.

Because the security policy uses the service "any", web browsing on all ports is allowed by the policy. When the client attempts to connect to the server using an application other than web browsing, the traffic is evaluated against the first policy until the application is identified, since a service of any does not exclude the destination port. This covers the first few packets from the client. Once the application is identified and determined to be something other than web browsing, the deny policy is enforced for the session. If the client establishes a connection with the server but does not send enough data to identify the application, the session is logged with the application "incomplete" and remains open until the default session timeout expires: 3600 seconds for TCP and 60 seconds for UDP.
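The following Python model is added here as an illustration; it is not code from the tech note or from Palo Alto Networks. It reproduces the decision the firewall makes for the service options listed under Security policy guidelines and for Cases 1 and 2: a rule can only be excluded on port before payload is seen, and only on application once App-ID has identified it. The App-ID default-port table, the rule names, and the reduction of matching to service and application (zones and addresses are assumed to match every rule) are assumptions of the example.

```python
"""Model of how the service column and App-ID decide a new session's fate
(Cases 1 and 2). Added illustration only, not code from the tech note or
from Palo Alto Networks. Zones and addresses are assumed to match every
rule; the default-port table is an assumed subset of the App-ID database."""
from dataclasses import dataclass, field

# (protocol, port) pairs that "application-default" means for each App-ID.
APP_DEFAULT_PORTS = {
    "web-browsing": {("tcp", 80)},
    "ssh": {("tcp", 22)},
    "nfs": {("tcp", 2049), ("udp", 2049)},
}

# Pre-defined services from the guidelines section.
PREDEFINED_SERVICES = {
    "service-http": {("tcp", 80), ("tcp", 8080)},
    "service-https": {("tcp", 443)},
}


@dataclass
class Rule:
    name: str
    application: str       # App-ID name or "any"
    service: str           # "application-default", "any", a pre-defined or a custom service name
    action: str            # "allow" or "deny"
    custom_ports: set = field(default_factory=set)   # ports of a custom service


def port_possible(rule, proto, port):
    """Could the rule match a session on (proto, port) before any payload has
    been seen? This is all the firewall knows on the first packet."""
    if rule.service == "any":
        return True
    if rule.service == "application-default":
        if rule.application == "any":
            return any((proto, port) in ports for ports in APP_DEFAULT_PORTS.values())
        return (proto, port) in APP_DEFAULT_PORTS.get(rule.application, set())
    if rule.service in PREDEFINED_SERVICES:
        return (proto, port) in PREDEFINED_SERVICES[rule.service]
    return (proto, port) in rule.custom_ports


def app_matches(rule, app, proto, port):
    """Does the rule still match once App-ID has identified the application?"""
    if rule.application not in ("any", app):
        return False
    if rule.service == "application-default":
        return (proto, port) in APP_DEFAULT_PORTS.get(app, set())
    return True


def evaluate_session(rules, proto, port, app=None):
    """Return (name of the rule applied, application as it would be logged).
    app=None models a client that never sends payload, such as an nmap SYN
    probe, so App-ID stays 'incomplete'."""
    for rule in rules:
        if not port_possible(rule, proto, port):
            continue
        if app is None:
            # Nothing excludes this rule yet, so it is the tentative match: an
            # allow rule lets the handshake through and the session is logged
            # as incomplete; a deny rule drops the first packet (not-applicable).
            return rule.name, ("incomplete" if rule.action == "allow" else "not-applicable")
        if app_matches(rule, app, proto, port):
            return rule.name, app
    return None, "not-applicable"      # implicit default deny, not logged


def case1_rules():
    """Case 1: web-browsing on application-default, then a logging deny all."""
    return [Rule("allow-web", "web-browsing", "application-default", "allow"),
            Rule("deny-all", "any", "any", "deny")]


def case2_rules():
    """Case 2: the same allow rule with service any."""
    return [Rule("allow-web", "web-browsing", "any", "allow"),
            Rule("deny-all", "any", "any", "deny")]


if __name__ == "__main__":
    for label, rules in (("Case 1", case1_rules()), ("Case 2", case2_rules())):
        print(label, "SYN to tcp/2049, no payload:", evaluate_session(rules, "tcp", 2049))
        print(label, "nfs on tcp/2049:           ", evaluate_session(rules, "tcp", 2049, "nfs"))
        print(label, "web-browsing on tcp/80:    ", evaluate_session(rules, "tcp", 80, "web-browsing"))
        print(label, "ssh tunnelled over tcp/80: ", evaluate_session(rules, "tcp", 80, "ssh"))
```

Running the model shows the difference between the two cases on a payload-less SYN to tcp/2049: under Case 1 the first rule is excluded on port, so the deny rule drops the packet and logs not-applicable; under Case 2 the first rule is the tentative match, the handshake completes and the session is logged as incomplete. Once payload identifies the application as nfs, both rulebases end at the deny rule.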

Running an nmap scan from the client now shows the following services open on the server:

admin@client:~$ nmap -T4 -F 15.0.3.101

Starting Nmap 5.21 ( http://nmap.org ) at 2012-07-09 15:33 PDT
Nmap scan report for 15.0.3.101
Host is up (0.0019s latency).
Not shown: 93 closed ports
PORT     STATE    SERVICE
22/tcp   open     ssh
37/tcp   filtered time
53/tcp   filtered domain
80/tcp   open     http
111/tcp  open     rpcbind
515/tcp  filtered printer
2049/tcp open     nfs

Nmap done: 1 IP address (1 host up) scanned in 1.24 seconds

The results of the nmap scan can be misinterpreted as showing that the client was able to connect to the server using the applications listed above. It is important to note that the firewall logs show the application as incomplete. This is because the nmap scan does not send any application data; it only probes the TCP port to see whether it is open or closed. Had any application data been sent, the application would have been identified and the session denied by the deny rule. The two scans also differ in how the unanswered ports are reported: in Case 1 nmap shows them as filtered because the firewall dropped the probes, whereas here it shows them as closed because the probes reached the server, which answered with a reset. Both "open" and "closed" therefore mean only that the firewall forwarded the handshake, not that an application was allowed.
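To make explicit what the two scans prove, here is an added example, not part of the tech note, that parses nmap's normal output (the scan text is copied from the two runs above) and lists the ports whose probe the firewall forwarded to the server. The regular expressions assume nmap's default, human-readable output format; the interpretation of the port states is nmap's own.

```python
"""Interpreting the two nmap runs from Case 1 and Case 2. Added illustration,
not part of the tech note. The scan text is copied from the tech note; the
parser assumes nmap's normal output format (not -oG or -oX)."""
import re

CASE1_SCAN = """\
Starting Nmap 5.21 ( http://nmap.org ) at 2012-07-09 15:29 PDT
Nmap scan report for 15.0.3.101
Host is up (0.0024s latency).
Not shown: 98 filtered ports
PORT   STATE SERVICE
80/tcp open  http
Nmap done: 1 IP address (1 host up) scanned in 3.30 seconds
"""

CASE2_SCAN = """\
Starting Nmap 5.21 ( http://nmap.org ) at 2012-07-09 15:33 PDT
Nmap scan report for 15.0.3.101
Host is up (0.0019s latency).
Not shown: 93 closed ports
PORT     STATE    SERVICE
22/tcp   open     ssh
37/tcp   filtered time
53/tcp   filtered domain
80/tcp   open     http
111/tcp  open     rpcbind
515/tcp  filtered printer
2049/tcp open     nfs
Nmap done: 1 IP address (1 host up) scanned in 1.24 seconds
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(open|closed|filtered|open\|filtered)\s+(\S+)", re.M)
NOT_SHOWN = re.compile(r"Not shown: (\d+) (open|closed|filtered) ports")


def parse_scan(text):
    """Return (explicit port states, (count, state) of the ports nmap folded
    into its 'Not shown' summary line)."""
    ports = {f"{p}/{proto}": state for p, proto, state, _ in PORT_LINE.findall(text)}
    m = NOT_SHOWN.search(text)
    hidden = (int(m.group(1)), m.group(2)) if m else (0, None)
    return ports, hidden


def probe_reached_host(state):
    """'open' and 'closed' both mean the SYN was forwarded and the host
    answered (SYN/ACK or RST). 'filtered' means no reply came back."""
    return state in ("open", "closed")


def forwarded_ports(text):
    """Ports whose probe the firewall let through in one scan: the explicit
    ones, plus the count hidden in the 'Not shown' line."""
    ports, (count, state) = parse_scan(text)
    explicit = sorted((p for p, s in ports.items() if probe_reached_host(s)),
                      key=lambda p: int(p.split("/")[0]))
    return explicit, (count if probe_reached_host(state) else 0)


def compare_scans(before, after):
    """Ports dropped by the firewall in `before` but answered by the host in
    `after`. These reflect a policy change, not applications the client used:
    without payload the sessions stay 'incomplete' in the traffic log."""
    before_explicit, _ = forwarded_ports(before)
    after_explicit, after_hidden = forwarded_ports(after)
    newly = [p for p in after_explicit if p not in before_explicit]
    return {"newly_answered": newly, "hidden_answered": after_hidden}


if __name__ == "__main__":
    print("Case 1 forwarded:", forwarded_ports(CASE1_SCAN))
    print("Case 2 forwarded:", forwarded_ports(CASE2_SCAN))
    print("Difference      :", compare_scans(CASE1_SCAN, CASE2_SCAN))
```

Under the application-default rule only tcp/80 is answered; under the service any rule 4 listed ports plus the 93 "closed" ports are answered, which is exactly the set of SYNs the firewall forwarded before App-ID could exclude the first rule. The ports nmap still reports as filtered produced no reply, so the parser leaves them out of both sets.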

Case 3: Implications of deny all Security Policy

Any traffic that is not allowed by a security policy is denied by the firewall. However, traffic denied by this implicit default policy is not logged by the firewall, as the default-policy-logging setting in the following CLI output shows:

admin@5060> show system setting logging

Max. logging rate:            50000 cnt/s
Max. packet logging rate:      2560 KB/s
Traffic log generation rate:      0 cnt/s
Threat log generation rate:       0 cnt/s
Log sent rate:                50000 cnt/s
Current traffic log count:        0
Current threat log count:         0
Random traffic log drop:        off
Log suppression:                 on
default-policy-logging:         off

In order to view the traffic that is denied by the firewall, you will have to create a security policy to deny traffic as shown below.

It is very important to note that a deny all policy also denies all intrazone traffic and all traffic destined to the firewall itself that arrives on dataplane interfaces, such as IPSec, GlobalProtect and management traffic using the dataplane interfaces. Only traffic on the out-of-band management interface is not subject to security policy evaluation. Because rules are evaluated in order, before creating a deny all security policy you must create, above it, security policies:

o To allow intrazone traffic
o To allow traffic to the firewall: IKE, IPSec, GlobalProtect

An example of the modified security policy is shown below.
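As an added example (not Palo Alto Networks code), the following Python check is the pre-flight review to run over a rulebase before committing the deny all rule: given the rules in order, it reports the intrazone flows and the firewall-self traffic that would fall into the deny rule, or into the unlogged implicit deny if no deny rule exists yet. Matching is reduced to zones and application. The zone names trust and untrust, and the App-ID names ike, ipsec-esp and panos-global-protect used for IKE, IPSec and GlobalProtect, are assumptions of the example; verify them against the App-ID database on your firewall.

```python
"""Pre-flight check before adding a deny all rule (Case 3). Added
illustration, not Palo Alto Networks code: matching is reduced to zones and
application, and the zone and App-ID names below are assumed."""
from dataclasses import dataclass

# Sentinel for "arbitrary traffic": only rules whose application is "any" match it.
ANY_TRAFFIC = "*"


@dataclass
class Rule:
    name: str
    from_zones: set
    to_zones: set
    applications: set    # {"any"} or a set of App-ID names
    action: str          # "allow" or "deny"


def rule_matches(rule, src_zone, dst_zone, app):
    zones_ok = ("any" in rule.from_zones or src_zone in rule.from_zones) and \
               ("any" in rule.to_zones or dst_zone in rule.to_zones)
    apps_ok = "any" in rule.applications or app in rule.applications
    return zones_ok and apps_ok


def verdict(rules, src_zone, dst_zone, app):
    """(rule name, action) of the first rule that matches, in rulebase order;
    (None, 'implicit-deny') when only the unlogged default deny applies."""
    for rule in rules:
        if rule_matches(rule, src_zone, dst_zone, app):
            return rule.name, rule.action
    return None, "implicit-deny"


def preflight(rules, intrazone_zones, firewall_self_traffic):
    """List the flows the rulebase does not allow: intrazone traffic in each
    of intrazone_zones, and the (src zone, dst zone, app) flows the firewall
    itself must accept on its dataplane interfaces. An empty list is a pass."""
    findings = []
    for zone in intrazone_zones:
        name, action = verdict(rules, zone, zone, ANY_TRAFFIC)
        if action != "allow":
            findings.append(f"intrazone {zone}->{zone}: {action} by {name}")
    for src, dst, app in firewall_self_traffic:
        name, action = verdict(rules, src, dst, app)
        if action != "allow":
            findings.append(f"to-firewall {src}->{dst} {app}: {action} by {name}")
    return findings


# Constructed input (assumed zone and App-ID names). Traffic to the firewall's
# own untrust interface is seen as untrust -> untrust.
INTRAZONE_ZONES = ["trust"]
SELF_TRAFFIC = [("untrust", "untrust", "ike"),
                ("untrust", "untrust", "ipsec-esp"),
                ("untrust", "untrust", "panos-global-protect")]

ALLOW_WEB = Rule("allow-web", {"trust"}, {"untrust"}, {"web-browsing"}, "allow")
DENY_ALL = Rule("deny-all", {"any"}, {"any"}, {"any"}, "deny")
# The rules the tech note says must exist before the deny all rule:
ALLOW_INTRAZONE_TRUST = Rule("allow-intrazone-trust", {"trust"}, {"trust"}, {"any"}, "allow")
ALLOW_TO_FIREWALL = Rule("allow-to-firewall", {"untrust"}, {"untrust"},
                         {"ike", "ipsec-esp", "panos-global-protect"}, "allow")


def tech_note_rulebase():
    """Case 1/2 rulebase: allow-web followed by the logging deny all rule."""
    return [ALLOW_WEB, DENY_ALL]


def fixed_rulebase():
    """Same rulebase with the required allow rules placed above deny all."""
    return [ALLOW_TO_FIREWALL, ALLOW_INTRAZONE_TRUST, ALLOW_WEB, DENY_ALL]


def shadowed_rulebase():
    """The allow rules exist but sit below deny all, so they never match."""
    return [ALLOW_WEB, DENY_ALL, ALLOW_TO_FIREWALL, ALLOW_INTRAZONE_TRUST]


if __name__ == "__main__":
    for label, rb in (("tech note", tech_note_rulebase()), ("fixed", fixed_rulebase()),
                      ("shadowed", shadowed_rulebase())):
        print(label, preflight(rb, INTRAZONE_ZONES, SELF_TRAFFIC) or "OK")
```

The shadowed rulebase is the case to watch for in practice: the allow rules are present, but because deny all sits above them the check reports the same four findings as the original rulebase. Only the untrust zone's own intrazone traffic is left to the explicit to-firewall rule here, so that untrust-to-untrust traffic other than IKE, IPSec and GlobalProtect still ends at deny all.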


Revision History

Date               Revision   Comment
March 11, 2013     C          Updated screenshot for CLI in Case 3. Also removed the reference to PAN-OS 4.1, since this tech note can be used for any version of PAN-OS.
December 5, 2012   B          Updated with deny all policy.
July 30, 2012      A          First release of document.