
SECURITY AND NAT POLICIES
GET TRAFFIC FLOWING

EDU-210 Version A
PAN-OS® 9.0

Agenda
• Security policy fundamental concepts
• Security policy administration
• Network address translation
• Source NAT configuration
• Destination NAT configuration
Now that you have completed this module, you should be able to:

• Display and manage Security policy rules
• Describe the differences between implicit and explicit rules
• Create a Security policy
• Describe the differences between source and destination NAT
• Configure source NAT
• Configure destination NAT port forwarding

2 | © 2019 Palo Alto Networks, Inc.


Flow Logic of the Next-Generation Firewall

Diagram (recovered from the slide):

Session Setup: does the traffic match an existing session?
• No: Source Zone and/or DoS Protection -> Forwarding Lookup (PBF) -> Destination Zone (plus DNAT check) -> Security Policy Check (App-ID ignored) -> Assign Session ID
• Yes: continue to Inspection and Enforcement

Inspection: App-ID -> Encrypted? (if yes, Decrypt Policy? if yes, decrypt) -> Content-ID
Enforcement: Security Policy* -> Security Profiles -> Forward Traffic (re-encrypt if decrypted)

* Policy check relies on pre-NAT IP addresses


Section: Security policy fundamental concepts


Controlling Network Traffic

• Multiple match criteria are available to control network traffic.

Diagram: network packets arrive at the firewall data plane and are either matched and allowed or matched and blocked.

Fields in Security policy rules:
• Basic criteria: source zone, destination zone
• More granular criteria: source address, destination address, port, application, URL category, source user, HIP profile


Sessions and Flows

Diagram: a session between the traffic initiator (client) and the traffic responder (server). The c2s flow must be enabled by a rule; the s2c flow is the return traffic, which is allowed.

• A packet is matched to a session; each session is matched to a Security policy rule.
• A session can consist of one or two flows:
  • Single-flow example: multicast traffic
  • Two-flow example: TCP traffic
• The server definition for a firewall is different from the server definition for hosts:
  • Traffic responder versus providing a service


Displaying and Managing Security Policy Rules
Policies > Security

• Display and manage Security policy rules using the web interface.
• Click any column header to change the number of displayed columns:
  • Customized per user
• The list order matches the column order displayed in the web interface.


Security Policy Rule Types
• Three rule types
• The rule type specifies whether a rule applies to traffic within a zone, between zones, or both.

Diagram (source zones to destination zones):
• intrazone: ZoneA to ZoneA, ZoneB to ZoneB (traffic stays within one zone)
• interzone: ZoneA to ZoneB, ZoneB to ZoneA (traffic crosses zones)
• universal: both intrazone and interzone traffic
Implicit and Explicit Rules
• By default the firewall implicitly allows intrazone traffic and denies interzone traffic.
• Create explicit rules to control all other traffic.

Callouts: explicit rule; by default its traffic is logged. Implicit rules; by default their traffic is not logged.


Security Policy Rule Match
• Rules are evaluated from top to bottom.
• After a rule matches, further rules are not evaluated.

• Could Rule A and Rule B be combined? Yes:
  • Place Inside and Guest together in the source zone.
  • Outside remains in the destination zone.


Policy Rule Hit Count
• Identify rules that are frequently or seldom used.
• Determine the first time and last time a rule was used.
• View the number of applications seen by a rule.
• Can be used to verify configuration changes.

Callouts: timestamp of the first policy rule match and the last policy rule match; number of applications seen by this rule.


Rule Shadowing
• Traffic can match multiple rules.
• Earlier rule hides (casts a shadow over) later rule.
• Reorder or refine rules to remove shadowing.
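The rule-type, implicit/explicit, first-match and shadowing behaviour described on the preceding slides, modelled in Python. This is an added example, not part of the course deck or of PAN-OS itself: the rule names, the "Combined" rule (Rule A and Rule B merged into one rule placed below them) and the "Block-DMZ" rule are constructed, and the shadow check enumerates only the zones and applications the ruleset names plus a sentinel for anything unnamed.

```python
from dataclasses import dataclass

ANY = "any"   # the PAN-OS "any" keyword, modelled as a wildcard


@dataclass
class Rule:
    name: str
    src_zones: set
    dst_zones: set
    apps: set
    action: str                   # "allow" or "deny"
    rule_type: str = "universal"  # intrazone | interzone | universal

    def matches(self, src_zone, dst_zone, app):
        # Rule type first: an intrazone rule never matches traffic that crosses
        # zones, an interzone rule never matches traffic that stays in one zone.
        if self.rule_type == "intrazone" and src_zone != dst_zone:
            return False
        if self.rule_type == "interzone" and src_zone == dst_zone:
            return False
        return (self._covers(self.src_zones, src_zone)
                and self._covers(self.dst_zones, dst_zone)
                and self._covers(self.apps, app))

    @staticmethod
    def _covers(criteria, value):
        return ANY in criteria or value in criteria


def evaluate(rules, src_zone, dst_zone, app):
    """First match wins, top to bottom; later rules are not evaluated.
    Traffic matching no explicit rule falls through to the implicit rules:
    intrazone-default allows, interzone-default denies."""
    for rule in rules:
        if rule.matches(src_zone, dst_zone, app):
            return rule.name, rule.action
    if src_zone == dst_zone:
        return "intrazone-default", "allow"
    return "interzone-default", "deny"


def shadowed_rules(rules):
    """Rules that can never be hit because every match tuple they cover is
    already claimed by an earlier rule. The universe is the set of zones and
    applications named in the ruleset plus a sentinel for anything unnamed, so a
    later "any" rule is not reported as shadowed by earlier specific rules."""
    zones, apps = {"<other-zone>"}, {"<other-app>"}
    for r in rules:
        zones |= (r.src_zones | r.dst_zones) - {ANY}
        apps |= r.apps - {ANY}
    shadowed = []
    for i, rule in enumerate(rules):
        own = [(s, d, a) for s in zones for d in zones for a in apps
               if rule.matches(s, d, a)]
        if own and all(any(e.matches(*t) for e in rules[:i]) for t in own):
            shadowed.append(rule.name)
    return shadowed


# Constructed ruleset modelled on the slide's Rule A / Rule B question. "Combined"
# merges A and B but sits below them, so it is fully shadowed (names are assumed).
RULES = [
    Rule("Rule A", {"Inside"}, {"Outside"}, {ANY}, "allow"),
    Rule("Rule B", {"Guest"}, {"Outside"}, {ANY}, "allow"),
    Rule("Combined", {"Inside", "Guest"}, {"Outside"}, {ANY}, "allow"),
    Rule("Block-DMZ", {ANY}, {"DMZ"}, {"ssh"}, "deny"),
]

if __name__ == "__main__":
    print(evaluate(RULES, "Inside", "Outside", "web-browsing"))  # ('Rule A', 'allow')
    print(evaluate(RULES, "Inside", "DMZ", "ssh"))               # ('Block-DMZ', 'deny')
    print(evaluate(RULES, "DMZ", "Inside", "ssh"))               # ('interzone-default', 'deny')
    print(shadowed_rules(RULES))                                 # ['Combined']
```

The fix for the shadowed rule is the one the slide describes: delete Rule A and Rule B and move "Combined" up, or delete "Combined"; either way the remaining rules cover the same traffic with one fewer entry to audit.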

Section: Security policy administration


Creating Security Policy Rules: General Tab
Policies > Security > Add

Callouts:
• The Usage tab appears after the policy rule is created.
• Optional fields, for easier visual identification and web interface filtering.
• Add an audit comment listing what was added, when, and by whom.
• View the audit comments, configuration logs, and rule change history.
Creating Security Policy Rules: Source Tab

Callout: Default is Any; can add multiple addresses, address groups, or geographical regions.


Creating Security Policy Rules: User Tab
• The User-ID feature is mandatory to use source user as a match criterion.

Callout: Default is any; can add multiple users or user groups.


Creating Security Policy Rules: Destination Tab

Callout: Default is Any; can add multiple addresses, address groups, or geographical regions.


Creating Security Policy Rules: Application Tab

Callout: Default is Any; can add multiple applications.


Creating Security Policy Rules: Service/URL Category Tab

Callouts: Service default is application-default; can add one or more services. URL Category default is Any; can add multiple URL categories.


Creating Security Policy Rules: Actions Settings

Callouts:
• Optional; add session start logging for troubleshooting.
• Available with the “drop” and all “reset” actions.
• Can schedule when the rule is active.


Creating Security Policy Rules: Usage Settings

Callouts:
• When the rule was created and last updated
• Number of applications seen by this rule
• Provides tools to migrate from port-based rules
• Displays Hit Count data
• Traffic over the past 30 days


Scheduling Security Policy Rules
Objects > Schedules > Add

• Policy rules may be enforced on only specific days and time periods.
• Use 24-hour time format.
• Can specify:
  • Daily
  • Days of week
  • Calendar days

Callouts: create a schedule with one or more start and end times, then apply the schedule to a rule at Policies > Security > <select_rule> > Actions.


Managing the Policy Ruleset
Policies > Security

Callouts: line numbers do not move when a rule moves; disabled rules display in italics.

• Add, Delete, Clone, Override, Revert, Enable, Disable, and Move options
• Rules can be reordered to match requirements (use Move or drag-and-drop).
• Disabling a rule retains the entry while making it non-operative.
Universally Unique Identifiers (UUIDs)
Policies > Security

• Creates a unique identifier for every Security policy rule
• Provides a complete history of a Security policy rule, even if the rule name is changed
• Must add a column to display UUIDs
Finding Unused Security Policy Rules
• Remove unused rules to:
  • Increase firewall operational efficiency
  • Simplify rule management
• The firewall tracks rules unused since the last time the data plane restarted.

Policies > Security: unused rules are highlighted.


Rule Usage Filter
Policies > Policy Optimizer > Rule Usage


Address Objects
• Represents one or more IP addresses
• Used in policy rule source and destination address fields
Objects > Addresses > Add

Callout: use the new Address object.


Tags
Objects > Tags > Add

• Use tags to visually search, or use tag filters to find objects.
• Rules and objects can have multiple tags.

Callouts: filter for a tag; assign a tag; look for the tag color; assign a rule to a tag group.
Tag-Based Rule Groups
• Visually groups rules based on the tagging structure
• Can perform operational procedures within the selected tag group
Policies > Security

Callout: maintains rule priority.


Creating a New Service Definition
Objects > Services > Add

• Service definitions are assigned ports.
• Services limit the ports that applications can use.
• service-http and service-https are the only predefined services.

Callout: use the new service.


Using Global Find

• Search the candidate configuration and content databases for occurrences of a string.
• Launch from Search or the context menu.

Callout: SMTP string found; click the link(s) to open in the web interface.


Enabling Intrazone and Interzone Logging
Policies > Security > <select_default_rule>
• Traffic matching the default rules normally is not logged.
• Can be logged for visibility and troubleshooting purposes.


Rule Changes Archive

Callouts: displays audit comment history; compares changes between configuration versions; displays configuration logs.


Test Policy Functionality
Policies > Security

Callouts: test criteria; policy matched; policy details.


Viewing the Traffic Log
Monitor > Logs > Traffic

• Each Security policy rule can log the start and/or end of each session.
• Default is to log session end.
• Temporarily add session start for troubleshooting.

Callout: view details.

Section: Network address translation


Flow Logic of the Next-Generation Firewall (repeated)

Same flow diagram as at the start of the module. In session setup the destination zone is determined together with the DNAT check before the Security policy check, and the Security policy check relies on pre-NAT IP addresses.
NAT Types
• Source NAT commonly is used for private (internal) users to access the public internet (outbound traffic).
• Destination NAT often is used to provide hosts on the public (external) network access to private (internal) servers.

Diagram: Inside, DMZ, and Outside zones, with the internet beyond Outside. Source NAT applies to Inside-to-internet traffic; destination NAT applies to internet traffic bound for the web server in the DMZ.

Section: Source NAT configuration


Source NAT
• Source NAT translates an original source IP address to an alternate source IP address.

Diagram: host 192.168.15.47 (Inside) sends to 203.0.113.38 on the internet; the translated (Outside) address is 198.51.100.22.

Before (zones Inside -> Outside):   Source 192.168.15.47   Destination 203.0.113.38
After (zones Outside -> Outside):   Source 198.51.100.22   Destination 203.0.113.38


Source NAT Types
• Static IP:
  • 1-to-1 fixed translations
  • Changes the source IP address while leaving the source port unchanged
  • Supports the implicit bidirectional rule feature
• Dynamic IP:
  • 1-to-1 translations of a source IP address only (no port number)
  • Private source address translates to the next available address in the range
• Dynamic IP and port (DIPP):
  • Allows multiple clients to use the same public IP addresses with different source port numbers
  • The assigned address can be set to the interface address or to a translated address


Source NAT and Security Policies

Diagram: 192.168.15.47 in Inside (e1/1) reaches the internet host 203.0.113.38 through Outside (e1/4); the translated address is 198.51.100.22.

Policies > NAT: the NAT rule matches on pre-NAT zones and pre-NAT addresses.
Policies > Security: the Security rule uses the pre-NAT source address, the post-NAT destination zone, and the pre-NAT destination address.

Configuring Source NAT

Callouts on the NAT rule: match criteria; translation.


Source NAT Examples
Policies > NAT

• Static 1:1 translation
• Dynamic IP translation

Source NAT Examples (Cont.)
Policies > NAT

• Dynamic IP and port translation

Configuring Bidirectional Source NAT
• Enables internal servers to send and receive traffic through the firewall
• Available only for static NAT

Policies > NAT


DIPP NAT Oversubscription
• The same translated IP address and port pair can be used multiple times in concurrent sessions:
  • Assumes that hosts are connecting to different destinations

Device > Setup > Session > Session Settings

Internal source port   Firewall source port   Destination address
26435                  25661                  51.6.33.12
35435                  25661                  161.8.55.4
21569                  25661                  201.55.45.1
51043                  25661                  17.39.25.6

Concurrent sessions = oversubscription rate (8/4/2) x address pool size
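A small Python model of DIPP source NAT with oversubscription, covering the DIPP bullet on the Source NAT Types slide and the oversubscription table above. This is an added example and not code from the deck or from PAN-OS: the allocator is first-fit, the port range is deliberately tiny (25661 onward, so the slide's firewall port appears), the internal host address 192.168.15.47 and destination port 443 are assumed, and the slide's formula is applied per translated port.

```python
from dataclasses import dataclass, field


@dataclass
class DippTranslator:
    """Dynamic IP and port (DIPP) source NAT with oversubscription.

    A translated (address, port) pair is reused for concurrent sessions as long
    as each session goes to a different destination, which keeps return traffic
    unambiguous; reuse per pair is capped by the oversubscription rate."""
    pool: list                          # translated (public) source addresses
    rate: int                           # oversubscription rate: 8, 4 or 2 (1 = off)
    ports: range = range(25661, 25665)  # constructed, deliberately tiny port range
    table: dict = field(default_factory=dict)  # (xlat_ip, xlat_port) -> {dst: (src_ip, src_port)}

    def sessions_per_port(self) -> int:
        # Slide formula: concurrent sessions = oversubscription rate x address pool size
        # (applied per translated port in this model; an assumption of the example)
        return self.rate * len(self.pool)

    def translate(self, src_ip, src_port, dst_ip, dst_port):
        """c2s: first pair that is neither at its rate cap nor already carrying
        a session to this same destination."""
        dst = (dst_ip, dst_port)
        for ip in self.pool:
            for port in self.ports:
                used = self.table.setdefault((ip, port), {})
                if dst in used or len(used) >= self.rate:
                    continue
                used[dst] = (src_ip, src_port)
                return ip, port
        raise RuntimeError("DIPP pool exhausted")

    def untranslate(self, xlat_ip, xlat_port, remote_ip, remote_port):
        """s2c: the reply's destination pair plus its source (the remote server)
        identifies exactly one internal (ip, port)."""
        return self.table[(xlat_ip, xlat_port)][(remote_ip, remote_port)]

    def release(self, xlat_ip, xlat_port, remote_ip, remote_port):
        """Session end: free the slot so the pair can be reused."""
        del self.table[(xlat_ip, xlat_port)][(remote_ip, remote_port)]


# Constructed sessions that reproduce the slide's table: four internal source
# ports to four destinations all share firewall port 25661 at rate 4.
SLIDE_SESSIONS = [
    ("192.168.15.47", 26435, "51.6.33.12", 443),
    ("192.168.15.47", 35435, "161.8.55.4", 443),
    ("192.168.15.47", 21569, "201.55.45.1", 443),
    ("192.168.15.47", 51043, "17.39.25.6", 443),
]


def demo():
    nat = DippTranslator(pool=["198.51.100.22"], rate=4)
    mapped = [nat.translate(*s) for s in SLIDE_SESSIONS]
    # A fifth session to a new destination finds 25661 at its cap and moves on.
    fifth = nat.translate("192.168.15.47", 40000, "203.0.113.38", 443)
    return nat, mapped, fifth


if __name__ == "__main__":
    nat, mapped, fifth = demo()
    print(mapped)   # four times ('198.51.100.22', 25661)
    print(fifth)    # ('198.51.100.22', 25662)
```

The check worth keeping in mind when sizing the rate: two sessions to the same destination address and port can never share a translated pair, whatever the rate, because the firewall could not tell their replies apart; the model refuses that reuse and takes the next free port instead.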
Section: Destination NAT configuration


Destination NAT

• Destination NAT translates an original destination IP address to an alternate destination IP address.

Diagram: internet host 203.0.113.38 connects to www.example.com at 198.51.100.22 (Outside); the firewall translates the destination to the server 192.168.16.2 in the DMZ.

Before (zones Outside -> Outside):   Source 203.0.113.38   Destination 198.51.100.22
After (zones Outside -> DMZ):        Source 203.0.113.38   Destination 192.168.16.2


Destination NAT Attributes
• Static IP:
  • 1-to-1 fixed translations
  • Changes the destination IP address while leaving the destination port unchanged
  • Also enabled by static source NAT with the Bi-directional option set

Policies > NAT > Add


Dynamic IP Address Support for Destination NAT

• Translates the original IP address to a destination host with a DHCP-assigned IP address.
• The translated address can be an FQDN, address object, or address group.

Policies > NAT > Add. Callout: set the translation type to Dynamic IP.


Destination NAT and Security Policies

Diagram: internet host 203.0.113.38 reaches www.example.com at 198.51.100.22 through Outside (e1/4); the server 192.168.16.2 is in the DMZ.

Policies > NAT: the NAT rule matches on pre-NAT zones and the pre-NAT address.
Policies > Security: the Security rule uses pre-NAT addresses and the post-NAT destination zone.

Configuring Destination NAT

Callouts on the NAT rule: match criteria; translation.


Destination NAT Port Translation Configuration
Policies > NAT

Used when the destination server is “listening” on a port other than the “well-known” port.
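The order of operations behind the "Destination NAT and Security Policies" and port-translation slides (and the same pre-NAT-address / post-NAT-zone point made for source NAT earlier), worked through in Python. This is an added example, not the deck's or PAN-OS's code: the route table, the rule names, the server's listening port 8080 and the use of a route lookup to stand in for the ingress-interface source zone are all assumptions, and the model matches the Security rule's service on the pre-NAT port. The second ruleset shows the common mistake of writing the Security rule with post-NAT values, which never matches.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed route table: destination prefix -> zone of the egress interface.
ROUTES = [
    ("192.168.15.0/24", "Inside"),
    ("192.168.16.0/24", "DMZ"),
    ("0.0.0.0/0", "Outside"),
]


def zone_for(ip: str) -> str:
    """Longest-prefix route lookup; the destination zone is derived this way."""
    addr = ipaddress.ip_address(ip)
    candidates = [(ipaddress.ip_network(p), z) for p, z in ROUTES]
    _, zone = max((c for c in candidates if addr in c[0]), key=lambda c: c[0].prefixlen)
    return zone


@dataclass
class NatRule:
    name: str
    from_zone: str                    # pre-NAT source zone
    to_zone: str                      # pre-NAT destination zone
    dst: str                          # pre-NAT destination address
    dst_port: int                     # pre-NAT destination port
    xlat_dst: str                     # translated destination address
    xlat_port: Optional[int] = None   # port forwarding; None keeps the original port


@dataclass
class SecRule:
    name: str
    from_zone: str
    to_zone: str        # POST-NAT destination zone
    dst: str            # PRE-NAT destination address
    dst_port: int       # pre-NAT destination port (service)
    action: str


def process(packet, nat_rules, sec_rules):
    """Flow-logic order: destination zone lookup, DNAT check, then the Security
    policy check on pre-NAT addresses and the post-NAT destination zone."""
    src_zone = zone_for(packet["src"])          # stands in for the ingress-interface zone
    pre_dst_zone = zone_for(packet["dst"])
    dst, port, nat_hit = packet["dst"], packet["dport"], None
    for r in nat_rules:                         # NAT rules match pre-NAT zones and addresses
        if (r.from_zone, r.to_zone, r.dst, r.dst_port) == (src_zone, pre_dst_zone, dst, port):
            nat_hit, dst, port = r, r.xlat_dst, r.xlat_port or port
            break
    post_dst_zone = zone_for(dst)               # zone is re-derived after DNAT
    # Security policy: first match on source zone, post-NAT destination zone and the
    # ORIGINAL destination address/port; otherwise the implicit default rules apply.
    verdict = (("intrazone-default", "allow") if src_zone == post_dst_zone
               else ("interzone-default", "deny"))
    for s in sec_rules:
        if (s.from_zone, s.to_zone, s.dst, s.dst_port) == (
                src_zone, post_dst_zone, packet["dst"], packet["dport"]):
            verdict = (s.name, s.action)
            break
    return {"nat_rule": nat_hit.name if nat_hit else None,
            "post_nat_dst": (dst, port), "dst_zone": post_dst_zone,
            "security_rule": verdict[0], "action": verdict[1]}


# Constructed rules using the slide's addresses; server port 8080 is assumed.
NAT_RULES = [NatRule("dnat-web", "Outside", "Outside", "198.51.100.22", 80, "192.168.16.2", 8080)]
SEC_RULES_CORRECT = [SecRule("allow-web", "Outside", "DMZ", "198.51.100.22", 80, "allow")]
SEC_RULES_WRONG = [SecRule("allow-web-wrong", "Outside", "DMZ", "192.168.16.2", 8080, "allow")]
INBOUND = {"src": "203.0.113.38", "dst": "198.51.100.22", "dport": 80}

if __name__ == "__main__":
    print(process(INBOUND, NAT_RULES, SEC_RULES_CORRECT))   # allow-web, DMZ, 192.168.16.2:8080
    print(process(INBOUND, NAT_RULES, SEC_RULES_WRONG))     # interzone-default, deny
```

Running the two rulesets side by side is the quickest way to see why a freshly configured port forward "hits the NAT rule but is dropped": the NAT lookup succeeds either way, while the Security rule written with the DMZ address and port 8080 never sees those values.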


Module Summary
Now that you have completed this module, you should be able to:

• Display and manage Security policy rules
• Describe the differences between implicit and explicit rules
• Create a Security policy
• Describe the differences between source and destination NAT
• Configure source NAT
• Configure destination NAT port forwarding

Questions?

Q & A
Security Policy Lab (Pages 43-64 in the Lab Guide)
• Load a firewall lab configuration file
• Create tags
• Create source and destination NAT rules
• Create Security policy rules



PROTECTION. DELIVERED.
