About rules in Palo Alto Networks® Panorama How
About rules in Palo Alto Networks® Panorama

Policies can be defined in Panorama by creating either Pre Rules or Post Rules. Pre Rules and Post Rules allow you to create a layered approach to implementing policy.

What are Pre Rules?

Pre rules are rules that are added to the top of the rule order and are evaluated first. You can use pre rules to enforce the acceptable use policy for an organization; for example, to block access to specific URL categories, or to allow DNS traffic for all users.

What are Post Rules?

Post rules are rules that are added at the bottom of the rule order and are evaluated after the pre rules and the rules locally defined on the device. Post rules typically include rules to deny access to traffic based on the App ID, User ID, or Service.

How Operations Director uses rules in Panorama

Let us consider an example where an application has three tiers: Web, App, and DB. You want to secure the data traffic between the following three tiers:

- Web to App: Rule to secure communication from Web to App, where the source is Web and the destination is App. The action can be allow or deny. With the allow action, the VM in the Web tier can communicate with the VM in the App tier.
- App to DB: Rule to secure communication from App to DB, where the source is App and the destination is DB. The action can be allow or deny. With the allow action, the VM in the App tier can communicate with the VM in the DB tier.
- Any to Web: Rule to secure communication from Any to Web, where the source is any VM belonging to a specified IP range and the destination is Web. The action can be allow or deny. If the action is allow, then the VM in the specified IP range can communicate with the VM in the Web tier.

You must first create these dummy rules (Web to App, App to DB, and Any to Web) in Panorama for each application type and application configuration, as explained in Creating rules in Panorama with empty groups.
Dummy rules in Panorama must have application-specific port/protocol details and traffic restrictions defined. The source and destination address groups must be empty/any in the dummy rules. When you configure Panorama with Operations Director, the three rules are imported as shown in the above figure. You can select the appropriate rules for the three tiers and save the firewall template. For more information, refer to the product online help.

Copyright © 2015 Symantec Corporation. All rights reserved.

Note: Rules that are created in Panorama before it is registered with Operations Director will be visible in Operations Director only after Panorama is registered. If the rules are created after Panorama is registered with Operations Director, Operations Director must be synchronized to import the Panorama policies.

Later, when creating the firewall template in Operations Director, you must map the dummy rules to the firewall template on the Manage > Firewall templates page, under the Firewall Rules section, as shown in the following example.

After security provisioning is completed in Operations Director, notice that the address groups have been cloned by Operations Director as Sharepoint_WebToApp_od_4, Sharepoint_ApptoDB_od_4, and Sharepoint_AnyToWeb_od_4. Notice that the emptygroup address group is replaced by Operations Director at runtime with the actual group:

- A clone of the rule Sharepoint_WebToApp is created with the name Sharepoint_WebToApp_od_4. The Emptygroup source and destination are replaced with Checkout-vApp_App_4.
- A clone of the rule Sharepoint_ApptoDB is created with the name Sharepoint_ApptoDB_od_4. The Emptygroup source and destination are replaced with Checkout-vApp_DB_4.
- A clone of the rule Sharepoint_AnyToWeb is created with the name Sharepoint_AnyToWeb_od_4. The source 192.0.0.0-192.0.0.255 remains unchanged because a specific IP range was provided; however, the destination is replaced with Checkout-vApp_Web_4.
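As an added example that is not part of the original document and not Symantec's or Palo Alto Networks' code, the following Python models the two behaviours described above: a check that a dummy rule carries the required application/service restrictions and a placeholder destination, and the runtime cloning in which placeholder (empty group or any) addresses are swapped for the tier's actual group while a specific source range is kept. The dict layout, the function names and the service values are assumptions; the rule and group names are the page's.

```python
# Added example, not Symantec or Palo Alto Networks code: models the dummy-rule
# requirements and the runtime cloning described above. Rule and group names are
# the page's; the dict layout and the function names are assumptions.
EMPTY_GROUP = "Empty_Group"          # the 0.0.0.0-0.0.0.0 placeholder group
PLACEHOLDERS = {EMPTY_GROUP, "any"}  # values Operations Director substitutes

# Constructed dummy rules, as an administrator would define them in Panorama.
SHAREPOINT_DUMMY_RULES = [
    {"name": "Sharepoint_WebToApp", "source": EMPTY_GROUP, "destination": EMPTY_GROUP,
     "application": "sharepoint", "service": "application-default", "action": "allow"},
    {"name": "Sharepoint_ApptoDB", "source": EMPTY_GROUP, "destination": EMPTY_GROUP,
     "application": "mssqldb", "service": "application-default", "action": "allow"},
    {"name": "Sharepoint_AnyToWeb", "source": "192.0.0.0-192.0.0.255", "destination": "any",
     "application": "sharepoint", "service": "application-default", "action": "allow"},
]

def validate_dummy_rule(rule):
    """Return problems that make a dummy rule unusable; an empty list means OK."""
    problems = []
    # Port/protocol details and traffic restrictions must be set on the dummy rule,
    # because they are copied verbatim into every clone.
    if rule.get("application", "any") == "any":
        problems.append(f"{rule['name']}: application must be specific, not any")
    if not rule.get("service"):
        problems.append(f"{rule['name']}: service (port/protocol) must be defined")
    # The destination must be a placeholder so the real tier group can be swapped in.
    if rule.get("destination") not in PLACEHOLDERS:
        problems.append(f"{rule['name']}: destination must be the empty group or any")
    return problems

def clone_rule(rule, tier_group, instance):
    """Clone one dummy rule for a provisioned application instance."""
    clone = dict(rule)
    clone["name"] = f"{rule['name']}_od_{instance}"
    # Only placeholder addresses are replaced; a specific range the administrator
    # typed in (the Any to Web source) is carried over unchanged.
    for field in ("source", "destination"):
        if rule[field] in PLACEHOLDERS:
            clone[field] = tier_group
    return clone

def provision(rules, tier_groups, instance):
    """Validate all dummy rules, then clone each; tier_groups maps rule name -> group."""
    problems = [p for rule in rules for p in validate_dummy_rule(rule)]
    if problems:
        raise ValueError("; ".join(problems))
    return [clone_rule(r, tier_groups[r["name"]], instance) for r in rules]
```

Running provision() over the constructed rules with instance 4 yields the three clone names given above, with only the Any to Web source left untouched.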
Creating empty address group in Panorama

To create empty groups:

1. Log in to Palo Alto Networks Panorama.
2. Go to the Objects tab and select Address Groups in the left panel. Click Add in the bottom left of the page to add the address group.
3. Type the name as Empty_Group for the empty address group that you are creating.
4. Select IP Range as the Type.
5. Type the IP range as 0.0.0.0-0.0.0.0 and click OK to create the empty group.

Once the empty group is created, you must create rules in Panorama using the empty group.

Creating rules in Panorama with empty groups

Let us assume for this example that the application is Sharepoint.

To create the Sharepoint Web to App rule with empty groups:

1. Log in to Panorama and go to the Policies tab.
2. Click Add in the bottom left of the page.
3. Enter the name of the security policy rule under the General tab.
4. Under the Source tab, select the Source Zone as Any and the Source Address as the empty group that you created.
5. Under the Destination tab, select the Destination Zone as Any and the Destination Address as the empty group that you created. For this example, under the Application tab, select the application as Sharepoint. Make sure to decide and select the appropriate information under the Service/URL Category, Actions, and Target tabs, or retain the default values as per your requirement. These values will be copied into the rules created by Operations Director.
6. Click OK to save the rule.

To create the Sharepoint App to DB rule with empty group:

Follow the steps as explained above for the Source and Destination tabs. For this example, under the Application tab, select the application as mssqldb. Make sure to decide and select the appropriate information under the Service/URL Category, Actions, and Target tabs, or retain the default values. These values will be copied into the rules created by Operations Director. Click OK to save the rule.

To create the Sharepoint Any to Web rule with empty group:

1. Log in to Panorama and go to the Policies tab.
2. Click Add in the bottom left of the page.
3. Under the General tab, enter the name of the rule.
4. Under the Source tab, select the Source Zone as Any.
5. The Source Address in the case of the Any to Web rule is not changed by Operations Director; it is copied as is into the rules created by Operations Director. Therefore, you must add the appropriate source address as per your requirement. To add the Source Address, click Add and then select Address as shown in the following figure.
6. In the Address dialog box, enter a name, select the Type as IP Range, enter the IP address range as shown in the following figure, and click OK. The Source tab should then have the Source Zone and Source Address as shown in the following figure.
7. Under the Destination tab, select the Destination Zone as Any and the Destination Address as Any as shown in the following figure.
8. Make sure to select the information under the Application, Service/URL Category, Actions, and Target tabs as per your requirements.
9. Click OK to save the address group.

Note: The screen shots used in this document to explain the steps/example have been captured on Palo Alto Networks® Panorama version 6.1.0.