About rules in Palo Alto Networks® Panorama How

Transcription

About rules in Palo Alto Networks® Panorama How
About rules in Palo Alto Networks® Panorama
Policies can be defined in Panorama by creating either Pre Rules or Post Rules. Pre Rules and Post Rules
allow you to create a layered approach in implementing policy.
What are Pre Rules?
Pre rules are rules that are added to the top of the rule order and are evaluated first. You can use pre
rules to enforce the acceptable use policy for an organization; for example, to block access to specific
URL categories, or to allow DNS traffic for all users.
What are Post Rules
Post rules are rules that are added at the bottom of the rule order and are evaluated after the pre rules
and the rules locally defined on the device. Post rules typically include rules to deny access to traffic
based on the App ID, User ID, or Service.
How Operations Director uses rules in Panorama
Let us consider an example where an application has three tiers, Web, App, and DB. You want to secure
the data traffic between the following three tiers:



Web to App
Rule to secure communication between Web to App where the source is Web and the
destination is App. The action can be allow or deny. For allow action, the VM in the Web tier can
communicate with the VM in App tier.
App to DB
Rule to secure communication between App to DB where the source is App and the destination
is DB. The action can be allow or deny. For allow action, the VM in the App tier can
communicate with the VM in DB tier.
Any to Web
Rule to secure communication between Any to Web where the source is any VM belonging to a
specified IP range and the destination is Web. The action can be allow or deny. If the action is
allow, then the VM in the specified IP range can communicate with the VM in Web tier.
You must first create these dummy rules (Web to App, App to DB, and Any to Web) in Panorama for each
application type and application configuration as explained in Creating rules in Panorama with empty
groups. Dummy rules in Panorama must have application specific port/protocol details and traffic
restrictions defined. The source and destination address groups must be empty/any in the dummy rules.
When you configure Panorama with Operations Director, the three rules get imported as shown in the
above figure. You can select the appropriate rules for the three tiers and save the firewall template. For
more information refer the product online help.
Copyright © 2015 Symantec Corporation. All rights reserved.
1
Note: Rules that are created in Panorama before it is registered with Operations Director will be visible
in Operations Director only after Panorama is registered. Operations Director must be synchronized to
import Panorama policies if the rules are created after Panorama is registered with Operations Director.
Later, when creating the firewall template in Operations Director, you must map the dummy rules to the
firewall template on the Manage > Firewall templates page under Firewall Rules section as shown in
the following example.
After security provisioning is completed in Operations Director, notice that the address groups have
been cloned by Operations Director as Sharepoint_WebToApp_od_4, Sharepoint_ApptoDB_od_4, and
Sharepoint_AnyToWeb_od_4:
Notice that emptygroup address group is replaced by Operations Director at runtime with the actual
group:



A clone of the rule Sharepoint_WebToApp is created by the name
Sharepoint_WebToApp_od_4.
Emptygroup source and destination is replaced with Checkout-vApp_App_4.
A clone of rule Sharepoint_ApptoDB is created by the name Sharepoint_ApptoDB_od_4.
Emptygroup source and destination is replaced with Checkout-vApp_DB_4.
A clone of the rule Sharepoint_AnyToWeb is created by the name
Sharepoint_AnyToWeb_od_4.
The source 192.0.0.0-192.0.0.255 remains unchanged as a specific IP range was provided
however, the destination is replaced with Checkout-vApp_Web_4.
Creating empty address group in Panorama
To create empty groups:
Copyright © 2015 Symantec Corporation. All rights reserved.
2
1. Log in to Palo Alto Networks Panorama.
2. Go to Objects tab and select Address Groups in the left panel. Click Add in the bottom left of
the page to add the address group.
3. Type the name as Empty_Group for the empty address group that you are creating.
4. Select IP Range as the Type.
5. Type the IP range as 0.0.0.0-0.0.0.0 and click OK to create the empty group.
Once the empty group is created you must now create rules in Panorama using the empty group.
Copyright © 2015 Symantec Corporation. All rights reserved.
3
Creating rules in Panorama with empty groups
Let us assume for this example that the application is a Sharepoint.
To create Sharepoint Web to App rule with empty groups:
1. Log in to Panorama and go to Policies tab.
2. Click Add in the bottom left of the page.
3. Enter the name of the security policy rule under the General tab.
4. Under the Source tab, select the Source Zone as Any and the Source Address as the empty
group that you created.
Copyright © 2015 Symantec Corporation. All rights reserved.
4
5. Under the Destination tab select the Destination Zone as Any and the Destination Address as
the empty group that you created.
For this example, under the Application tab, select the application as Sharepoint.
Make sure to decide and select the appropriate information under the Service/URL Category, Actions,
and Target tabs or retain the default values as per your requirement. These values will be copied in the
rules created by Operations Director.
6. Click Ok to save the rule.
To create Sharepoint App to DB rule with empty group:
Follow the steps as explained above for the Source and Destination tabs.
For this example, under the Application tab, select the application as mssqldb.
Make sure to decide and select the appropriate information under the Service/URL Category, Actions,
and Target tabs or retain the default values. These values will be copied in the rules created by
Operations Director.
Click Ok to save the rule.
To create Sharepoint Any to Web rule with empty group:
1. Log in to Panorama and go to Policies tab.
2. Click Add in the bottom left of the page.
3. Under General tab, enter the name of the rule.
Copyright © 2015 Symantec Corporation. All rights reserved.
5
4. Under Source tab, select the Source Zone as Any.
5. The Source Address in the case of any to Web rule is not changed by Operations Director. It will
be copied as is in the rules created by Operations Director. Therefore, you must add the
appropriate source address as per your requirement.
To add the Source Address click Add and then select Address as shown in the following figure.
6. In the Address dialog box, enter a name, select the Type as IP Range and enter the IP address
range as shown in the following figure and click OK.
Copyright © 2015 Symantec Corporation. All rights reserved.
6
The Source tab should have the Source Zone and Source Address as shown in the following
figure.
7. Under the Destination tab, select the Destination Zone as any and the Destination Address as
Any as shown in the following figure.
Copyright © 2015 Symantec Corporation. All rights reserved.
7
8. Make sure to select the information under the Application, Service/URL Category, Actions, and
Target tabs as per your requirements.
9. Click OK to save the address group.
Note: The screen shots used in this document to explain the steps/example have been captured on Palo
Alto Network® Panorama version 6.1.0.
Copyright © 2015 Symantec Corporation. All rights reserved.
8