Configure a Palo Alto Security Policy

Objective: Create a security policy that gives internal users internet access.

Network Diagram

OBJECTS

Objects are ways to represent something else, in this case, IP address spaces. They simplify the tasks of creating policies.

For this task, it would be helpful to create an object for the IP address space used for the inside interface. This can be done in the process of creating a policy (credit to Palo Alto for the flexibility), but for now, these tasks will be separated to get a clearer view of how they are done.

Select the Objects tab and then choose the Addresses option from the menu on the left.

Click Add in the bottom left of the window.

Configure the object

Click OK.

SECURITY POLICY

Select the Policies tab, then choose Security from the left hand side menu.

Click Add in the bottom left of the window.

On the General tab:

Here we determine the type of policy. Interzone for traffic travelling between zones, Intrazone for traffic moving between different interfaces on the same zone, with Universal incorporating both options.

On the Source tab:

Here is where the source of the originating traffic is identified.

Within the Source Zone pane, click Add.

Within the Source Address pane, click Add, and select the Inside 10.0.0.0 object. You will also notice the option at the bottom of the drop down list to create new object addresses while there (instead of navigating back to the Objects tab).

Next, select the Destination tab.

Here, click Add and select the outside as the destination zone.

Next, select the Applications tab.

Here you can limit the traffic based on the applications you want to permit. For example, Web Services (Web-Browsing), SSL and DNS.

Click on the Add option for each application to be added to the list.

Next, select the Actions tab.

Specify the action to Allow (based on the previous conditions that have just been set). You can also add logging as an option.

Lastly, commit the changes.

Note: NAT/PAT will still need to be configured for network connectivity to be available for the inside zone.

SUMMARY

Thank you for visiting my tutorial page. For more tutorials, be sure to check IMCK Training for the latest updates.

1st & 2nd line IT training services.