Defaults

This document provides an overview of the default policy supplied with the project: the static PRE sections, the URL categories and App-ID subcategories from which the POST rules are generated, and the actions assigned to them in the firewall policy.

Warning

You must review all these defaults and modify them to meet your specific requirements.

Security Policy Sections

PRE

The top part of the firewall security policy (the pre-rules of the target Panorama device group, referred to here as PRE) is generated from the static rules defined in the subfolders of the ngfw/policies/security/PRE folder.

Each subfolder represents a logical section of the policy. A section is characterised by two attributes:

  • Purpose (indicated by the Group Tag assigned to all rules in the section)

  • Rule defaults

The rules of each section are defined in the section's rules.py file. The file starts by defining default values for every rule attribute; the rules that follow state only how they deviate from those section defaults, so any attribute a rule does not mention is inherited from the section unchanged.
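As an added illustration of that layout (this is not the project's own rules.py; the attribute names, the example rules and the validation performed are assumptions made for the illustration), a section file reduces to a defaults dict plus a list of deviations, and the merge step is the natural place to catch a rule that tries to change section-level attributes or ends up without a mandatory one:

```python
"""Section defaults plus per-rule deviations, with validation at merge time.

Added example: not the project's rules.py schema. Attribute names, the
sample rules and the locked/required sets are assumptions for illustration.
"""

# Section defaults: every rule in this section starts from these values.
SECTION_DEFAULTS = {
    "group_tag": "dns-security",          # identifies the section's purpose
    "from_zones": ["trust"],
    "to_zones": ["untrust"],
    "source": ["any"],
    "destination": ["any"],
    "application": ["any"],
    "service": ["application-default"],
    "action": "deny",                     # section is deny-by-default
    "log_end": True,
    "profile_group": None,
}

# Rules state only their deviation from the defaults. Object names below
# follow the prefix conventions of this page (AG-, PG-); the objects
# themselves are assumed to exist.
RULES = [
    {"name": "dns-approved-servers", "destination": ["AG-dns_servers"],
     "application": ["dns"], "action": "allow", "profile_group": "PG-apps-infra"},
    {"name": "dns-block-doh-dot", "application": ["dns-over-https", "dns-over-tls"]},
    {"name": "dns-block-other-servers", "application": ["dns"]},
]

REQUIRED = {"name", "action", "group_tag", "from_zones", "to_zones"}
LOCKED = {"group_tag"}   # a rule may not move itself into another section


def expand_rules(defaults, deviations):
    """Merge each deviation over the section defaults and return full rules.

    Raises ValueError when a rule overrides a locked attribute, lacks a
    required one after merging, or reuses a name, so a typo in a rule file
    fails the build instead of silently producing an untagged rule.
    """
    expanded = []
    for dev in deviations:
        locked = LOCKED & set(dev)
        if locked:
            raise ValueError(f"{dev.get('name')}: may not override {sorted(locked)}")
        rule = {**defaults, **dev}
        missing = REQUIRED - {k for k, v in rule.items() if v is not None}
        if missing:
            raise ValueError(f"{dev.get('name')}: missing {sorted(missing)}")
        expanded.append(rule)
    names = [r["name"] for r in expanded]
    if len(names) != len(set(names)):
        raise ValueError("duplicate rule names in section")
    return expanded


if __name__ == "__main__":
    for r in expand_rules(SECTION_DEFAULTS, RULES):
        print(f"{r['name']:<26} {r['action']:<6} apps={r['application']} dst={r['destination']}")
```

The two block rules carry no action of their own and therefore inherit the section's deny; only the approved-servers rule overrides it. Keeping the group tag locked means the Purpose attribute of the section cannot drift rule by rule.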

The PRE rulebase of the default policy has seven sections:

  • DNS Security - Rules that secure DNS name resolution: they enforce the use of approved DNS servers and block DNS over HTTPS (DoH) and DNS over TLS (DoT), so that clients cannot route resolution around the approved resolvers and the DNS Security inspection (including DNS tunneling detection) applied to them.

  • Infrastructure essentials - Rules that permit the minimal traffic required for the firewalls and network infrastructure to function. This includes time synchronization, certificate revocation checks (OCSP), endpoint detection and response (EDR) agents, operating system connectivity checks, firewall helper applications, network troubleshooting tools, and communication between the Palo Alto Networks firewalls and their cloud services.

  • Break-glass - Emergency bypass rules for temporarily circumventing security controls during critical situations. They match External Dynamic Lists (EDLs) that provide source IP based, destination IP based and URL based bypasses; the lists are meant to stay empty and are populated only in exceptional circumstances when immediate access is required. Because the match criteria live in EDLs, an entry takes effect at the next list refresh without a Panorama commit, which is what makes a bypass quick to activate and also why the lists must be reviewed and emptied again once the situation is over.

  • Incident response - Rules for security operations teams responding to active threats and incidents: blocking rules for known malicious source and destination IPs, URL-based blocking of malicious websites, and automatic isolation of compromised hosts, which are placed into a Dynamic Address Group (DAG) when command and control (C&C) traffic is detected from them and are then matched by the isolation rule.

  • Block lists - Baseline blocking rules that use threat intelligence feeds to deny connections to and from known malicious entities: the built-in Palo Alto Networks IP feeds (bulletproof hosting, high-risk, known malicious and Tor exit node addresses) and geolocation-based blocking of sanctioned countries and regions.

  • Infrastructure applications - Rules that allow access to core organizational infrastructure applications necessary for basic business operations. This includes IT service desk systems (ServiceNow), controlled download of restricted file types from approved websites, endpoint software updates, and endpoint management platforms for Windows (Microsoft Intune) and macOS (Jamf).

  • Business applications - Rules that govern access to business-specific applications and services used by authenticated users. This includes organization-specific trusted web applications, legacy custom applications, pre-approved business tools, comprehensive GitHub access (including AI features and Git operations), Microsoft 365 suite access with various security categories, and content delivery network services.

POST

The bottom part of the firewall security policy (the post-rules of the target Panorama device group, referred to here as POST) is generated from the business requirements specified in the following two files. Change the requirements and regenerate rather than editing the generated rules:

  • requirements/categories_app.csv

  • requirements/categories_url.csv

The following two diagrams show, for App-ID categories and for URL categories respectively, the user groups (User-ID) that may reach each category, the approver responsible for it, and the action assigned to it in the firewall policy:

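The following is an added sketch of how such a category file can be turned into consolidated POST rules; it is not the project's generator. The column layout (category, user_group, approver, action), the constructed sample rows, the rule shape and the profile group names are assumptions; only the object prefixes follow the conventions on this page.

```python
"""Generate POST rules from a category requirements CSV.

Added example, not the project's code. Column names, sample rows and the
profile-group names are assumptions made for the illustration.
"""
import csv
import io

# Constructed sample in the assumed layout of requirements/categories_url.csv.
CATEGORIES_URL_CSV = """\
category,user_group,approver,action
business-and-economy,any,ciso,allow
computer-and-internet-info,any,ciso,allow
web-based-email,UG-personal_mail,hr,allow
online-storage-and-backup,UG-file_sharing,ciso,alert
proxy-avoidance-and-anonymizers,any,ciso,block
malware,any,ciso,block
"""

VALID_ACTIONS = {"allow", "alert", "block"}


def load_category_requirements(csv_text):
    """Parse and validate the CSV; every row must carry an approver and a known action."""
    rows = []
    for lineno, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        if row["action"] not in VALID_ACTIONS:
            raise ValueError(f"line {lineno}: unknown action {row['action']!r}")
        if not row["approver"] or not row["user_group"]:
            raise ValueError(f"line {lineno}: approver and user_group are mandatory")
        rows.append(row)
    return rows


def build_post_rules(rows, kind="url"):
    """Consolidate categories sharing (user_group, action) into one rule each.

    Rules scoped to a named user group are emitted before the 'any' rules and,
    within a group, allow/alert before block, so a category approved for a
    group is never shadowed by a broader block rule above it.
    """
    buckets = {}
    for r in rows:
        buckets.setdefault((r["user_group"], r["action"]), []).append(r["category"])
    order = {"allow": 0, "alert": 1, "block": 2}
    keys = sorted(buckets, key=lambda k: (k[0] == "any", order[k[1]]))
    match_field = "url_category" if kind == "url" else "application"
    rules = []
    for user_group, action in keys:
        name = f"{kind}-{action}-{user_group.lower().replace('ug-', '')}"
        rules.append({
            "name": name[:63],                     # PAN-OS limits rule names to 63 chars
            "source_user": [user_group],
            "match_field": match_field,
            "categories": sorted(buckets[(user_group, action)]),
            "action": "deny" if action == "block" else "allow",
            "log_setting": "LFP-default",
            # 'alert' is allow plus a log-only profile group (name assumed)
            "profile_group": "PG-log-only" if action == "alert" else "PG-default",
        })
    return rules


if __name__ == "__main__":
    for r in build_post_rules(load_category_requirements(CATEGORIES_URL_CSV)):
        print(f"{r['name']:<26} {r['action']:<6} {r['source_user']} {r['categories']}")
```

The same function serves requirements/categories_app.csv with kind="app", where the consolidated values are App-ID subcategories instead of URL categories.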

Naming Conventions

This section describes the naming conventions used for all objects referenced by the security or decryption policy:

| Object type                 | Prefix | Example                        |
|-----------------------------|--------|--------------------------------|
| Address (network)           | N-     | N-rfc_1918-10.0.0.0_8          |
| Address (host)              | H-     | H-open_dns-208.67.222.222_32   |
| Address (FQDN)              | FQDN-  | FQDN-time.apple.com            |
| Address group               | AG-    | AG-rfc_1918                    |
| Dynamic address group       | DAG-   | DAG-domain-controllers         |
| Service object              | SVC-   | SVC-udp-53                     |
| Application group           | APG-   | APG-file-sharing               |
| Custom application          | APP-   | APP-windows-conn-check         |
| External dynamic list       | EDL-   | EDL-URL-no_decryption_dst      |
| Custom URL category (list)  | UCL-   | UCL-acme-generic-app           |
| Custom URL category (match) | UCM-   | UCM-comp-inet-info_low-risk    |
| Security profile group      | PG-    | PG-apps-risky                  |
| Antivirus profile           | AVP-   | AVP-default                    |
| Anti-spyware profile        | ASP-   | ASP-strict                     |
| Vulnerability profile       | VPP-   | VPP-default                    |
| File blocking profile       | FBP-   | FBP-log-only                   |
| URL filtering profile       | UFP-   | UFP-log-only                   |
| WildFire profile            | WFP-   | WFP-default                    |
| Data filtering profile      | DFP-   | DFP-default                    |
| Decryption profile          | DP-    | DP-no_decryption               |
| Log forwarding profile      | LFP-   | LFP-default                    |
| User group                  | UG-    | UG-decryption_break-glass      |
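A convention like this is only useful if it is enforced before a commit. The following added example (not part of the project) lints object names against the prefixes in the table; the checks beyond the prefix itself, such as requiring an N- name to encode a network and an H- name a /32, are this example's own reading of the listed examples, and the 63-character limit is the PAN-OS object name limit.

```python
"""Lint object names against the prefix conventions of the table above.

Added example, not project code. The address/FQDN/service format checks are
an interpretation of the examples in the table, not a rule stated by it.
"""
import ipaddress
import re

# Prefix -> object type, as listed in the table.
PREFIXES = {
    "N-": "address (network)", "H-": "address (host)", "FQDN-": "address (FQDN)",
    "AG-": "address group", "DAG-": "dynamic address group", "SVC-": "service object",
    "APG-": "application group", "APP-": "custom application",
    "EDL-": "external dynamic list", "UCL-": "custom URL category (list)",
    "UCM-": "custom URL category (match)", "PG-": "security profile group",
    "AVP-": "antivirus profile", "ASP-": "anti-spyware profile",
    "VPP-": "vulnerability profile", "FBP-": "file blocking profile",
    "UFP-": "URL filtering profile", "WFP-": "WildFire profile",
    "DFP-": "data filtering profile", "DP-": "decryption profile",
    "LFP-": "log forwarding profile", "UG-": "user group",
}

# <label>-<ip>_<prefixlen>, e.g. rfc_1918-10.0.0.0_8 (label may contain '-').
_ADDR_RE = re.compile(r"^.+-(?P<ip>[0-9.]+)_(?P<len>\d{1,2})$")
# Hostname labels of 1-63 chars, total length <= 253, alphabetic TLD.
_FQDN_RE = re.compile(
    r"^(?=.{1,253}$)([A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$")
# <tcp|udp>-<port> or <tcp|udp>-<port>-<port> for a range, e.g. udp-53.
_SVC_RE = re.compile(r"^(tcp|udp)-\d{1,5}(-\d{1,5})?$")


def check_name(name):
    """Return the list of problems found with an object name (empty list = OK)."""
    problems = []
    prefix = next((p for p in PREFIXES if name.startswith(p)), None)
    if prefix is None:
        return [f"{name}: no recognised prefix"]
    rest = name[len(prefix):]
    if not rest:
        return [f"{name}: empty name after prefix"]
    if len(name) > 63:
        problems.append(f"{name}: longer than 63 characters")
    if prefix in ("N-", "H-"):
        m = _ADDR_RE.match(rest)
        if not m:
            return problems + [f"{name}: expected <label>-<ip>_<prefixlen>"]
        try:
            net = ipaddress.ip_network(f"{m['ip']}/{m['len']}", strict=True)
        except ValueError as e:               # bad address, bad length or host bits set
            return problems + [f"{name}: {e}"]
        if prefix == "H-" and net.prefixlen != 32:
            problems.append(f"{name}: host object must be a /32")
        if prefix == "N-" and net.prefixlen == 32:
            problems.append(f"{name}: /32 should use the H- prefix")
    elif prefix == "FQDN-" and not _FQDN_RE.match(rest):
        problems.append(f"{name}: not a valid FQDN")
    elif prefix == "SVC-" and not _SVC_RE.match(rest):
        problems.append(f"{name}: expected SVC-<tcp|udp>-<port>[-<port>]")
    return problems


def lint(names):
    """Check many names; returns {name: problems} for the offending ones only."""
    return {n: p for n in names if (p := check_name(n))}


if __name__ == "__main__":
    sample = ["N-rfc_1918-10.0.0.0_8", "H-open_dns-208.67.222.222_32",
              "N-bad-10.0.0.1_8", "H-not_host-10.0.0.0_24", "rfc_1918"]
    for name, problems in lint(sample).items():
        print("\n".join(problems))
```

Run it over the object names exported from the device group (or over the names the generator is about to create) and fail the pipeline on a non-empty result.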