When to use Pre and Post Security Rules in Panorama
Summary
TL;DR: This video explains how Palo Alto firewalls process security rules, both pre and post, when managed via Panorama. The speaker, Ricardo, details the order in which rules are processed, from shared rules to device-specific rules. He highlights the importance of understanding the hierarchy and structure of device groups and offers insights into when to use pre-rules versus post-rules. As a bonus, Ricardo advises using post-rules for flexibility, allowing local firewall configurations to override Panorama rules in case of disconnection or issues, ensuring more control over security policies.
Takeaways
- 📊 Panorama is a management appliance from Palo Alto, used to configure multiple firewalls through a single web interface.
- 📜 Panorama allows users to create pre-rules and post-rules that dictate how firewall security policies are processed.
- 🔄 Firewalls process rules from top to bottom, with pre-rules taking precedence over local rules and post-rules applied after local rules.
- 🌍 Pre-rules are processed from the most general (shared) to the most specific, while post-rules follow the opposite order.
- 🏙 Device groups in Panorama allow organizing rules by regions or branches, with up to four levels of hierarchy (e.g., shared, branches, NAM, East, New York).
- ⚠️ Pre-rules are applied before any local firewall configurations, and post-rules are applied afterward.
- 🔐 Shared pre-rules can be used for global policies, such as blocking malware based on Palo Alto's threat feeds.
- 🔧 If pre-rules from Panorama are too restrictive, they cannot be overridden by local firewall rules, making post-rules safer for configurations that might need local adjustments.
- 💡 Using post-rules allows flexibility in case of Panorama connection loss, as local firewall rules can still be configured.
- 📝 It's recommended to use shared pre-rules for global deny policies and post-rules for more specific, localized configurations.
Q & A
What is Panorama in the context of Palo Alto firewalls?
- Panorama is a management appliance from Palo Alto that allows you to configure multiple firewalls using the same web interface, enabling the pushing of the same configuration to many devices instead of configuring each one individually.
How does a Palo Alto firewall process security rules when configured through Panorama?
- A Palo Alto firewall processes rules from top to bottom until it finds a match. When using Panorama, the firewall processes pre-rules first, then local rules, followed by post-rules, and finally default rules.
What is the difference between pre-rules and post-rules in Panorama?
- Pre-rules are processed before local firewall rules and post-rules. They are used for more general rules that should be applied across devices. Post-rules, on the other hand, are processed after local firewall rules and are often more specific, applied after all local and pre-rules are evaluated.
What happens if a rule is configured in both pre-rules and post-rules?
- If the same rule is configured in both pre-rules and post-rules, the pre-rule will take precedence. The firewall processes pre-rules first, and once a match is found, it stops evaluating other rules, making the post-rule irrelevant in this case.
How do device groups affect the order of rule processing in Panorama?
- Device groups in Panorama allow you to organize firewalls into hierarchical structures. Pre-rules are processed from the most general group (shared) to the most specific group (e.g., a local branch), while post-rules are processed in the opposite order, from the most specific to the most general.
What is the advantage of using post-rules over pre-rules when configuring rules in Panorama?
- Using post-rules allows for more flexibility, as local rules configured directly on the firewall can still take precedence over Panorama's post-rules. This ensures that if a connection to Panorama is lost or Panorama pushes an incorrect configuration, local rules can still override them.
Why is it recommended to use shared pre-rules for global deny rules?
- Shared pre-rules are ideal for implementing global deny rules because they are processed first and applied across all firewalls. This is useful for rules like denying malware targets or other threats using Palo Alto feeds, which need to be consistently enforced across the network.
What is the potential risk of pushing deny rules as pre-rules from Panorama?
- If you push deny rules as pre-rules from Panorama, you may lose the ability to override these rules locally on the firewall. Since pre-rules take precedence over local rules, a deny-any rule in the pre-rules could block important traffic, and local rules wouldn't be able to override it.
How does Panorama handle rule processing when device groups have multiple levels?
- Panorama supports up to four levels of device groups. Rules are processed based on the hierarchy, with pre-rules starting from the shared level and going down to the most specific device group. Post-rules are processed in reverse, starting from the most specific group and moving up to shared.
What should you do if you accidentally push a wrong rule from Panorama that breaks connectivity?
- If you push an incorrect rule from Panorama and lose connectivity, using post-rules provides an advantage because local rules can still override Panorama's post-rules. This allows you to fix configurations directly on the firewall even if Panorama becomes unreachable.
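As an added illustration (not code from the video or from Palo Alto software), the following Python model builds the rulebase a firewall sees under the Shared > Branches > NAM > East > New York hierarchy from the takeaways and applies first-match evaluation to it; the rule names, the `malware-edl` destination, the local SSH rule, and the single catch-all deny standing in for the built-in default rules are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Rule:
    name: str
    action: str              # "allow" or "deny"
    app: str = "any"         # "any" is a wildcard
    dst: str = "any"

    def matches(self, app: str, dst: str) -> bool:
        return self.app in ("any", app) and self.dst in ("any", dst)

@dataclass
class DeviceGroup:
    name: str
    parent: Optional["DeviceGroup"] = None
    pre: list = field(default_factory=list)
    post: list = field(default_factory=list)

def rulebase(leaf: DeviceGroup, local: list) -> list:
    """Ordered rulebase for a firewall in `leaf` (model, not Palo Alto code): pre-rules
    Shared -> leaf, local rules, post-rules leaf -> Shared, then a stand-in default deny."""
    chain, g = [], leaf
    while g is not None:
        chain.append(g)
        g = g.parent
    chain.reverse()                       # Shared first
    order = [(f"pre:{g.name}", r) for g in chain for r in g.pre]
    order += [("local", r) for r in local]
    order += [(f"post:{g.name}", r) for g in reversed(chain) for r in g.post]
    order.append(("default", Rule("default-deny", "deny")))  # simplified stand-in
    return order

def first_match(order: list, app: str, dst: str):
    """First-match semantics: evaluation stops at the first rule that matches."""
    for source, r in order:
        if r.matches(app, dst):
            return source, r.name, r.action

def build(deny_any_as_pre: bool) -> list:
    """Hierarchy from the video: Shared > Branches > NAM > East > New York (constructed rules)."""
    shared = DeviceGroup("Shared", pre=[Rule("block-malware", "deny", dst="malware-edl")])
    branches = DeviceGroup("Branches", shared)
    ny = DeviceGroup("New York", DeviceGroup("East", DeviceGroup("NAM", branches)))
    deny_any = Rule("deny-any", "deny")
    # The risky deny-any goes into Branches pre-rules or post-rules depending on the flag.
    (branches.pre if deny_any_as_pre else branches.post).append(deny_any)
    local = [Rule("local-ssh-mgmt", "allow", app="ssh", dst="mgmt-host")]
    return rulebase(ny, local)
```

With deny-any as a post-rule the local SSH rule still wins; moved into pre-rules, the same deny-any blocks that SSH traffic and the local rule never gets evaluated.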