Palo Alto Networks Knowledgebase: How to See Traffic from Default Security Policies in Traffic Logs

How to See Traffic from Default Security Policies in Traffic Logs

4843
Created On 09/25/18 17:39 PM - Last Updated 09/25/18 23:11 PM
Policy
Resolution

Pre PAN-OS 7.0

Overview

There are two default rules on the Palo Alto Networks firewall regarding security policies:

  1. Deny cross zone traffic
  2. Allow same zone traffic

By default, traffic that hits default policies will not get logged into traffic logs. Sometimes, troubleshooting traffic is required when it has the same source and destination zone, or see what traffic is being denied by the default rules before allowing the traffic.  To temporarily log the implied block rule, issue the following command:

> set system setting logging default-policy-logging <value>  (Value is 0-300 seconds)

Note: Beginning in PAN-OS 6.1, the two default policies are now displayed with a green background under Policies > Security.

Now rule matches intrazone traffic, interzone traffic, or both (called universal).  PANOS New Features

Details

There are a few ways to see the traffic in the traffic logs:

For Same Zone Traffic

  • Go to Policies > Security and create security policies that allow traffic sourced and destined for the Same Zone as the example below indicates:
    Trust Trust.PNG.png

For Cross Zone Traffic

  • Go to Policies > Security and create an open rule that allows the crossing of the zones wanted in order to see the traffic.
    overall.PNG.png

Important:  It may not be desired to allow all Untrusted traffic into the Trusted zones of the network, as the above policies indicate since the goal is to keep the network secure. Therefore, using a Deny All policy would log off all traffic that is not allowed by the policy, in a clean up rule as denied, to see what rules would need to be specifically created without allowing it initially. The following point is an example of a Deny All policy.

Deny All

  • The example shown below indicate specifically allowing only GlobalProtect in from the outside. It would allow all trust and DMZ traffic out, all internally trusted cross traffic and allowing for Same Zone traffic when using a Deny All policy. Any traffic that does not match the policies above the Deny All rule will get caught by the Deny All policy and logged as denied.
    Deny all.PNG.png
  • See the denied traffic in the traffic logs and view traffic that would specifically need to be allowed according to the traffic logs of what is denied, without allowing anything new into the network and compromising the network with unwanted traffic.
    Note: Creating a Deny All policy will override the default policy that allows Same Zone traffic. For more information, review the following document: Any/Any/Deny Security Rule Changes Default Behavior.

Post PAN-OS 7.0

Starting from PAN-OS 7.0 intrazone and interzone security policy has been made visible in the security policy and can be edited to enable logging

2015-07-29_23-07-42.png

2015-07-29_23-08-09.png

owner: glasater



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHkCAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language