Internet Gateway Best Practices
Internet Gateway Best Practices
Internet Gateway Best Practices
Policy
Version 8.0
paloaltonetworks.com/documentation
Contact Information
Corporate Headquarters:
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact-support
Copyright
Palo Alto Networks, Inc.
www.paloaltonetworks.com
© 2018-2018 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo
Alto Networks. A list of our trademarks can be found at www.paloaltonetworks.com/company/
trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.
Last Revised
April 18, 2018
5
6 INTERNET GATEWAY BEST PRACTICE SECURITY POLICY | Best Practice Internet Gateway Security Policy
© 2018 Palo Alto Networks, Inc.
What Is a Best Practice Internet Gateway
Security Policy?
A best practice internet gateway security policy has two main security goals:
• Minimize the chance of a successful intrusion—Unlike legacy port-based security policies that either
block everything in the interest of network security, or enable everything in the interest of your
business, a best practice security policy leverages App-ID, User-ID, and Content-ID to ensure safe
enablement of applications across all ports, for all users, all the time, while simultaneously scanning all
traffic for both known and unknown threats.
• Identify the presence of an attacker—A best practice internet gateway security policy provides built-in
mechanisms to help you identify gaps in the rulebase and detect alarming activity and potential threats
on your network.
To achieve these goals, the best practice internet gateway security policy uses application-based rules to
allow access to whitelisted applications by user, while scanning all traffic to detect and block all known
threats, and send unknown files to WildFire to identify new threats and generate signatures to block them:
The best practice policy is based on the following methodologies. The best practice methodologies ensure
detection and prevention at multiple stages of the attack life cycle.
Inspect All Traffic for Because you cannot protect against threats you cannot see, you must
Visibility make sure you have full visibility into all traffic across all users and
applications all the time. To accomplish this:
• Deploy GlobalProtect to extend the next-generation security platform
to users and devices no matter where they are located.
• Enable SSL decryption so the firewall can inspect encrypted traffic
(SSL/TLS traffic flows account for 40% or more of the total traffic on a
typical network today).
INTERNET GATEWAY BEST PRACTICE SECURITY POLICY | Best Practice Internet Gateway Security Policy 7
© 2018 Palo Alto Networks, Inc.
Best Practice Methodology Why is this important?
• Enable User-ID to map application traffic and associated threats to
users/devices.
The firewall can then inspect all traffic—inclusive of applications, threats,
and content—and tie it to the user, regardless of location or device type,
port, encryption, or evasive techniques employed using the native App-ID,
Content-ID, and User-ID technologies.
Complete visibility into the applications, the content, and the users on
your network is the first step toward informed policy control.
Reduce the Attack Surface After you have context into the traffic on your network—applications,
their associated content, and the users who are accessing them—create
application-based Security policy rules to allow those applications that
are critical to your business and additional rules to block all high-risk
applications that have no legitimate use case.
To further reduce your attack surface, enable attach File Blocking and URL
Filtering profiles to all rules that allow application traffic to prevent users
from visiting threat-prone web sites and prevent them from uploading or
downloading dangerous file types (either knowingly or unknowingly). To
prevent attackers from executing successful phishing attacks (the cheapest
and easiest way for them to make their way into your network), configure
credential phishing prevention.
Prevent Known Threats Enable the firewall to scan all allowed traffic for known threats by
attaching security profiles to all allow rules to detect and block network
and application layer vulnerability exploits, buffer overflows, DoS
attacks, and port scans, known malware variants, (including those hidden
within compressed files or compressed HTTP/HTTPS traffic). To enable
inspection of encrypted traffic, enable SSL decryption.
In addition to application-based Security policy rules, create rules for
blocking known malicious IP addresses based on threat intelligence from
Palo Alto Networks and reputable third-party feeds.
Detect Unknown Threats Forward all unknown files to WildFire for analysis. WildFire identifies
unknown or targeted malware (also called advanced persistent threats or
APTs) hidden within files by directly observing and executing unknown
files in a virtualized sandbox environment in the cloud or on the WildFire
appliance. WildFire monitors more than 250 malicious behaviors and, if
it finds malware, it automatically develops a signature and delivers it to
you in as little as five minutes (and now that unknown threat is a known
threat).
8 INTERNET GATEWAY BEST PRACTICE SECURITY POLICY | Best Practice Internet Gateway Security Policy
© 2018 Palo Alto Networks, Inc.
Why Do I Need a Best Practice Internet
Gateway Security Policy?
Unlike legacy port-based security policies that either block everything in the interest of network security,
or enable everything in the interest of your business, a best practice security policy allows you to safely
enable applications by classifying all traffic, across all ports, all the time, including encrypted traffic. By
determining the business use case for each application, you can create security policy rules to allow and
protect access to relevant applications. Simply put, a best practice security policy is a policy that leverages
the next-generation technologies—App-ID, Content-ID, and User-ID—on the Palo Alto Networks enterprise
security platform to:
• Identify applications regardless of port, protocol, evasive tactic or encryption
• Identify and control users regardless of IP address, location, or device
• Protect against known and unknown application-borne threats
• Provide fine-grained visibility and policy control over application access and functionality
A best practice security policy uses a layered approach to ensure that you not only safely enable sanctioned
applications, but also block applications with no legitimate use case. To mitigate the risk of breaking
applications when moving from a port-based enforcement to an application-based enforcement, the
best-practice rulebase provides built-in mechanisms to help you identify gaps in the rulebase and detect
alarming activity and potential threats on your network. These temporary best practice rules ensure that
applications your users are counting on don’t break, while allowing you to monitor application usage and
craft appropriate rules. You may find that some of the applications that were being allowed through existing
port-based policy rules are not necessarily applications that you want to continue to allow or that you want
to limit to a more granular set of users.
Unlike a port-based policy, a best-practice security policy is easy to administer and maintain because each
rule meets a specific goal of allowing an application or group of applications to a specific user group based
on your business needs. Therefore, you can easily understand what traffic the rule enforces by looking at
the match criteria. Additionally, a best-practice security policy rulebase leverages tags and objects to make
the rulebase more scannable and easier to keep synchronized with your changing environment.
INTERNET GATEWAY BEST PRACTICE SECURITY POLICY | Best Practice Internet Gateway Security Policy 9
© 2018 Palo Alto Networks, Inc.
How Do I Deploy a Best Practice Internet
Gateway Security Policy?
Moving from a port-based security policy to an application-based security policy may seem like a daunting
task. However, the security risks of sticking with a port-based policy far outweigh the effort required to
implement an application-based policy. And, while legacy port-based security policies may have hundreds,
if not thousands of rules (many of which nobody in the organization knows the purpose), a best practice
policy has a streamlined set of rules that align with your business goals, simplifying administration and
reducing the chance of error. Because the rules in an application-based policy align with your business goals
and acceptable use policies, you can quickly scan the policy to understand the reason for each and every
rule.
As with any technology, there is usually a gradual approach to a complete implementation, consisting of
carefully planned deployment phases to make the transition as smooth as possible, with minimal impact to
your end users. Generally, the workflow for implementing a best practice internet gateway security policy
is:
Assess your business and identify what you need to protect—The first step in deploying a security
architecture is to assess your business and identify what your most valuable assets are as well as what
the biggest threats to those assets are. For example, if you are a technology company, your intellectual
property is your most valuable asset. In this case, one of your biggest threats would be source code
theft.
Segment Your Network Using Interfaces and Zones—Traffic cannot flow between zones unless there
is a security policy rule to allow it. One of the easiest defenses against lateral movement of an attacker
that has made its way into your network is to define granular zones and only allow access to the specific
user groups who need to access an application or resource in each zone. By segmenting your network
into granular zones, you can prevent an attacker from establishing a communication channel within your
network (either via malware or by exploiting legitimate applications), thereby reducing the likelihood of a
successful attack on your network.
Identify Whitelist Applications—Before you can create an internet gateway best practice security policy,
you must have an inventory of the applications you want to allow on your network, and distinguish
between those applications you administer and officially sanction and those that you simply want users
to be able to use safely. After you identify the applications (including general types of applications) you
want to allow, you can map them to specific best practice rules.
Create User Groups for Access to Whitelist Applications—After you identify the applications you plan to
allow, you must identify the user groups that require access to each one. Because compromising an end
user’s system is one of the cheapest and easiest ways for an attacker to gain access to your network, you
can greatly reduce your attack surface by only allowing access to applications to the user groups that
have a legitimate business need.
Decrypt Traffic for Full Visibility and Threat Inspection—You can’t inspect traffic for threats if you can’t
see it. And today SSL/TLS traffic flows account for 40% or more of the total traffic on a typical network.
This is precisely why encrypted traffic is a common way for attackers to deliver threats. For example,
an attacker may use a web application such as Gmail, which uses SSL encryption, to email an exploit
or malware to employees accessing that application on the corporate network. Or, an attacker may
compromise a web site that uses SSL encryption to silently download an exploit or malware to site
visitors. If you are not decrypting traffic for visibility and threat inspection, you are leaving a very large
surface open for attack.
Create Best Practice Security Profiles for the Internet Gateway—Command and control traffic, CVEs,
drive-by downloads of malicious content, phishing attacks, APTs are all delivered via legitimate
applications. To protect against known and unknown threats, you must attach stringent security profiles
to all Security policy allow rules.
10 INTERNET GATEWAY BEST PRACTICE SECURITY POLICY | Best Practice Internet Gateway Security
Policy
© 2018 Palo Alto Networks, Inc.
Define the Initial Internet Gateway Security Policy—Using the application and user group inventory
you conducted, you can define an initial policy that allows access to all of the applications you want to
whitelist by user or user group. The initial policy rulebase you create must also include rules for blocking
known malicious IP addresses, as well as temporary rules to prevent other applications you might not
have known about from breaking and to identify policy gaps and security holes in your existing design.
Monitor and Fine Tune the Policy Rulebase—After the temporary rules are in place, you can begin
monitoring traffic that matches to them so that you can fine tune your policy. Because the temporary
rules are designed to uncover unexpected traffic on the network, such as traffic running on non-default
ports or traffic from unknown users, you must assess the traffic matching these rules and adjust your
application allow rules accordingly.
Remove the Temporary Rules—After a monitoring period of several months, you should see less and less
traffic hitting the temporary rules. When you reach the point where traffic no longer hits the temporary
rules, you can remove them to complete your best practice internet gateway security policy.
Maintain the Rulebase—Due to the dynamic nature of applications, you must continually monitor your
application whitelist and adapt your rules to accommodate new applications that you decide to sanction
as well to determine how new or modified App-IDs impact your policy. Because the rules in a best
practice rulebase align with your business goals and leverage policy objects for simplified administration,
adding support for a new sanctioned application or new or modified App-ID oftentimes is as simple as
adding or removing an application from an application group or modifying an application filter.
INTERNET GATEWAY BEST PRACTICE SECURITY POLICY | Best Practice Internet Gateway Security Policy 11
© 2018 Palo Alto Networks, Inc.
Identify Whitelist Applications
The application whitelist includes not only the applications you provision and administer for business and
infrastructure purposes, but also other applications that your users may need to use in order to get their
jobs done, and applications you may choose to allow for personal use. Before you can begin creating your
best practice internet gateway security policy, you must create an inventory of the applications you want to
whitelist.
• Map Applications to Business Goals for a Simplified Rulebase
• Use Temporary Rules to Tune the Whitelist
• Application Whitelist Example
12 INTERNET GATEWAY BEST PRACTICE SECURITY POLICY | Best Practice Internet Gateway Security
Policy
© 2018 Palo Alto Networks, Inc.
• Temporary allow rules to give you visibility into all of the applications running on your network so that
you can tune the rulebase.
The temporary rules are a very important part of the initial best practice rulebase. Not only will they give
you visibility into applications you weren’t aware were running on your network (and prevent legitimate
applications you didn’t know about from breaking), but they will also help you identify things such as
unknown users and applications running on non-standard ports. Because attackers commonly use standard
applications on non-standard ports as an evasion technique, allowing applications on any port opens
the door for malicious content. Therefore, you must identify any legitimate applications running on non-
standard ports (for example, internally developed applications) so that you can either modify what ports are
used or create a custom applications to enable them.
Sanctioned These are the applications that your IT department administers specifically
Applications for business use within your organization or to provide infrastructure for your
network and applications. For example, in an internet gateway deployment
these applications fall into the following categories:
• Infrastructure Applications—These are the applications that you must allow
to enable networking and security, such as ping, NTP, SMTP, and DNS.
• IT Sanctioned Applications—These are the applications that you provision
and administer for your users. These fall into two categories:
• IT Sanctioned On-Premise Applications—These are the applications you
install and host in your data center for business use. With IT sanctioned
on-premise applications, the application infrastructure and the data reside
on enterprise-owned equipment. Examples include Microsoft Exchange
and active sync, as well as authentication tools such as Kerberos and
LDAP.
• IT Sanctioned SaaS Applications—SaaS applications are those where the
software and infrastructure are owned and managed by the application
service provider, but where you retain full control of the data, including
who can create, access, share, and transfer it (for example, Salesforce,
Box, and GitHub).
• Administrative Applications—These are applications that only a specific
group of administrative users should have access to in order to administer
applications and support users (for example, remote desktop applications).
General Types of Besides the applications you officially sanction and deploy, you will also want to
Applications allow your users to safely use other types of applications:
• General Business Applications—For example, allow access to software
updates, and web services, such as WebEx, Adobe online services, and
Evernote.
INTERNET GATEWAY BEST PRACTICE SECURITY POLICY | Best Practice Internet Gateway Security Policy 13
© 2018 Palo Alto Networks, Inc.
Application Type Best Practice for Securing
• Personal Applications—For example, you may want to allow your users to
browse the web or safely use web-based mail, instant messaging, or social
networking applications.
The recommended approach here is to begin with wide application filters
so you can gain an understanding of what applications are in use on your
network. You can then decide how much risk you are willing to assume and
begin to pare down the application whitelist. For example, suppose you find that
Box, Dropbox, and Office 365 file-sharing applications are all on use on your
network. Each of these applications has an inherent risk associated with it, from
data leakage to risks associated with transfer of malware-infected files. The best
approach would be to officially sanction a single file-sharing application and
then begin to phase out the others by slowly transitioning from an allow policy
to an alert policy, and finally, after giving users ample warning, a block policy
for all file sharing applications except the one you choose to sanction. In this
case, you might also choose to enable a small group of users to continue using
an additional file-sharing application as needed to perform job functions with
partners.
Custom Applications If you have proprietary applications on your network or applications that you
Specific to Your run on non-standard ports, it is a best practice to create custom applications
Environment for each of them. This way you can allow the application as a sanctioned
application and lock it down to its default port. Otherwise you would either
have to open up additional ports (for applications running on non-standard
ports), or allow unknown traffic (for proprietary applications), neither of which
are recommended in a best practice Security policy.
14 INTERNET GATEWAY BEST PRACTICE SECURITY POLICY | Best Practice Internet Gateway Security
Policy
© 2018 Palo Alto Networks, Inc.
Create User Groups for Access to Whitelist
Applications
Safely enabling applications means not only defining the list of applications you want to allow, but also
enabling access only for those users who have a legitimate business need. For example, some applications,
such as SaaS applications that enable access to Human Resources services (such as Workday or Service
Now) must be available to any known user on your network. However, for more sensitive applications you
can reduce your attack surface by ensuring that only users who need these applications can access them.
For example, while IT support personnel may legitimately need access to remote desktop applications, the
majority of your users do not. Limiting user access to applications prevents potential security holes for an
attacker to gain access to and control over systems in your network.
To enable user-based access to applications:
Enable User-ID in zones from which your users initiate traffic.
For each application whitelist rule you define, identify the user groups that have a legitimate business
need for the applications allowed by the rule. Keep in mind that because the best practice approach is
to map the application whitelist rules to your business goals (which includes considering which users
have a business need for a particular type of application), you will have a much smaller number of rules
to manage than if you were trying to map individual port-based rules to users.
If you don’t have an existing group on your AD server, you can alternatively create custom LDAP groups
to match the list of users who need access to a particular application.
It just takes one end user to click on a phishing link and supply their credentials to enable an attacker to
gain access to your network. To defend against this very simple and effective attack technique, Set up
credential phishing protection on all of your Security policy rules that allow user access to the internet.
Configure credential detection with the Windows-based User-ID agent to ensure that you can detect
when your users are submitting their corporate credentials to a site in an unauthorized category.
INTERNET GATEWAY BEST PRACTICE SECURITY POLICY | Best Practice Internet Gateway Security Policy 15
© 2018 Palo Alto Networks, Inc.
Decrypt Traffic for Full Visibility and Threat
Inspection
The best practice security policy dictates that you decrypt all traffic except sensitive categories, which
include Health, Finance, Government, Military, and Shopping.
Use decryption exceptions only where required, and be precise to ensure that you are limiting the exception
to a specific application or user based on need only:
• If decryption breaks an important application, create an exception for the specific IP address, domain, or
common name in the certificate associated with the application.
• If a specific user needs to be excluded for regulatory or legal reasons, create an exception for just that
user.
To ensure that certificates presented during SSL decryption are valid, configure the firewall to perform
CRL/OCSP checks.
Best practice Decryption policy rules include a strict Decryption Profile. Before you configure SSL Forward
Proxy, create a best practice Decryption Profile (Objects > Decryption Profile) to attach to your Decryption
policy rules:
STEP 1 | Configure the SSL Decryption > SSL Forward Proxy settings to block exceptions during SSL
negotiation and block sessions that can’t be decrypted:
STEP 2 | Configure the SSL Decryption > SSL Protocol Settings to block use of vulnerable SSL/TLS
versions (TLS 1.0 and SSLv3) and to avoid weak algorithms (MD5, RC4, and 3DES):
16 INTERNET GATEWAY BEST PRACTICE SECURITY POLICY | Best Practice Internet Gateway Security
Policy
© 2018 Palo Alto Networks, Inc.
STEP 3 | For traffic that you are not decrypting, configure the No Decryption settings to block
encrypted sessions to sites with expired certificates or untrusted issuers:
INTERNET GATEWAY BEST PRACTICE SECURITY POLICY | Best Practice Internet Gateway Security Policy 17
© 2018 Palo Alto Networks, Inc.
Create Best Practice Security Profiles for the
Internet Gateway
Most malware sneaks onto the network in legitimate applications or services. Therefore, to safely enable
applications you must scan all traffic allowed into the network for threats. To do this, attach security
profiles to all Security policy rules that allow traffic so that you can detect threats—both known and
unknown—in your network traffic. The following are the recommended best practice settings for each of
the security profiles that you should attach to every Security policy rule on your internet gateway policy
rulebase.
Consider adding the best practice security profiles to a default security profile group so that it
will automatically attach to any new Security policy rules you create.
18 INTERNET GATEWAY BEST PRACTICE SECURITY POLICY | Best Practice Internet Gateway Security
Policy
© 2018 Palo Alto Networks, Inc.
Why do I need this profile?
There are many ways for attackers to deliver malicious files: as attachments or links in corporate email or
in webmail, links or IMs in social media, Exploit Kits, through file sharing applications (such as FTP, Google
Drive, or Dropbox), or on USB drives. Attaching the strict file blocking profile reduces your attack surface by
preventing these types of attacks.
What if I can’t block all of the file types covered in the predefined strict profile?
If you have mission-critical applications that prevent you from blocking all of the file types included in the
predefined strict profile, you can clone the profile and modify it for those users who must transfer a file
type covered by the predefined profile. If you choose not to block all PE files per the recommendation,
make sure you send all unknown files to WildFire for analysis. Additionally, set the Action to continue to
prevent drive-by downloads, which is when an end user downloads content that installs malicious files, such
as Java applets or executables, without knowing they are doing it. Drive-by downloads can occur when
users visit web sites, view email messages, or click into pop-up windows meant to deceive them. Educate
your users that if they are prompted to continue with a file transfer they didn’t knowingly initiate, they may
be subject to a malicious download. In addition, using file blocking in conjunction with URL filtering to limit
the categories in which users can transfer files is another good way to reduce the attack surface when you
find it necessary to allow file types that may carry threats.
INTERNET GATEWAY BEST PRACTICE SECURITY POLICY | Best Practice Internet Gateway Security Policy 19
© 2018 Palo Alto Networks, Inc.
Best Practice Internet Gateway Vulnerability Protection Profile
Attach a Vulnerability Protection profile to all allowed traffic to protect against buffer overflows, illegal
code execution, and other attempts to exploit client- and server-side vulnerabilities. The best practice
profile is a clone of the predefined Strict profile, with single-packet capture (PCAP) settings enabled to help
you track down the source of any potential attacks.
20 INTERNET GATEWAY BEST PRACTICE SECURITY POLICY | Best Practice Internet Gateway Security
Policy
© 2018 Palo Alto Networks, Inc.
Don’t enable PCAP for informational activity because it generates a relatively high volume of that traffic
and it’s not particularly useful compared to potential threats. Apply extended PCAP (as opposed to single
PCAP) to high-value traffic to which you apply the alert Action. Apply PCAP using the same logic you use
to decide what traffic to log—take PCAPs of the traffic you log. Apply single PCAP to traffic you block. The
default number of packets that extended PCAP records and sends to the management plane is five packets,
which is the recommended value. In most cases, capturing five packets provides enough information to
analyze the threat. If too much PCAP traffic is sent to the management plane, then capturing more than five
packets may result in dropping PCAPs.
To create this profile, clone the predefined strict profile and make sure to enable DNS sinkhole and packet
capture to help you track down the endpoint that attempted to resolve the malicious domain.
INTERNET GATEWAY BEST PRACTICE SECURITY POLICY | Best Practice Internet Gateway Security Policy 21
© 2018 Palo Alto Networks, Inc.
Best Practice Internet Gateway URL Filtering Profile
As a best practice, use PAN-DB URL filtering to prevent access to web content that is at high-risk for being
malicious. Attach a URL Filtering profile to all rules that allow access to web-based applications to protect
against URLs that have been observed hosting malware or exploitive content.
The best practice URL Filtering profile sets all known dangerous URL categories to block. These include
command-and-control, copyright-infringement, dynamic-dns, extremism, malware, phishing, proxy-
avoidance-and-anonymizers, unknown, and parked. Failure to block these dangerous categories puts you at
risk for exploit infiltration, malware download, command and control activity, and data exfiltration.
In addition to blocking known bad categories, you should also alert on all other categories so that you
have visibility into the sites your users are visiting. If you need to phase in a block policy, set categories
to continue and create a custom response page to educate users on your acceptable use policies and
alert them to the fact that they are visiting a site that may pose a threat. This will pave the way for you to
outright block the categories after a monitoring period.
22 INTERNET GATEWAY BEST PRACTICE SECURITY POLICY | Best Practice Internet Gateway Security
Policy
© 2018 Palo Alto Networks, Inc.
• copyright-infringement—Domains with illegal content, such as content that allows illegal download
of software or other intellectual property. This category was introduced to enable adherence to child
protection laws required in the education industry as well as laws in countries that require internet
providers to prevent users from sharing copyrighted material through their service.
• extremism—Websites promoting terrorism, racism, fascism or other extremist views discriminating
people or groups of different ethnic backgrounds, religions or other beliefs. This category was
introduced to enable adherence to child protection laws required in the education industry.
• parked—Domains registered by individuals, oftentimes later found to be used for credential phishing.
These domains may be similar to legitimate domains, for example, pal0alto0netw0rks.com, with the
intent of phishing for credentials or personal identify information. Or, they may be domains that an
individual purchases rights to in hopes that it may be valuable someday, such as panw.net.
INTERNET GATEWAY BEST PRACTICE SECURITY POLICY | Best Practice Internet Gateway Security Policy 23
© 2018 Palo Alto Networks, Inc.
Define the Initial Internet Gateway Security
Policy
The overall goal of a best practice internet gateway security policy is to use positive enforcement of
whitelist applications. However, it takes some time to identify exactly what applications are running on your
network, which of these applications are critical to your business, and who the users are that need access to
each one. The best way to accomplish the end goal of a policy rulebase that includes only application allow
rules is to create an initial policy rulebase that liberally allows both the applications you officially provision
for your users as well as other general business and, if appropriate, personal applications. This initial policy
also includes additional rules that explicitly block known malicious IP addresses, bad applications as well as
some temporary allow rules that are designed to help you refine your policy and prevent applications your
users may need from breaking while you transition to the best practices.
The following topics describe how to create the initial rulebase and describe why each rule is necessary and
what the risks are of not following the best practice recommendation:
• Step 1: Create Rules Based on Trusted Threat Intelligence Sources
• Step 2: Create the Application Whitelist Rules
• Step 3: Create the Application Block Rules
• Step 4: Create the Temporary Tuning Rules
• Step 5: Enable Logging for Traffic that Doesn’t Match Any Rules
STEP 1 | Block traffic to and from IP addresses that Palo Alto Networks has identified as malicious.
This rule protects you against IP addresses • One rule blocks outbound traffic to known
that Palo Alto Networks has proven to be malicious IP addresses, while another rule
used almost exclusively to distribute malware, blocks inbound traffic to those addresses.
initiate command-and-control activity, and • Set the external dynamic list Palo Alto
launch attacks. Networks - Known malicious IP addresses
as the Destination address for the outbound
traffic rule, and as the Source address for the
inbound traffic rule.
• Deny traffic that match these rules.
• Enable logging for traffic matching these rules
so that you can investigate potential threats
on your network.
• Because these rules are intended to catch
malicious traffic, it matches to traffic from any
user running on any port.
24 INTERNET GATEWAY BEST PRACTICE SECURITY POLICY | Best Practice Internet Gateway Security
Policy
© 2018 Palo Alto Networks, Inc.
STEP 2 | Log traffic to and from high-risk IP addresses from trusted threat advisories.
Although Palo Alto Networks has no direct • One rule logs outbound traffic to high-risk IP
evidence of the maliciousness of the IP addresses, while another rule logs inbound
addresses in the high-risk IP address feed, traffic to those addresses.
you should monitor these IP addresses • Set the external dynamic list Palo Alto
since threat advisories have linked them to Networks - High risk IP addresses as the
malicious behavior. Destination address for the outbound traffic
You can use these rules to filter your Traffic rule, and as the Source address for the
logs and decide whether to block high-risk IP inbound traffic rule.
addresses based on the log activity. • Allow access for traffic matching this rule, but
enable logging so that you can investigate a
potential threat on your network.
• Because this rule is intended to catch
malicious traffic, it matches to traffic from any
user running on any port.
STEP 3 | (MineMeld users only) Block traffic from inbound IP addresses that trusted third-party feeds
have identified as malicious.
INTERNET GATEWAY BEST PRACTICE SECURITY POLICY | Best Practice Internet Gateway Security Policy 25
© 2018 Palo Alto Networks, Inc.
Why do I need this rule? Rule Highlights
applications and potential threats on your
network.
• Because this rule is intended to catch
malicious traffic, it matches to traffic from any
user running on any port.
Access to DNS is required to provide network • Because this rule is very specific, place it at the top
infrastructure services, but it is commonly of the rulebase.
exploited by attackers. • Create an address object to use for the destination
Allowing access only on your internal DNS server address to ensure that users only access the DNS
reduces your attack surface. server in your data center.
• Because users will need access to these services
before they are logged in, you must allow access to
any user.
26 INTERNET GATEWAY BEST PRACTICE SECURITY POLICY | Best Practice Internet Gateway Security
Policy
© 2018 Palo Alto Networks, Inc.
STEP 2 | Allow access to other required IT infrastructure resources.
Enable the applications that provide your network • Because these applications run on the default port,
infrastructure and management functions, such as allow access to any user (users may not yet be a
NTP, OCSP, STUN, and ping. known-user because of when these services are
While DNS traffic allowed in the preceding rule is needed), and all have a destination address of any,
restricted to the destination address in the data contain them in a single application group and
center, these applications may not reside in your create a single rule to enable access to all of them.
data center and therefore require a separate rule. • Users may not have logged in yet at the time they
need access to the infrastructure applications, so
make sure this rule allows access to any user.
With SaaS applications, your proprietary data is in • Create an application group to group all sanctioned
the cloud. This rule ensures that only your known SaaS applications.
users have access to these applications (and the • SaaS applications should always run on the
underlying data). application default port.
Scan allowed SaaS traffic for threats. • Restrict access to your known users. See Create
User Groups for Access to Whitelist Applications.
Business-critical data center applications are • Create an application group to group all data
often leveraged in attacks during the exfiltration center applications.
stage, using applications such as FTP, or in the • Create an address group for your data center
lateral movement stage by exploiting application server addresses.
vulnerabilities. • Restrict access to your known users. See Create
Many data center applications use multiple ports; User Groups for Access to Whitelist Applications.
setting the Service to application-default safely
enables the applications on their standard ports.
You should not allow applications on non-standard
ports because it is often associated with evasive
behavior.
INTERNET GATEWAY BEST PRACTICE SECURITY POLICY | Best Practice Internet Gateway Security Policy 27
© 2018 Palo Alto Networks, Inc.
STEP 5 | Allow access to applications your administrative users need.
To reduce your attack surface, Create User Groups • This rule restricts access to users in the IT_admins
for Access to Whitelist Applications. group.
Because administrators often need access to • Create a custom application for each internal
sensitive account data and remote access to other application or application that runs on non-
systems (for example RDP), you can greatly reduce standard ports so that you can enforce them on
your attack surface by only allowing access to the their default ports rather than opening additional
administrators who have a business need. ports on your network.
• If you have different user groups for different
applications, create separate rules for granular
control.
Beyond the applications you sanction for use and • Restrict access to your known users. See Create
administer for your users, there are a variety of User Groups for Access to Whitelist Applications.
applications that users may commonly use for • For visibility, Create an application filter for each
business purposes, for example to interact with type of application you want to allow.
partners, such as WebEx, Adobe online services, • Attach the best practice security profiles to ensure
or Evernote, but which you may not officially that all traffic is free of known and unknown
sanction. threats. See Create Best Practice Security Profiles
Because malware often sneaks in with legitimate for the Internet Gateway.
web-based applications, this rule allows you to
safely allow web browsing while still scanning for
threats. See Create Best Practice Security Profiles
for the Internet Gateway.
As the lines blur between work and personal • Restrict access to your known users. See Create
devices, you want to ensure that all applications User Groups for Access to Whitelist Applications.
your users access are safely enabled and free of • For visibility, create an application filter for each
threats. type of application you want to allow.
By using application filters, you can safely enable
access to personal applications when you create
28 INTERNET GATEWAY BEST PRACTICE SECURITY POLICY | Best Practice Internet Gateway Security
Policy
© 2018 Palo Alto Networks, Inc.
Why do I need this rule? Rule Highlights
this initial rulebase. After you assess what • Scan all traffic for threats by attaching your best
applications are in use, you can use the information practice security profile group. See Create Best
to decide whether to remove the filter and allow a Practice Security Profiles for the Internet Gateway.
smaller subset of personal applications appropriate
for your acceptable use policies.
While the previous rule allowed access to personal • Use the same best practice security profiles as
applications (many of them browser-based), this the other rules, except the Best Practice Internet
rule allows general web browsing. Gateway File Blocking Profile profile, which is
General web browsing is more risk-prone than more stringent because general web browsing
other types of application traffic. You must Create traffic is more vulnerable to threats.
Best Practice Security Profiles for the Internet • Allow only known users, to prevent devices with
Gateway and attach them to this rule in order to malware or embedded devices from reaching the
safely enable web browsing. internet.
Because threats often hide in encrypted traffic, • Use application filters to allow access to general
you must Decrypt Traffic for Full Visibility and types of applications.
Threat Inspection if you want to safely enable web • Explicitly allow SSL as an application to allow users
browsing. to browse to HTTPS sites that are excluded from
decryption.
• Set the Service to service-http and service-https
to allow decrypted SSL traffic on TCP port 443.
INTERNET GATEWAY BEST PRACTICE SECURITY POLICY | Best Practice Internet Gateway Security Policy 29
© 2018 Palo Alto Networks, Inc.
things you didn’t know were running on your network, they allow traffic that could also pose security
risks on your network. Therefore, before you can create the temporary rules, you must create rules that
explicitly blacklist applications designed to evade or bypass security or that are commonly exploited by
attackers, such as public DNS and SMTP, encrypted tunnels, remote access, and non-sanctioned file-sharing
applications.
Each of the tuning rules you will define in Step 4: Create the Temporary Tuning Rules are
designed to identify a specific gap in your initial policy. Therefore some of these rules will
need to go above the application block rules and some will need to go after.
Block nefarious applications such as • Use the Drop Action to silently drop the
encrypted tunnels and peer-to-peer file traffic without sending a signal to the client or
sharing, as well as web-based file sharing the server.
applications that are not IT sanctioned. • Enable logging for traffic matching this
Because the tuning rules that follow are rule so that you can investigate misuse of
designed to allow traffic with malicious intent applications and potential threats on your
or legitimate traffic that is not matching your network.
policy rules as expected, these rules could • Because this rule is intended to catch
also allow risky or malicious traffic into your malicious traffic, it matches to traffic from any
network. This rule prevents that by blocking user running on any port.
traffic that has no legitimate use case and that
could be used by an attacker or a negligent
user.
Block public DNS/SMTP applications to avoid • Use the Reset both client and server Action
DNS tunneling, command and control traffic, to send a TCP reset message to both the
and remote administration. client-side and server-side devices.
• Enable logging for traffic matching this rule so
that you can investigate a potential threat on
your network.
30 INTERNET GATEWAY BEST PRACTICE SECURITY POLICY | Best Practice Internet Gateway Security
Policy
© 2018 Palo Alto Networks, Inc.
Step 4: Create the Temporary Tuning Rules
The temporary tuning rules are explicitly designed to help you monitor the initial best practice rulebase
for gaps and alert you to alarming behavior. For example, you will create temporary rules to identify traffic
that is coming from unknown user or applications running on unexpected ports. By monitoring the traffic
matching on the temporary rules you can also gain a full understanding of all of the applications in use on
your network (and prevent applications from breaking while you transition to a best practice rulebase). You
can use this information to help you fine tune your whitelist, either by adding new whitelist rules to allow
applications you weren’t aware were needed or to narrow your whitelist rules to remove application filters
and instead allow only specific applications in a particular category. When traffic is no longer hitting these
rules you can Remove the Temporary Rules.
Some of the temporary tuning rules must go above the rules to block bad applications and
some must go after to ensure that targeted traffic hits the appropriate rule, while still ensuring
that bad traffic is not allowed onto your network.
STEP 1 | Allow web-browsing and SSL on non-standard ports for known users to determine if there are
any legitimate applications running on non-standard ports.
This rule helps you determine if you have any • Unlike the whitelist rules that allow
gaps in your policy where users are unable to applications on the default port only, this
access legitimate applications because they rule allows web-browsing and SSL traffic on
are running on non-standard ports. any port so that you can find gaps in your
You must monitor all traffic that matches whitelist.
this rule. For any traffic that is legitimate, • Because this rule is intended to find gaps
you should tune the appropriate allow rule to in policy, limit it to known users on your
include the application, and creating a custom network. See Create User Groups for Access
application where appropriate. to Whitelist Applications.
• Make sure you also explicitly allow SSL as an
application here if you want to allow users
to be able to browse to HTTPS sites that
aren’t decrypted (such as financial services
and healthcare sites).
• You must add this rule above the application
block rules or no traffic will hit this rule.
STEP 2 | Allow web-browsing and SSL traffic on non-standard ports from unknown users to highlight all
unknown users regardless of port.
This rule helps you determine whether you • While the majority of the application whitelist
have gaps in your User-ID coverage. rules apply to known users or specific user
groups, this rule explicitly matches traffic
from unknown users.
INTERNET GATEWAY BEST PRACTICE SECURITY POLICY | Best Practice Internet Gateway Security Policy 31
© 2018 Palo Alto Networks, Inc.
Why do I need this rule? Rule Highlights
This rule also helps you identify compromised • This rule must go above the application block
or embedded devices that are trying to reach rules or traffic will never hit it.
the internet. • Because it is an allow rule, you must attach
It is important to block non-standard port the best practice security profiles to scan for
usage, even for web-browsing traffic, because threats.
it is usually an evasion technique.
STEP 3 | Allow all applications on the application-default port to identify unexpected applications.
This rule provides visibility into applications • Because this rule allows all applications, you
that you weren’t aware were running on must add it after the application block rules
your network so that you can fine-tune your to prevent bad applications from running on
application whitelist. your network.
Monitor all traffic matching this rule to • If you are running PAN-OS 7.0.x or earlier,
determine whether it represents a potential to appropriately identify unexpected
threat, or whether you need to modify your applications, you must create an application
whitelist rules to allow the traffic. filterthat includes all applications, instead of
setting the rule to allow any application.
STEP 4 | Allow any application on any port to identify applications running where they shouldn’t be.
This rule helps you identify legitimate, known • Because this is a very general rule that allows
applications running on unknown ports. any application from any user on any port, it
This rule also helps you identify unknown must come at the end of your rulebase.
applications for which you need to create a • Enable logging for traffic matching this rule
custom application to add to your application so that you can investigate for misuse of
whitelist. applications and potential threats on your
Any traffic matching this rule is actionable network or identify legitimate applications
and requires that you track down the source that require a custom application.
of the traffic and ensure that you are not
allowing any unknown tcp, udp or non-syn-
tcp traffic.
32 INTERNET GATEWAY BEST PRACTICE SECURITY POLICY | Best Practice Internet Gateway Security
Policy
© 2018 Palo Alto Networks, Inc.
Step 5: Enable Logging for Traffic that Doesn’t Match Any Rules
Traffic that does not match any of the rules you defined will match the predefined interzone-default rule at
the bottom of the rulebase and be denied. For visibility into the traffic that is not matching any of the rules
you created, enable logging on the interzone-default rule:
STEP 1 | Select the interzone-default row in the rulebase and click Override to enable editing on this
rule.
STEP 2 | Select the interzone-default rule name to open the rule for editing.
STEP 3 | On the Actions tab, select Log at Session End and click OK.
STEP 4 | Create a custom report to monitor traffic that hits this rule.
1. Select Monitor > Manage Custom Reports.
2. Add a report and give it a descriptive Name.
3. Set the Database to Traffic Summary.
4. Select the Scheduled check box.
5. Add the following to the Selected Columns list: Rule, Application, Bytes, Sessions.
6. Set the desired Time Frame, Sort By and Group By fields.
7. Define the query to match traffic hitting the interzone-default rule:
(rule eq 'interzone-default')
INTERNET GATEWAY BEST PRACTICE SECURITY POLICY | Best Practice Internet Gateway Security Policy 33
© 2018 Palo Alto Networks, Inc.
Monitor and Fine Tune the Policy Rulebase
A best practice security policy is iterative. It is a tool for safely enabling applications, users, and content
by classifying all traffic, across all ports, all the time. As soon as you Define the Initial Internet Gateway
Security Policy, you must begin to monitor the traffic that matches the temporary rules designed to identify
policy gaps and alarming behavior and tune your policy accordingly. By monitoring traffic hitting these
rules, you can make appropriate adjustments to your rules to either make sure all traffic is hitting your
whitelist application allow rules or assess whether particular applications should be allowed. As you tune
your rulebase, you should see less and less traffic hitting these rules. When you no longer see traffic hitting
these rules, it means that your positive enforcement whitelist rules are complete and you can Remove the
Temporary Rules.
Because new App-IDs are added in weekly content releases, you should review the impact
the changes in App-IDs have on your policy.
STEP 1 | Create custom reports that let you monitor traffic that hits the rules designed to identify policy
gaps.
1. Select Monitor > Manage Custom Reports.
2. Add a report and give it a descriptive Name that indicates the particular policy gap you are
investigating, such as Best Practice Policy Tuning.
3. Set the Database to Traffic Summary.
4. Select the Scheduled check box.
5. Add the following to the Selected Columns list: Rule, Application, Bytes, Sessions.
6. Set the desired Time Frame, Sort By and Group By fields.
7. Define the query to match traffic hitting the rules designed to find policy gaps and alarming behavior.
You can create a single report that details traffic hitting any of the rules (using the or operator), or
create individual reports to monitor each rule. Using the rule names defined in the example policy,
you would enter the corresponding queries:
• (rule eq 'Unexpected Port SSL and Web')
• (rule eq 'Unknown User SSL and Web')
• (rule eq 'Unexpected Traffic')
• (rule eq 'Unexpected Port Usage')
34 INTERNET GATEWAY BEST PRACTICE SECURITY POLICY | Best Practice Internet Gateway Security
Policy
© 2018 Palo Alto Networks, Inc.
STEP 2 | Review the report regularly to make sure you understand why traffic is hitting each of the best
practice policy tuning rules and either update your policy to include legitimate applications
and users, or use the information in the report to assess the risk of that application usage and
implement policy reforms.
INTERNET GATEWAY BEST PRACTICE SECURITY POLICY | Best Practice Internet Gateway Security Policy 35
© 2018 Palo Alto Networks, Inc.
Remove the Temporary Rules
After several months of monitoring your initial internet gateway best practice security policy, you should
see less and traffic hitting the temporary rules as you make adjustments to the rulebase. When you no
longer see any traffic hitting these rules, you have achieved your goal of transitioning to a fully application-
based Security policy rulebase. At this point, you can finalize your policy rulebase by removing the
temporary rules, which includes the rules you created to block bad applications and the rules you created
for tuning the rulebase.
36 INTERNET GATEWAY BEST PRACTICE SECURITY POLICY | Best Practice Internet Gateway Security
Policy
© 2018 Palo Alto Networks, Inc.
Maintain the Rulebase
Because applications are always evolving, your application whitelist will need to evolve also. Each time
you make a change in what applications you sanction, you must make a corresponding policy change. As
you do this, instead of just adding a new rule like you would do with a port-based policy, instead identify
and modify the rule that aligns with the business use case for the application. Because the best practice
rules leverage policy objects for simplified administration, adding support for a new application or removing
an application from your whitelist typically means modifying the corresponding application group or
application filter accordingly.
Additionally, installing new App-IDs included in a content release version can sometimes cause a change
in policy enforcement for applications with new or modified App-IDs. Therefore, before installing a new
content release, review the policy impact for new App-IDs and stage any necessary policy updates. Assess
the treatment an application receives both before and after the new content is installed. You can then
modify existing Security policy rules using the new App-IDs contained in a downloaded content release
(prior to installing the App-IDs). This enables you to simultaneously update your security policy rules and
install new content, and allows for a seamless shift in policy enforcement. Alternatively, you can choose
to disable new App-IDs when installing a new content release version; this enables protection against the
latest threats, while giving you the flexibility to enable the new App-IDs after you've had the chance to
prepare any policy changes.
STEP 1 | Before installing a new content release version, review the new App-IDs to determine if there
is policy impact.
STEP 2 | Disable new App-IDs introduced in a content release, in order to immediately benefit from
protection against the latest threats while continuing to have the flexibility to later enable
App-IDs after preparing necessary policy updates. You can disable all App-IDs introduced in
a content release, set scheduled content updates to automatically disable new App-IDs, or
disable App-IDs for specific applications.
STEP 3 | Tune security policy rules to account for App-ID changes included in a content releaseor to add
new sanctioned applications to or remove applications from your application whitelist rules.
INTERNET GATEWAY BEST PRACTICE SECURITY POLICY | Best Practice Internet Gateway Security Policy 37
© 2018 Palo Alto Networks, Inc.
38 INTERNET GATEWAY BEST PRACTICE SECURITY POLICY | Best Practice Internet Gateway Security
Policy