Data Center Best Practices
Policy
Version 10.1
docs.paloaltonetworks.com
Contact Information
Corporate Headquarters:
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact-support.html
Copyright
Palo Alto Networks, Inc.
www.paloaltonetworks.com
©2021 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto
Networks. A list of our trademarks can be found at www.paloaltonetworks.com/company/
trademarks.html. All other marks mentioned herein may be trademarks of their respective
companies.
Last Revised
March 9, 2021
Data Center Best Practice Security Policy Version 10.1 2 ©2021 Palo Alto Networks, Inc.
Table of Contents
Data Center Security Policy Best Practices Checklist ..... 5
Plan Your Data Center Best Practice Deployment ..... 6
Deploy Data Center Best Practices ..... 9
Global Data Center Objects, Policies, and Actions ..... 9
User Data Center Traffic Policies ..... 13
Internet-to-Data-Center Traffic Policies ..... 17
Data-Center-to-Internet Traffic Policies ..... 18
Intra-Data-Center Traffic Policies ..... 20
Data Center Security Policy Rulebase Order ..... 21
Follow Post-Deployment Data Center Best Practices ..... 23
Data Center Security Policy Best Practices Checklist
Your enterprise’s most valuable assets reside in your data center, including proprietary source code, intellectual property, and sensitive company and customer data. Your customers and employees trust you to maintain the confidentiality and integrity of their data and expect that data to be always available, so it’s important to implement a data center best practice security policy that safeguards your data and prevents successful attacks. It’s not enough to harden the network perimeter: attacks can originate from inside the network, attacks can come from partners and contractors whose credentials have been compromised, and an attacker who gains a foothold in your network can attack from the inside by moving laterally from device to device.
If you are familiar with the Palo Alto Networks platform, you can save time by using this streamlined checklist to implement pre-deployment, deployment, and post-deployment data center security policy best practices. Each section includes links to detailed information in the full Data Center Best Practice Security Policy document or in the PAN-OS 10.1 Admin Guide, including how to configure policy rules and Security profiles.
STEP 2 | Work with stakeholders such as IT/support, security, and groups that require data center access such as engineering, legal, finance, and HR, to develop an access strategy.
Identify users who need access, and the assets to which they need access. Understanding this enables you to create user groups based on access level requirements so you can design efficient Security policy rules by user group.
Identify the applications you want to allow (sanction) in the data center. To reduce the attack surface, only sanction applications for legitimate business reasons.
STEP 3 | Assess your data center to understand its current state so you can create a plan to transform data center security to the desired future state.
Inventory the physical and virtual environment and assets, including:
Servers, routers, switches, security devices, load balancers, and other network infrastructure.
Standard and proprietary custom applications and the service accounts they use to communicate. Compare the application inventory list to the list of applications you want to sanction.
Focus on the applications you want to allow, because your allow-list Security policy rules allow them and by default deny all other applications, which reduces the attack surface. Map applications to business requirements. If an application doesn’t map to a business requirement, evaluate whether you really need to allow it.
Assess each asset to help prioritize what to protect first. Ask yourself questions such as, “What defines and differentiates our company?”, “What systems must be available for daily operations?”, and “If I lost this asset, what are the consequences?”
Work with application, network, and enterprise architects, and with business representatives, to characterize data center traffic flows and learn about typical baseline traffic loads and patterns so you understand normal network behavior. Use the Application Command Center widgets and traffic analysis tools to baseline traffic.
STEP 4 | Create a Data Center Segmentation Strategy to prevent malware that gains a foothold in your data center from moving laterally to infect other systems.
Use firewalls as segmentation gateways to provide visibility into data center traffic and systems so you can finely control who can use which applications to access which devices. Segment and secure non-virtualized servers with physical firewalls and the virtual network with VM-Series firewalls.
Use the firewall’s flexible segmentation tools such as zones, dynamic address groups, App-ID, and User-ID to design a granular segmentation strategy that protects sensitive servers and data.
Group assets that perform similar functions and require the same level of security in the same segment.
Segment data center applications by segmenting the server tiers that make up an application tier (typically a service chain composed of a web server tier, an application server tier, and a database server tier) and using the firewall to control and inspect traffic between tiers.
Consider using an SDN solution inside the data center for an agile, virtualized infrastructure that maximizes resource utilization and makes automation and scaling easier.
STEP 5 | Plan to use best practice methodology to inspect all data center traffic and gain complete visibility, reduce the attack surface, and prevent known and unknown threats.
Position physical or virtual firewalls where they can see all data center network traffic.
Take advantage of the firewall’s powerful toolset to create application-based Security policy rules tied to specific user groups and protected by Security profiles. Forward unknown files to WildFire and deploy decryption to prevent threats from entering the data center in encrypted traffic.
Use GlobalProtect in internal mode as a gateway to control data center access.
Authenticate users to prevent unauthorized access and configure Multi-Factor Authentication for access to sensitive applications, services, and servers, especially by contractors, partners, and other third parties who require access to your data center.
Manage firewalls centrally with Panorama to enforce consistent policy across physical and virtual environments and for centralized visibility.
If you have multiple data centers, reuse templates and template stacks to apply consistent security policy across different locations.
STEP 6 | Phase in your best practice deployment over time; start by focusing on the most likely threats to your business and network, and protect your most valuable assets first.
Taking into account all of the data center users, applications, devices, and traffic flows, and then creating best practice Security policy around them may seem like an overwhelming task if you try to do everything at one time. But by protecting your most valuable assets first and planning a phased, gradual implementation, you can transition in a smooth and practical way from a hope-for-the-best Security policy to a best practice Security policy that safely enables applications, users, and content.
For Security, Authentication, and DoS policy rules, configure log forwarding to Panorama or external services to centralize logs for convenient viewing and analysis, with notifications.
STEP 2 | Configure tight data center best practice Security profiles to prevent threats from disrupting your data center network.
Configure the best practice Antivirus profile by cloning the predefined profile and changing the imap, pop3, and smtp decoder values to reset-both in the Action and WildFire Action columns.
Configure the best practice Anti-Spyware profile by cloning the predefined strict profile. On the Rules tab, enable single packet capture on medium, high, and critical severity threats for traffic you log. (For traffic you don’t log, apply a separate profile without packet capture enabled.)
On the DNS Signatures tab, change the Action on DNS Queries to sinkhole if the firewall can’t see the originator of the DNS query (typically when the firewall is north of the local DNS server) so that you can identify infected hosts. DNS sinkhole identifies and tracks potentially compromised hosts that attempt to access suspicious domains and prevents them from accessing those domains. Enable extended packet capture on the sinkholed traffic.
Configure the best practice Vulnerability Protection profile by cloning the predefined strict profile and changing the Packet Capture setting for every rule except simple-client-informational and simple-server-informational to single-packet. If the firewall identifies a large volume of vulnerability threats and that affects performance, disable packet capture for low-severity events.
The predefined strict File Blocking profile is the best practice profile. If supporting critical applications prevents you from blocking all the file types the strict profile blocks (you can identify the file types used in the data center from data filtering logs at Monitor > Logs > Data Filtering), clone the strict profile and modify it as needed. If files don’t need to flow in both directions, use the Direction setting to restrict the file type to only the required direction.
The predefined WildFire Analysis profile is the best practice profile. WildFire provides the best defense against unknown threats and advanced persistent threats (APTs).
STEP 3 | Configure tight data center best practice Decryption profiles to prevent unknown traffic from entering your data center.
Perform CRL/OCSP checks to ensure that certificates presented during SSL decryption are valid.
SSL Protocol Settings: Set the Min Version to TLSv1.2, the Max Version to Max, and uncheck the SHA1 Authentication Algorithm. (The weak 3DES and RC4 Encryption Algorithms are automatically unchecked when you select TLSv1.2.) Use TLSv1.3 for traffic that supports TLSv1.3 (many mobile applications use certificate pinning, which prevents decryption when using TLSv1.3, so for these applications, use TLSv1.2).
SSL Forward Proxy: For Server Certificate Verification, block sessions with expired certificates, untrusted issuers, and unknown certificate status, and restrict certificate extensions. For Unsupported Mode Checks, block sessions with unsupported versions, unsupported cipher suites, and client authentication. For Failure Checks, blocking sessions if resources aren’t available is a tradeoff between the user experience (blocking may negatively affect the user experience) and potentially allowing dangerous connections. If you have to consider this tradeoff, also consider increasing the decryption resources available in the deployment.
SSL Inbound Inspection: For Unsupported Mode Checks, block sessions with unsupported versions and unsupported ciphers. For Failure Checks, the tradeoffs are similar to SSL Forward Proxy.
SSH Proxy: For Unsupported Mode Checks, block sessions with unsupported versions and unsupported algorithms. For Failure Checks, the tradeoffs are similar to SSL Forward Proxy.
Apply the No Decryption profile to traffic you choose not to decrypt because of regulations, compliance rules, or business reasons, except TLSv1.3 traffic (TLSv1.3 encrypts certificate information, so the firewall cannot block traffic based on certificate information). Block sessions with expired certificates and untrusted issuers.
STEP 4 | Configure traffic blocking rules to deny traffic you know is malicious or isn’t needed for business purposes.
Logging and monitoring block rules may reveal users and applications you didn’t know were on your network and that may be legitimate or may indicate an attack. The rule order in the Security policy rulebase is critical to prevent shadowing (traffic matching an allow or block rule before it can match the rule you intend the traffic to match). Some rules are almost the same but enable separate reporting for standard and non-standard ports or for user applications and applications from other sources. For each rule, configure Log at Session End on the Actions tab and set up Log Forwarding to track and analyze rule violations.
Block all applications from user zones on the application-default port. Place this rule after the rules that allow legitimate application traffic from user zones to identify unknown or unexpected user applications on standard ports.
Block all applications from user zones on any port to catch user traffic attempting to use non-standard ports. Place this rule after the preceding application-default block rule to identify unknown or unexpected user applications on non-standard ports, which may be custom applications or evasive applications.
Block applications you never want in your data center, such as evasive and commonly exploited applications and applications not required for business. Place this rule after the application allow rules so that, for example, you allow sanctioned file sharing applications before the Filesharing application filter blocks all other file sharing applications.
Block all applications from any zone on the application-default port to identify unexpected applications on standard ports. Rule matches may indicate potential threats or application changes that require modifying an allow rule. Place this rule after the application allow rules and the preceding block rule.
Block all applications from any zone on any port to identify unexpected applications on non-standard ports. Don’t allow unknown-tcp, unknown-udp, or non-syn-tcp traffic. Place this rule after the application allow rules and the preceding block rule.
Block unknown users attempting to run applications on any port to discover unknown users (gaps in User-ID coverage or attackers) and identify compromised devices (including embedded devices such as printers, card readers, and cameras). Place this rule after the application allow rules and the preceding block rule.
In addition to blocking unwanted, potentially malicious traffic, block the Quick UDP Internet Connections (QUIC) protocol unless, for business reasons, you want to allow encrypted browser traffic. Chrome and some other browsers establish sessions using QUIC instead of TLS, but QUIC uses proprietary encryption that the firewall can’t decrypt, so potentially dangerous traffic may enter the network as encrypted traffic. Block both the QUIC application and UDP ports 80 and 443 to force the browser to use TLS. First create a Service (Objects > Services) that includes UDP ports 80 and 443:
Use the Service to specify the UDP ports to block for QUIC. In the second rule, block the QUIC application so that the first two rules in your rulebase block QUIC:
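As an added illustration of the shadowing point in STEP 4 (this is example code, not from the Palo Alto Networks document), the following Python models first-match evaluation of a Security policy rulebase built from the two QUIC block rules, two of the user-zone allow rules, and the user-zone and any-zone block rules above, and statically flags any rule that an earlier rule shadows. Zone names, user-group names, rule names, and the App-ID default ports are constructed assumptions; the rulebase is a subset of the checklist’s rules, not the full set.

```python
from dataclasses import dataclass
from typing import List, Tuple

ANY = "any"


@dataclass(frozen=True)
class Rule:
    """One Security policy rule; a set containing ANY matches everything."""
    name: str
    action: str            # "allow" or "deny"
    src_zones: frozenset   # source zones
    apps: frozenset        # App-IDs
    service: str           # "application-default", ANY, or a service object like "udp/80,443"
    users: frozenset = frozenset({ANY})


@dataclass(frozen=True)
class Session:
    """A candidate session (constructed sample input); default_port is the App-ID's standard port."""
    src_zone: str
    app: str
    port: str          # e.g. "tcp/22"
    user: str          # user group, or "unknown" when User-ID has no mapping
    default_port: str


def _in(rule_set: frozenset, value: str) -> bool:
    return ANY in rule_set or value in rule_set


def _service_matches(service: str, s: Session) -> bool:
    if service == ANY:
        return True
    if service == "application-default":
        # application-default only matches the App-ID's standard port
        return s.port == s.default_port
    proto, ports = service.split("/")          # custom Service object, e.g. "udp/80,443"
    sproto, sport = s.port.split("/")
    return proto == sproto and sport in ports.split(",")


def matches(rule: Rule, s: Session) -> bool:
    return (_in(rule.src_zones, s.src_zone) and _in(rule.apps, s.app)
            and _in(rule.users, s.user) and _service_matches(rule.service, s))


def evaluate(rulebase: List[Rule], s: Session) -> Tuple[str, str]:
    """First-match evaluation, falling through to the predefined interzone-default deny."""
    for rule in rulebase:
        if matches(rule, s):
            return rule.name, rule.action
    return "interzone-default", "deny"


def _covers(earlier: frozenset, later: frozenset) -> bool:
    """True when every value the later set can match is also matched by the earlier set."""
    return ANY in earlier or (ANY not in later and later <= earlier)


def shadowed_rules(rulebase: List[Rule]) -> List[Tuple[str, str]]:
    """Static check: (rule, earlier rule) pairs where the earlier rule matches all the later one can."""
    found = []
    for i, later in enumerate(rulebase):
        for earlier in rulebase[:i]:
            if (_covers(earlier.src_zones, later.src_zones) and _covers(earlier.apps, later.apps)
                    and _covers(earlier.users, later.users)
                    and earlier.service in (ANY, later.service)):
                found.append((later.name, earlier.name))
                break
    return found


# Constructed rulebase in the order the checklist prescribes (rule, zone and group names are assumptions).
RULEBASE = [
    Rule("Block-QUIC-UDP", "deny", frozenset({ANY}), frozenset({ANY}), "udp/80,443"),
    Rule("Block-QUIC-App", "deny", frozenset({ANY}), frozenset({"quic"}), ANY),
    Rule("Allow-IT-Mgmt", "allow", frozenset({"L3-Users"}), frozenset({"rdp", "ssh", "ssl"}),
         "application-default", frozenset({"IT-Admins"})),
    Rule("Allow-Eng-Dev", "allow", frozenset({"L3-Users"}), frozenset({"ssh", "ssl", "web-browsing"}),
         "application-default", frozenset({"Eng-Dev"})),
    Rule("Block-User-Apps-Default", "deny", frozenset({"L3-Users"}), frozenset({ANY}), "application-default"),
    Rule("Block-User-Apps-AnyPort", "deny", frozenset({"L3-Users"}), frozenset({ANY}), ANY),
    Rule("Block-Any-Zone-App-Default", "deny", frozenset({ANY}), frozenset({ANY}), "application-default"),
    Rule("Block-Any-Zone-Any-Port", "deny", frozenset({ANY}), frozenset({ANY}), ANY),
]


def misordered_rulebase() -> List[Rule]:
    """The same rules with the user-zone application-default block moved ahead of the allow rules."""
    rules = list(RULEBASE)
    block = rules.pop(4)
    rules.insert(2, block)
    return rules


if __name__ == "__main__":
    s = Session("L3-Users", "ssh", "tcp/22", "IT-Admins", "tcp/22")
    print(evaluate(RULEBASE, s))                 # ('Allow-IT-Mgmt', 'allow')
    print(shadowed_rules(RULEBASE))              # []
    print(shadowed_rules(misordered_rulebase())) # both allow rules shadowed by the block rule
```

In the misordered rulebase the user-zone application-default block rule consumes the IT and engineering sessions before their allow rules are reached, which is exactly the shadowing the checklist’s placement instructions avoid.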
STEP 5 | Install Cortex XDR Agent on all data center endpoints to protect against malware and exploits on the endpoints.
Cortex XDR Agent protects all endpoints the same way, so the deployment process and malware protection policy best practices are the same for the data center as for any other network area.
Block access to external DNS servers at the internet gateway to prevent DNS traffic from going out on the internet to public servers.
Allow secured, privileged access to data center management interfaces for the necessary IT personnel. Restrict the rule to management interfaces (this example uses an address group to identify the devices and a custom service to identify the management ports) and the necessary applications, in this example, RDP, SSH, and SSL. Use a dedicated VLAN to separate management traffic from other traffic and place management interfaces on the same subnet.
If the same IT user group also manages switches, routers, and other data center devices, add them to the destination and add their ports to the custom service so the rule secures traffic for connections to their management interfaces. If different IT groups manage different data center resources, create separate Security policy rules and corresponding Decryption and Authentication policy rules for each group.
Allow required access for employee user groups. These rules limit each user group’s (or user’s) access to the necessary applications and servers. This example limits an engineering user group’s access to only its development servers and applications.
Allow targeted, limited access to contractors, partners, customers, and other third parties. This example limits access for an SAP contractor group so the group can reach only the appropriate SAP database servers, using only the appropriate applications.
STEP 2 | Create Authentication policy rules for user traffic to authenticate data center access.
For each user group or user for whom you create application allow rules, create an analogous Authentication rule (except the DNS allow rule, because DNS occurs before users authenticate to log in). For each rule, configure Log at Session End on the Actions tab and set up Log Forwarding to track and analyze rule violations.
Authenticate users who need specialized access. This example authenticates the IT personnel who need secure privileged access to manage data center servers from the preceding step’s allow rule. Because compromising the credentials of a privileged user hands an attacker the keys to your data center kingdom, require Multi-Factor Authentication (MFA) to protect against stolen credentials.
If the same IT user group also manages switches, routers, and other data center devices, add them to the destination and add their ports to the custom service so the rule authenticates traffic for connections to their management interfaces. If different IT groups manage different data center resources, create separate Security policy rules and corresponding Decryption and Authentication policy rules for each group.
Authenticate employees with legitimate business reasons to access the data center. This example authenticates the engineering development user group from the preceding step’s allow rule.
STEP 3 | Create Decryption policy rules for user traffic to decrypt traffic you allow so the firewall can see, inspect, and apply Security policy to the traffic.
For each Decryption policy rule, apply the appropriate best practice Decryption profile (SSL Inbound Inspection, SSL Forward Proxy, SSH Proxy, or No Decryption, including best practice SSL Protocol Settings for SSL Inbound Inspection and SSL Forward Proxy rules) to block weak protocols and algorithms and to verify server certificates. For each SSL Inbound Inspection rule, import the certificate of the data center server you are protecting with decryption.
Decrypt traffic from the previously created Security policy rule that allows IT privileged access to management servers. The Decryption policy rule and its associated Decryption profile differ depending on whether the IT group uses SSL (SSL Forward Proxy Decryption profile) or SSH (SSH Proxy Decryption profile) to access management ports.
If the same IT user group also manages data center switches, routers, and other devices, add them to the destination and add the server certificates so the rule decrypts traffic for connections to their management interfaces. If different IT groups manage different sets of data center resources, create separate, tight Security policy rules and corresponding Decryption and Authentication policy rules for each group.
Configure SSL Inbound Inspection to decrypt allowed traffic from employee user groups. This example decrypts traffic from the analogous engineering development user group allow rule.
Configure SSL Inbound Inspection to decrypt allowed traffic from contractors, partners, customers, and other third parties. This example decrypts traffic from the analogous SAP contractor user group allow rule.
Apply a No Decryption profile to configure server verification for traffic that you choose not to decrypt because of business, regulatory, compliance, or other reasons, such as financial, health, or government traffic. This example shows how to exclude two groups of finance users from decryption when they access servers in the Fin Servers address group.
Create similar rules for traffic from the internet to other server groups (if allowed) and other applications. Make each rule specific to limit access to only the required applications and servers.
STEP 2 | Create Decryption policy rules for internet-to-data-center traffic to decrypt allowed traffic.
Configure SSL Inbound Inspection (and import the destination server certificates into the firewall) to decrypt partner, contractor, and customer traffic that Security policy rules allow for internet-to-data-center traffic. This example shows the Decryption policy for the preceding Security policy rule.
Create Decryption rules to match traffic that internet-to-data-center Security policy rules allow.
STEP 3 | Create internet-to-data-center DoS Protection policy rules to protect sensitive servers from Denial-of-Service (DoS) attacks by limiting the number of connections-per-second (CPS) the firewall allows to the servers to prevent a SYN flood attack.
Attackers target the web server tier because if they take it down, they prevent most legitimate access to the data center. Apply a classified DoS Protection policy rule with a DoS Protection profile that limits the incoming CPS to prevent traffic spikes that can affect server performance and availability.
Create a classified DoS Protection profile to protect the web server tier and prevent SYN flood attacks. The CPS thresholds you set depend on the baseline peak CPS rate.
Create a DoS Protection policy rule to specify the web servers you’re protecting and apply the classified DoS Protection profile to it.
To protect against SYN flood attacks from internal sources, create a separate DoS Protection policy rule that specifies your internal zones as the source zone instead of L3-External. Separate rules for external and internal attack sources provide separate reporting that makes investigating attack attempts easier.
In addition, configure Packet Buffer Protection for each data center zone to protect the firewall from single-session DoS attacks that can cause legitimate traffic to drop.
addition, use the File Blocking profile’s Direction control to block outbound update files so you only allow downloading for software update files.
For each rule, apply best practice Security profiles and configure Log at Session End on the Actions tab.
Work with engineering and other groups that update software to log and analyze web browsing sessions to define the URLs to which developers connect for updates.
These examples allow engineering servers to communicate with CentOS update servers (CentOS-Update-Servers custom URL Category) using the yum application and with Microsoft update servers (Win-Update-Servers custom URL Category) using the ms-update application (you must also allow ssl because ms-update has a dependency on SSL).
Allow access to DNS and NTP updates (NTP DNS Update Servers custom URL Category).
STEP 2 | Create data-center-to-internet Decryption policy rules to decrypt the traffic allowed in the preceding Security policy rules.
A compromised update server could download malware and propagate it through the software update process, so decrypting traffic to gain visibility is critical. Because only service accounts initiate update traffic and update traffic has no personal or sensitive information, there are no privacy issues.
Don’t decrypt traffic to OCSP certificate revocation servers because the traffic usually uses HTTP, so it’s not encrypted. In addition, SSL Forward Proxy decryption may break the update process because the firewall acts as a proxy and replaces the client certificate with a proxy certificate, which the OCSP responder may not accept as valid.
Decrypt traffic between data center and update servers. These two examples decrypt the CentOS and Windows update traffic allowed by the analogous Security policy rules in the preceding step.
Decrypt traffic between data center servers and NTP and DNS update servers. This example decrypts the update traffic allowed by the analogous Security policy rule in the preceding step.
applications to prevent misuse. For each rule, configure Log at Session End on the Actions tab and set up Log Forwarding to track and analyze rule violations.
This example configures rules that allow traffic between application server tiers for two proprietary internal finance applications for which we created custom applications: Billing-App and Payment-App.
Allow finance application traffic between the web server tier and the application server tier.
Allow finance application traffic between the application server tier and the database server tier.
STEP 2 | Create intra-data-center Decryption policy rules to decrypt the traffic allowed in the preceding Security policy rules.
The data center is a perfect place for attackers to hide because many people think the data center is safe and don’t look for intruders. But the same basic tenet that’s true in the rest of the network holds true in the data center: you can’t protect yourself against what you can’t see. Decrypt encrypted data center traffic so that the firewall can inspect traffic, control access, make threats visible, and protect your valuable assets.
Not all data center traffic is encrypted. Don’t spend resources to decrypt unencrypted (cleartext) traffic.
• This rule decrypts traffic flowing between the web server tier and the application server tier for the Finance department’s billing servers.
• This rule decrypts the traffic flowing between the application server tier and the database server tier for the Finance department’s billing servers.
Order the Data Center Security Policy Rulebase shows the full rulebase from the previous examples (allow and block rules) in the correct order and explains each rule’s placement.
STEP 3 | Create custom reports to monitor the block rules, which protect against potential attacks and also identify policy gaps and unexpected behaviors so you can tune the rulebase.
STEP 4 | Create a custom report to log intra-data-center traffic that matches the predefined intrazone-default allow rule at the bottom of the rulebase, which allows all traffic within the same zone by default.
STEP 5 | Enable logging on and create a custom report for data center traffic that matches the predefined interzone-default rule at the bottom of the rulebase, which denies all traffic between zones by default.
STEP 7 | Periodically compare the baseline measurements you took during the planning stage to the current measurements to evaluate progress, identify changes, and find areas of improvement. At the same time, revisit your goal for the ideal future state of the network to assess progress. If you manage firewalls with Panorama, monitor firewall health to compare devices to their baseline performance and to each other to identify deviations from normal behavior.
STEP 8 | Evolve application allow rules over time because applications evolve, user requirements change, and content updates modify existing App-IDs and introduce new App-IDs.
Maintain the data center best practice rulebase and review new and modified App-IDs before you install a new content release so you can modify the rulebase if the changes impact policy.
STEP 9 | Use Palo Alto Networks assessment and review tools to assess your current prevention posture and your adoption of best practices.
STEP 10 | Refer to the full Data Center Best Practice Security Policy for details about each planning, deployment, and post-deployment step and how they benefit you.
Data Center Best Practice Security Policy
Your enterprise’s most valuable assets reside in your data center, including proprietary source code, intellectual property, and sensitive company and customer data. Your customers and employees trust you to maintain the confidentiality of their sensitive data and expect your data center to be always available because they expect their data to be always available. It’s important for the integrity and success of your business to implement a data center best practice security policy that safeguards your data and prevents successful attacks.
The following methods and recommendations provide a blueprint for planning, designing, and implementing a data center best practice security policy in a phased, prioritized manner. Creating a data center best practice security policy may be a daunting task if you try to implement every protection on every area of your network at one time. However, if you evaluate what is most important to protect and begin implementing your data center best practice security policy by defending your most valuable assets first, you can transition gradually to a security policy that allows you to safely enable applications, users, and content without taking undue risks.
The Data Center Security Policy Best Practices Checklist provides an overview of pre-deployment, deployment, and post-deployment best practices, and a way to implement best practices more quickly if you don’t need detailed explanations.
> What Is a Data Center Best Practice Security Policy?
> Why Do I Need a Data Center Best Practice Security Policy?
> Data Center Best Practice Methodology
> How Do I Deploy a Data Center Best Practice Security Policy?
> How to Assess Your Data Center
> How to Decrypt Data Center Traffic
> Create a Data Center Segmentation Strategy
> How to Create Data Center Best Practice Security Profiles
> Use Cortex XDR Agent to Protect Data Center Endpoints
> Create Data Center Traffic Block Rules
> Define the Initial User-to-Data-Center Traffic Security Policy
> Define the Initial Internet-to-Data-Center Traffic Security Policy
> Define the Initial Data-Center-to-Internet Traffic Security Policy
> Define the Initial Intra-Data-Center Traffic Security Policy
> Order the Data Center Security Policy Rulebase
> Log and Monitor Data Center Traffic
> Maintain the Data Center Best Practice Rulebase
> Use Palo Alto Networks Assessment and Review Tools
If an attacker steals the legitimate access credentials of a partner, the attacker can access your
data center disguised as a legitimate user. Then, from the “soft, chewy interior” of your network,
the attacker can use your internal servers and endpoints to move laterally through the network
and compromise critical systems. Once an outside adversary breaches the network, you rely on
network and user segmentation and layered defenses inside the network to protect your data, the
same as when an attack originates from the inside.
Developing a best practice security policy helps protect your data center from attacks regardless
of origin, in a staged and prioritized manner, securing the most valuable assets first and then
Inspect All Traffic to Gain Complete Visibility
Seeing network traffic enables you to identify the presence of attackers.
Inspect traffic to see the users, applications, and content that flow into,
through, and out of the data center:
• Deploy next-generation firewalls in positions where they can inspect all
of the network traffic. Don’t allow traffic to flow into the data center or
between network segments without positioning a firewall to examine the
traffic.
• Enable SSL decryption on all traffic entering or exiting the data center,
unless regulations or compliance rules require you to except categories
such as health, finance, government, or military. You must see threats to
protect your network against them. Because more than 50 percent of a
typical network’s traffic is encrypted and that percentage is rising, if you
don’t decrypt traffic, you can’t completely protect your network.
• Use App-ID to identify applications, and create custom applications for
proprietary applications, so that the firewall can identify and categorize
those applications appropriately and apply the correct security policy rule.
This is especially important for older legacy applications that are otherwise
categorized as “web-browsing” or “unknown-tcp” instead of being correctly
categorized.
• If you have existing Application Override policies that you created solely
to define custom session timeouts for a set of ports, convert them to
application-based policies: configure service-based session timeouts to
maintain the custom timeout for each application, and then migrate each
rule to an application-based rule.
Application Override policies are port-based. When you use Application
Override policies to maintain custom session timeouts for a set of ports,
you lose application visibility into those flows, so you neither know nor
control which applications use the ports. Service-based session timeouts
achieve custom timeouts while also maintaining application visibility.
• Enable User-ID on all traffic entering or exiting the data center to map
application traffic and associated threats in its content to users and
services. You enable User-ID on network segments (zones), so you must
segment the network to enable User-ID. Segmenting the network is a best
practice for gaining visibility and reducing the attack surface.
• Deploy GlobalProtect in internal mode as a gateway to control access to
the data center. GlobalProtect checks user information to verify users, and
host information to verify that host security is up-to-date, by comparing
the host information to HIP objects and profiles that you define. This
Reduce the Attack Surface
The attack surface is all of the points of network interaction, both hardware
and software, including applications, content, and users, along with servers,
switches, routers, and other physical and virtual equipment. Reducing the
attack surface leaves fewer vulnerabilities for attackers to target. The more
you reduce the attack surface, the harder it is to breach the network.
• Assess your data center so that you know the applications, content, and
users on the network.
• Use positive security enforcement by creating application-based security
policy rules that allow only applications with a legitimate business use
on the network and rules to block all high-risk applications that have no
legitimate use case.
• Use the information from assessing the environment to create a strategy
that segments the network into zones based on business requirements,
common functionality, and global policy requirements, so that the
resources in each zone need the same security level. Inside the data center,
segment application tiers such as databases, web servers, application
servers, development servers, and production servers into zones.
Segmentation enables you to see traffic between different application tiers
because the traffic must traverse a firewall when it flows between zones.
Granular segmentation enables you to construct security policy rules
that focus on the business requirements of each zone and provide the
appropriate protection to each segment. Segmentation also helps stop
lateral movement of malware into and within the data center because the
combination of App-ID, Content-ID (threat prevention), and User-ID enables
you to identify the traffic that should be allowed access and deny the rest.
• Deploy GlobalProtect in internal mode as a gateway to control access to
the data center.
• To further reduce the attack surface, on security policy rules that allow
application traffic, apply File Blocking profiles to block malicious and
risky file types. Prevent credential-based breaches by using the firewall’s
Authentication policy to enable Multi-Factor Authentication, so that even
if attackers succeed in stealing credentials, they won’t succeed in accessing
the data center network.
Prevent Known Threats
Security profiles attached to Security policy allow rules scan traffic for known
threats such as viruses, spyware, application-layer vulnerability exploits,
malicious files, and more. The firewall applies an action such as allow, alert,
drop, block IP, or a connection reset to those threats based on the security
profile configuration.
Follow content update best practices and install content updates as soon as
possible after downloading them to update the security profiles and apply
the latest protections to your data center. Security profiles are fundamental
protections that are easy to apply to security policy rules.
External dynamic lists (EDLs) also protect against known threats. EDLs
import lists of malicious and risky IP addresses, URLs, or domains into the
firewall to prevent known threats. EDLs come from trusted third parties, from
predefined EDLs on the firewall, and from custom EDLs that you create. EDLs
are updated dynamically on the firewall without requiring a commit.
Preventing known threats is another reason that enabling decryption is
important. If you can’t see a threat, it doesn’t matter whether you know about
it; you can still be victimized by it.
Prevent Unknown Threats
How do you detect a threat nobody has seen before? The answer is to
forward all unknown files to WildFire for analysis.
WildFire identifies unknown or targeted malware. The first time a firewall
detects an unknown file, the firewall forwards the file to its internal
destination and also to the WildFire cloud for analysis. WildFire analyzes
the file (or a link in an email) and returns a verdict to the firewall in as little
as five minutes. WildFire also includes a signature that identifies the file,
transforming the unknown file to a known file. If the file contained a threat,
the threat is now known. If the file is malicious, the next time the file arrives
at the firewall, the firewall blocks it.
You can check verdicts in the WildFire Submissions logs (Monitor > Logs
> WildFire Submissions). Set up WildFire appliance content updates to
download and install automatically every minute so that you always have the
most recent support. For example, support for Linux and SMB files was first
delivered in WildFire appliance content updates.
In addition:
• Manage firewalls centrally with Panorama to consistently enforce policy across physical and
virtual environments and for centralized visibility.
• Use positive security enforcement to allow traffic you want on your data center network and
deny the rest.
• Create a standardized, scalable design that you can replicate and apply consistently across data
centers.
• Get buy-in from executives, IT and data center administrators, users, and other affected parties.
Phase in next-generation security by focusing on the most likely threats to your particular
business and network, and then determine the most important assets to protect and protect them
first. Ask the following questions to help prioritize the assets to protect first:
1. What makes our company what it is? What properties define and differentiate your company,
and what assets map to those properties? Assets that relate to your company’s proprietary
competitive advantages should be high on the protection priority ladder. For example, a
software development company would prioritize its source code, or a pharmaceutical company
would prioritize its drug formulas.
2. What keeps the enterprise in business? Which systems and applications do you need to support
the daily operation of the company? For example, your Active Directory (AD) service provides
employee access to applications and workstations. Compromising your AD service gives an
attacker access to all accounts within your enterprise, which gives the attacker full access to
your network. Other examples include critical IT infrastructure such as management tools and
authentication servers, and servers that house the most critical data for business operations.
3. If I lost this asset, what would happen? The worse the consequences of losing an asset, the
higher the priority to protect that asset. For example, the user experience may differentiate
a service company, so protecting that experience is high priority. Proprietary processes and
equipment may differentiate a manufacturing company, so protecting the intellectual property
and proprietary designs is high priority. Create a priority list to define what to protect first.
Define the ideal future state of your data center network and work in phases to achieve it.
Periodically revisit your definition to account for changes in your business, new regulatory and
legal requirements, and new security requirements.
practice Security policy prevents attackers from moving laterally through the data center and
compromising more systems or exfiltrating data.
Log and Monitor Data Center Traffic—Logging and monitoring allowed and blocked traffic
provides information at all stages of the transition to and maintenance of your data center best
practice security policy. It reveals the applications, users, and traffic patterns on your network,
including those you may not have known were there. This information helps you investigate
potential security issues.
Maintain the Data Center Best Practice Rulebase—Continually monitor your application
allow list so that you can adapt your rules to accommodate new sanctioned applications and
determine how new or modified App-IDs impact your policy.
Order the Data Center Security Policy Rulebase summarizes the Security policy rulebase.
Your initial application inventory doesn’t need to identify every application because
by monitoring the block rules that you configure for the data center best practice
security rulebase, you’ll discover the applications you haven’t identified. Focus
on inventorying the applications and application types that you want to allow.
When you finish developing the application allow list, all applications that you don’t
explicitly allow are denied.
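The script below is an added illustration, not part of this guide or of PAN-OS. It simulates first-match evaluation of a positive-enforcement rulebase of the kind described here (application-based allow rules between zones, followed by a block rule for the data center zones) over a handful of constructed sessions, and then reports what the block rule caught, grouped the way you would read them in the Traffic log. It also flags hits whose App-ID is a generic one such as web-browsing or unknown-tcp, which is the signal that a legacy application needs a custom App-ID. The zones, rule names, user groups, applications, and sessions are all hypothetical, and the matcher models only zone, user group, and application matching (no services, addresses, or Security profiles).

```python
"""Simulate first-match evaluation of a positive-enforcement Security policy
rulebase and report what the block rule catches, so that applications the
inventory missed surface from the block-rule logs.

Added illustration, not Palo Alto Networks code: zones, rules, user groups and
sessions are constructed, and the matcher models only zone, user-group and
application matching (no services, addresses, or Security profiles)."""
from collections import Counter

# App-IDs that mean the firewall did not identify the real application. A hit
# on a block rule with one of these is a candidate for a custom App-ID.
GENERIC_APP_IDS = {"web-browsing", "ssl", "unknown-tcp", "unknown-udp"}

# Hypothetical rulebase in evaluation order: tier-to-tier allow rules first,
# then one explicit block rule for the data center zones.
RULEBASE = [
    {"name": "users-to-web-tier", "from": {"users"}, "to": {"dc-web"},
     "groups": {"any"}, "apps": {"web-browsing", "ssl"}, "action": "allow"},
    {"name": "web-to-app-tier", "from": {"dc-web"}, "to": {"dc-app"},
     "groups": {"any"}, "apps": {"ssl", "soap"}, "action": "allow"},
    {"name": "app-to-db-tier", "from": {"dc-app"}, "to": {"dc-db"},
     "groups": {"any"}, "apps": {"mssql-db", "postgres"}, "action": "allow"},
    {"name": "dba-to-db-tier", "from": {"users"}, "to": {"dc-db"},
     "groups": {"dba"}, "apps": {"mssql-db"}, "action": "allow"},
    {"name": "block-dc", "from": {"any"}, "to": {"dc-web", "dc-app", "dc-db"},
     "groups": {"any"}, "apps": {"any"}, "action": "deny"},
]

# Constructed sessions. "group" is None for server-originated traffic, where
# User-ID has no user to map.
SESSIONS = [
    {"from": "users", "to": "dc-web", "group": "marketing", "app": "web-browsing"},
    {"from": "dc-web", "to": "dc-app", "group": None, "app": "soap"},
    {"from": "dc-app", "to": "dc-db", "group": None, "app": "mssql-db"},
    {"from": "users", "to": "dc-db", "group": "dba", "app": "mssql-db"},
    {"from": "users", "to": "dc-db", "group": "marketing", "app": "mssql-db"},  # no business need
    {"from": "users", "to": "dc-app", "group": "engineering", "app": "unknown-tcp"},  # legacy app?
    {"from": "dc-web", "to": "dc-db", "group": None, "app": "ms-ds-smb"},  # tier bypass
    {"from": "users", "to": "dc-app", "group": "engineering", "app": "unknown-tcp"},
]


def _matches(rule_values, value):
    """A rule field matches when it is "any" or contains the session's value."""
    return "any" in rule_values or value in rule_values


def match_rule(session, rulebase=RULEBASE):
    """Return the first rule matching the session (first match wins), or None
    for the implicit deny that follows the last explicit rule."""
    for rule in rulebase:
        if (_matches(rule["from"], session["from"])
                and _matches(rule["to"], session["to"])
                and _matches(rule["groups"], session["group"])
                and _matches(rule["apps"], session["app"])):
            return rule
    return None


def evaluate(sessions, rulebase=RULEBASE):
    """Evaluate sessions and return (decisions, blocked, custom_appid_candidates).

    decisions: list of (rule name, action) in session order.
    blocked: Counter keyed by (rule, app, from zone, to zone) for denied sessions,
             i.e. what you would see by filtering the Traffic log on the block rules.
    custom_appid_candidates: Counter of generic App-IDs that hit a block rule."""
    decisions, blocked, candidates = [], Counter(), Counter()
    for s in sessions:
        rule = match_rule(s, rulebase)
        name = rule["name"] if rule else "implicit-deny"
        action = rule["action"] if rule else "deny"
        decisions.append((name, action))
        if action == "deny":
            blocked[(name, s["app"], s["from"], s["to"])] += 1
            if s["app"] in GENERIC_APP_IDS:
                candidates[s["app"]] += 1
    return decisions, blocked, candidates


if __name__ == "__main__":
    decisions, blocked, candidates = evaluate(SESSIONS)
    for s, (name, action) in zip(SESSIONS, decisions):
        print(f"{s['from']:>7} -> {s['to']:<6} {str(s['group']):<12} "
              f"{s['app']:<13} {action:<5} ({name})")
    print("\nblock-rule hits to review:")
    for (rule, app, src, dst), n in blocked.items():
        print(f"  {rule}: {app} {src}->{dst} x{n}")
    print("generic App-IDs needing a custom App-ID:", dict(candidates))
```

Run as a script, the output lists every session with the rule it matched, then the block-rule hits: the marketing user reaching for the database tier, the web tier talking SMB straight to the database tier (a tier bypass that segmentation should never allow), and the two unknown-tcp sessions from engineering, which is the case where you would build a custom App-ID and then add an allow rule for it rather than widening the block rule.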
applications, and reuse an application group in multiple security policy rules. For example,
an application group designed for data center storage applications may include applications
such as crashplan, ms-ds-smb, and NFS.
• Inventory the service accounts that applications use to communicate between servers and
within servers inside the data center. A best practice is to use one service account for each
function instead of using one service account for multiple functions. This limits access to
the service account and makes it easier to understand how the service account was used if a
system is compromised. Another best practice is to identify service accounts that are
hard-coded into the application so that you can write IPS signatures against them and
monitor the use of the accounts.
2. Characterize data center traffic—Characterize and map data center traffic to understand how
data flows across your network and between users and resources. Engage a cross-functional
team that includes application architects, network architects, enterprise architects, and
business representatives. Characterizing the traffic flows informs you about network traffic
sources and destinations and typical traffic patterns and loads, helps you understand the
traffic on your network, and helps you prioritize the most important traffic to protect. Use
Application Command Center widgets, Panorama’s firewall health monitoring features, and
other methods to understand the normal (baseline) traffic patterns, which helps you recognize
abnormal traffic patterns that may indicate an attack.
3. Assess data center segmentation—Segment data center server tiers so that communication
between different server tiers must pass through the next-generation firewall to be decrypted,
examined, and protected by the best practice security policy, and so that communication from
the user population or the internet passes through a next-generation firewall. Outside the
data center, understand which zones can communicate with each data center zone, and then
determine which zones should be allowed to communicate with each data center zone.
4. Assess user population segmentation and determine who should have access to the data
center—Map users to groups to segment the user population so that you can more easily
control access to sensitive systems. For example, users in the Product Management group
should not be able to access finance or human resource systems. In Active Directory (or
whatever system you use), create granular groups of users based on the access level the
users require for legitimate business purposes so that you can control access to systems and
applications. This includes different employee groups as well as different contractor, partner,
customer, and vendor groups, grouped by the level of access needed.
Reduce the attack surface by creating user groups based on access requirements rather than
just functionality, and grant only the appropriate level of application access to each group.
Within a functional area such as Marketing or Contractors, create multiple user groups mapped
to application access requirements.
5. Continuously monitor the data center network—Log and Monitor Data Center Traffic to reveal
gaps in the data center best practice security policy, to expose unusual traffic patterns or
unexpected access attempts that may indicate an attack, and to diagnose application issues.
A helpful method for evaluating assets is grouping assets. Identify your most valuable assets that
need to be protected first, and identify the assets that you can iterate on after protecting those
assets. Prioritize the order in which to protect the assets in each category. Organize assets in the
way that makes the most sense for your particular business. The following table shows you some
possibilities, but it’s not comprehensive. Also consider legal compliance requirements to protect
data such as passwords, personal information, and financial information when prioritizing which
assets to protect first.
Asset priority is unique to each business. For a service company, the user experience may
differentiate the business from other businesses, so the most valuable assets may be assets that
ensure the best user experience. For a manufacturing company, the most valuable assets may be
proprietary processes and equipment designs. Considering the consequences of losing an asset is
a good way to figure out which assets to protect first.
Decrypting traffic consumes firewall resources. The amount of traffic to decrypt varies
with each data center. When sizing the firewall deployment to maintain acceptable
performance while supporting decryption, take into account the amount of traffic you
expect to decrypt (some applications must be decrypted while other applications aren’t
encrypted and don’t need to be decrypted), the decryption cipher (stronger, more complex
ciphers require more processing power to decrypt), the size of the keys (larger keys
consume more decryption resources), the type of key exchange (for example, PFS key
exchanges such as DHE and ECDHE consume more processing resources than RSA key
exchanges), and the capacity of the firewalls. Work with your Palo Alto Networks sales team
and representatives to size the firewall deployment appropriately for your particular network
so that you can decrypt traffic and expose threats.
Companies with businesses such as banking that require extremely strong security for their
private keys can use a third-party hardware security module (HSM) to safeguard and manage the
company’s private key instead of storing it on the firewall.
• Create the Data Center Best Practice Decryption Profiles
• Exclude Unsuitable Traffic from Data Center Decryption
STEP 2 | Configure the SSL Decryption > SSL Protocol Settings to block vulnerable SSL/TLS versions
such as TLSv1.0, TLSv1.1, and SSLv3, and to avoid weak encryption algorithms such as RC4
and 3DES, and weak authentication algorithms such as MD5 and SHA1.
SSL Protocol Settings apply to all decrypted traffic.
Set the protocol Min Version to TLSv1.2 and the Max Version to Max to block weak protocols.
Use the strongest TLS protocol that you can. Create separate Decryption policies and profiles
to maximize security. For example, if legacy sites you need for business purposes only support
weaker protocols, create a separate Decryption profile to allow the weaker protocol and apply
it in a Decryption policy only to sites that don’t support at least TLSv1.2. This also applies to
necessary business sites that don’t support strong algorithms and for different URL Categories
to fine tune security vs. performance.
If the site doesn’t house a legitimate business application, don’t weaken your security posture
to support the site—weak protocols and ciphers contain known vulnerabilities that attackers
can exploit. If the site belongs to a category of sites that you don’t need for business purposes,
use URL Filtering to block access to the entire category. Don’t support weak protocols or weak
Many mobile applications use pinned certificates. Because TLSv1.3 encrypts certificate
information, the firewall can’t automatically add these mobile applications to the SSL
Decryption Exclusion List. For these applications, ensure that the Decryption profile
Max Version is set to TLSv1.2 or apply a No Decryption policy to the traffic.
STEP 3 | Configure the SSL Decryption > SSL Forward Proxy settings for outbound traffic to block
exceptions during TLS negotiation and block sessions that can’t be decrypted.
In some cases, the best practice settings depend on your company’s security compliance rules.
Apply the SSL Forward Proxy Decryption profile to Decryption policy rules that control outbound
traffic.
Block exceptions during TLS negotiation and block sessions that can’t be decrypted.
• Server Certificate Verification—Whether to check the Block sessions on certificate status
check timeout box depends on your company’s security compliance stance because
it’s a tradeoff between tighter security and a better user experience. Certificate status
verification examines the Certificate Revocation List (CRL) on a revocation server or uses
Online Certificate Status Protocol (OCSP) to find out if the issuing CA has revoked the
certificate and the certificate should not be trusted. However, revocation servers can be
slow to respond, which can cause the session to time out and the firewall to block the
session even though the certificate may be valid. If you Block sessions on certificate status
check timeout and the revocation server is slow to respond, you can use Device > Setup
> Session > Decryption Settings and click Certificate Revocation Checking to change the
default timeout value of five seconds to another value.
Enable both CRL and OCSP certificate revocation checking because server certificates can
contain the CRL URL in the CRL Distribution Point (CDP) extension or the OCSP URL in the
Authority Information Access (AIA) certificate extension.
Although the best practice is to use a proper certificate, some certificates leave the Subject
Alternative Name (SAN) field blank, which can cause firewalls to reject those certificates.
Check Append certificate’s CN value to SAN extension to automatically copy the certificate’s
Common Name (CN) into the SAN field if the SAN field is blank, so that if you do business with
sites that don’t populate the certificate’s SAN field, you can accept their certificates. Otherwise,
the sites need to regenerate their certificates to conform to proper practice and populate the
SAN field.
Block all other server certificate verification exceptions.
• Unsupported Mode Checks—If you don’t block sessions with unsupported versions and
unsupported cipher suites, then users receive a warning message that they can click through
to reach the risky website. The reason you configure tight SSL Protocol Settings is to block
and protect you from servers that use these weak (risky) protocol versions and algorithms.
In addition, blocking sessions with unsupported mode checks protects you from malicious
backdoors and other threats that use custom and non-standard encryption to obfuscate
their activities.
Block sessions with client authentication enables you to choose whether to allow or block
sessions that use client authentication. Although server authentication can be the only
authentication used to establish a session, some sites use mutual authentication, where
both the server and the client authenticate to establish a session. Client authentication
using an X.509 digital certificate is similar to server authentication in that both methods
use a digital certificate issued by a trusted Certificate Authority to authenticate a session.
The client certificate acts as a digital identifier for the client, resides on the client device,
and can’t be ported to other devices. However, client authentication prevents the
firewall from decrypting the session because the firewall needs both the client and server
certificates to perform bi-directional decryption, but the firewall only knows the server
certificate. This breaks decryption for client authentication sessions.
If you don’t enable Block sessions with client authentication, when the firewall attempts to
decrypt a session that uses client authentication, the firewall allows the session and adds
an entry in its local decrypt exclude cache that contains the server URL/IP address, the
application, and the Decryption profile. Entries remain in the cache for 12 hours and then
age out. If the same user or a different user attempts to access the server within 12 hours
using client authentication, the firewall matches the session to the decrypt exclude cache
entry, does not attempt to decrypt the traffic, and allows the encrypted session.
If the exclude cache becomes full, the firewall purges the oldest entries as new entries
arrive. If you change the Decryption policy or profile, the firewall flushes the exclude cache
because changing the policy or profile can change the classification outcome of the session.
If you enable Block sessions with client authentication, the firewall blocks sessions that
use client authentication, with the exception of sessions from sites on the SSL Decryption
Exclusion list (Device > Certificate Management > SSL Decryption Exclusion).
You may need to allow traffic on your network from other sites that use client
authentication in addition to the Predefined sites on the SSL Decryption Exclusion list.
Create a Decryption profile that allows sessions with client authentication. Add it to a
Decryption policy rule that applies only to the server(s) that house the application. To
increase security even more, you can require Multi-Factor Authentication to complete the
user login process.
For all other traffic, apply the Decryption profile that blocks sessions with client
authentication.
• Failure Checks—If you don’t Block sessions if resources not available, the risk is that a
lack of processing resources may allow potentially dangerous connections. If you block
sessions for which resources aren’t available, it may affect the user experience. Whether to
implement failure checks depends on your company’s security compliance stance and the
importance to your business of the user experience, weighed against tighter security.
If you use a Hardware Security Module (HSM) to store your private keys, whether you check
Block sessions if HSM not available depends on your compliance rules about where the
private key must come from and how you want to handle encrypted traffic if the HSM isn’t
available. For example, if your company mandates the use of an HSM for private key signing,
then block sessions if the HSM isn’t available. However, if your company is less strict about
this, then you can consider not blocking sessions if the HSM isn’t available. (If the HSM is
down, the firewall can process decryption for sites for which it has cached the response
from the HSM, but not for other sites.) The best practice in this case depends on your
company’s policies. If the HSM is critical to your business, run the HSM in a high-availability
(HA) pair (PAN-OS 8.0 supports two members in an HSM HA pair).
• Block downgrade on no resource—Prevents the firewall from downgrading TLSv1.3 to
TLSv1.2 if the firewall has no available TLSv1.3 processing resources. If you block the
downgrade, then when the firewall runs out of TLSv1.3 resources, it drops traffic that uses
TLSv1.3 instead of downgrading it to TLSv1.2. If you don’t block downgrade, then when
the firewall runs out of TLSv1.3 resources, it downgrades to TLSv1.2. However, blocking
downgrade when resources aren’t available may affect the user experience by making
sites that users normally can reach temporarily unreachable. Whether to implement this
failure check depends on your company’s security compliance stance and the importance
of the user experience, weighed against tighter security. You may want to create a separate
Decryption policy and profile to govern decryption for sensitive traffic for which you don’t
want to downgrade the TLS version.
STEP 4 | Configure the SSL Decryption > SSL Inbound Inspection settings to inspect traffic from an
external client to your internal servers and block suspicious sessions.
Apply the SSL Inbound Inspection Decryption profile to Decryption policy rules that control
inbound traffic.
• Unsupported Mode Checks—The firewall can’t decrypt session versions and ciphers that the
firewall doesn’t support. To prevent attackers from using unsupported versions and ciphers
to sneak onto the network, block session versions and cipher suites that the firewall doesn’t
support. In addition, blocking sessions with unsupported mode checks protects you from
malicious backdoors and other threats that use custom and non-standard encryption to
obscure their activities.
On the server, enable only the ciphers that you support on the firewall. Ensuring this
compatibility makes the negotiation between the client and the server smoother.
• Failure Checks—If you don’t Block sessions if resources not available, the risk is that a
lack of processing resources may allow potentially dangerous connections. If you block
sessions for which resources aren’t available, it may affect the user experience. Whether to
implement failure checks depends on your company’s security compliance stance and the
importance to your business of the user experience, weighed against tighter security.
If you use a Hardware Security Module (HSM) to store your private keys, whether you check
Block sessions if HSM not available depends on your compliance rules about where the
private key must come from and how you want to handle encrypted traffic if the HSM isn’t
available. For example, if your company mandates the use of an HSM for private key signing,
then block sessions if the HSM isn’t available. However, if your company is less strict about
this, then you can consider not blocking sessions if the HSM isn’t available. (If the HSM is
down, the firewall can process decryption for sites for which it has cached the response
from the HSM, but not for other sites.) The best practice in this case depends on your
company’s policies. If the HSM is critical to your business, run the HSM in a high-availability
(HA) pair (PAN-OS 8.0 supports two members in an HSM HA pair).
• Block downgrade on no resource—Prevents the firewall from downgrading TLSv1.3 to
TLSv1.2 if the firewall has no available TLSv1.3 processing resources. If you block the
downgrade, then when the firewall runs out of TLSv1.3 resources, it drops traffic that uses
TLSv1.3 instead of downgrading it to TLSv1.2. If you don’t block downgrade, then when
the firewall runs out of TLSv1.3 resources, it downgrades to TLSv1.2. However, blocking
downgrade when resources aren’t available may affect the user experience by making
sites that users normally can reach temporarily unreachable. Whether to implement this
failure check depends on your company’s security compliance stance and the importance
of the user experience, weighed against tighter security. You may want to create a separate
Decryption policy and profile to govern decryption for sensitive traffic for which you don’t
want to downgrade the TLS version.
STEP 5 | For SSH traffic, configure SSH Proxy Decryption profile settings.
SSH Decryption allows normally routed SSH traffic and denies SSH tunneling (SSH port forwarding) traffic, but doesn't perform content or threat inspection on the SSH traffic. SSH tunneling sessions can tunnel X11 (X Window System) traffic and arbitrary TCP connections. One SSH connection may contain multiple channels. When you apply an SSH Decryption profile to traffic, for each channel in the connection, the firewall examines the App-ID of the traffic and identifies the channel type. The channel type can be:
• session
• X11
• forwarded-tcpip
• direct-tcpip
When the channel type is session, the firewall identifies the traffic as allowed SSH traffic such as SFTP or SCP. When the channel type is X11, forwarded-tcpip, or direct-tcpip, the firewall identifies the traffic as SSH tunneling traffic and blocks it.
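The channel-type check described above, as an added example that is not Palo Alto Networks code: a small parser for the SSH_MSG_CHANNEL_OPEN message (RFC 4254) that classifies each channel as session (allowed) or tunneling (X11, forwarded-tcpip, direct-tcpip; blocked), fails closed on malformed messages, and for direct-tcpip also recovers the host and port the client is trying to reach, which is what you want in the log when someone attempts a tunnel into the data center. The messages it runs on are constructed inline; a firewall can only see these messages once it sits in the SSH path as a proxy.

```python
"""Classify SSH_MSG_CHANNEL_OPEN requests the way the SSH Proxy description does.

Added example, not Palo Alto Networks code. Parses the channel-open format from
RFC 4254 (message type 90, then an SSH string naming the channel type) and
applies the stated policy: "session" channels are allowed, X11, forwarded-tcpip
and direct-tcpip channels are SSH tunneling and are blocked. Samples are constructed.
"""
import struct

SSH_MSG_CHANNEL_OPEN = 90
ALLOWED_CHANNEL_TYPES = {"session"}
TUNNEL_CHANNEL_TYPES = {"x11", "forwarded-tcpip", "direct-tcpip"}


def _ssh_string(buf: bytes, offset: int):
    """Decode an RFC 4251 'string' (uint32 big-endian length prefix + bytes)."""
    if offset + 4 > len(buf):
        raise ValueError("truncated string length")
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    start = offset + 4
    if start + length > len(buf):
        raise ValueError("truncated string body")
    return buf[start:start + length], start + length


def parse_channel_open(msg: bytes) -> dict:
    """Parse the fixed part of SSH_MSG_CHANNEL_OPEN and, for direct-tcpip,
    the requested target host and port (RFC 4254 section 7.2)."""
    if not msg or msg[0] != SSH_MSG_CHANNEL_OPEN:
        raise ValueError("not an SSH_MSG_CHANNEL_OPEN message")
    channel_type, off = _ssh_string(msg, 1)
    if off + 12 > len(msg):
        raise ValueError("truncated channel-open header")
    sender_channel, window, max_packet = struct.unpack(">III", msg[off:off + 12])
    off += 12
    info = {
        "channel_type": channel_type.decode("ascii", "replace"),
        "sender_channel": sender_channel,
        "initial_window": window,
        "max_packet": max_packet,
    }
    if info["channel_type"] == "direct-tcpip":
        host, off = _ssh_string(msg, off)
        (port,) = struct.unpack(">I", msg[off:off + 4])
        info["target"] = (host.decode("ascii", "replace"), port)
    return info


def channel_verdict(msg: bytes) -> str:
    """'allow' for session channels, 'block' for tunneling channels.
    Unknown or malformed channel opens are also blocked (fail closed)."""
    try:
        ctype = parse_channel_open(msg)["channel_type"]
    except ValueError:
        return "block"
    return "allow" if ctype in ALLOWED_CHANNEL_TYPES else "block"


def build_channel_open(channel_type: str, extra: bytes = b"", sender: int = 0,
                       window: int = 2097152, max_packet: int = 32768) -> bytes:
    """Build a constructed SSH_MSG_CHANNEL_OPEN for testing."""
    ctype = channel_type.encode("ascii")
    return (bytes([SSH_MSG_CHANNEL_OPEN]) + struct.pack(">I", len(ctype)) + ctype
            + struct.pack(">III", sender, window, max_packet) + extra)


def direct_tcpip_extra(host: str, port: int, orig_host: str = "10.0.0.5",
                       orig_port: int = 51000) -> bytes:
    """Type-specific data for a direct-tcpip (ssh -L style) channel open."""
    h, o = host.encode(), orig_host.encode()
    return (struct.pack(">I", len(h)) + h + struct.pack(">I", port)
            + struct.pack(">I", len(o)) + o + struct.pack(">I", orig_port))


if __name__ == "__main__":
    samples = {
        "scp/sftp session": build_channel_open("session"),
        "ssh -L tunnel to db": build_channel_open("direct-tcpip", direct_tcpip_extra("10.10.30.7", 5432)),
        "ssh -R tunnel": build_channel_open("forwarded-tcpip"),
        "X11 forwarding": build_channel_open("x11"),
    }
    for name, msg in samples.items():
        info = parse_channel_open(msg)
        print(f"{name:22} {info['channel_type']:16} -> {channel_verdict(msg)} {info.get('target', '')}")
```

The verdict function deliberately blocks anything it cannot parse, which is the same fail-closed posture the profile's unsupported mode and failure checks recommend for TLS.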
For most user groups, you probably won't allow SSH traffic in the data center. SSH is usually used for remote access to servers (typically Linux servers) and for file transfers, and remote server access is not a capability you want most users to have because it places your data center servers at greater risk. You can't decrypt SSH traffic, so anyone who uses SSH to access data center resources must be trusted, and even so, all of the threat profiles should be attached to any rule that allows SSH access to scan for malware, viruses, spyware, etc.
An example use case for SSH is IT personnel who manage and maintain data center servers and use SSH for remote access.
• Unsupported Mode Checks—The firewall can't decrypt session versions and ciphers that the firewall doesn't support, and unsupported versions and ciphers may be vulnerable. To prevent attackers from using unsupported versions and ciphers to sneak onto the network, block session versions and cipher suites that the firewall doesn't support. In addition, blocking sessions with unsupported mode checks protects you from malicious backdoors and other threats that use custom and non-standard encryption to obscure their activities.
• Failure Checks—If you don't enable Block sessions if resources not available, the risk is that a lack of processing resources may allow potentially dangerous connections. If you block sessions for which resources aren't available, it may affect the user experience. Whether to implement failure checks depends on your company's security compliance stance and the importance to your business of the user experience, weighed against tighter security.
STEP 6 | For traffic that you choose not to decrypt, configure the No Decryption settings to block encrypted sessions destined for sites with expired certificates or untrusted issuers.
Apply the No Decryption profile only to traffic that you choose not to decrypt because of regulations or compliance rules, not to traffic that can't be decrypted for technical reasons, such as a pinned certificate (add that traffic to the SSL Decryption Exclusion List). The best practice is to decrypt as much data center traffic as possible.
Do not attach a No Decryption profile to Decryption policies for TLSv1.3 traffic that you don't decrypt. Unlike previous versions, TLSv1.3 encrypts the certificate, so the firewall has no visibility into certificate data and cannot block sessions with expired certificates or untrusted issuers; the profile has no effect. (The firewall can perform certificate checks with TLSv1.2 and earlier because those protocols do not encrypt the certificate, and you should apply a No Decryption profile to that traffic.) However, you should still create a Decryption policy for TLSv1.3 traffic that you don't decrypt, because the firewall doesn't log undecrypted traffic unless a Decryption policy controls that traffic.
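To illustrate why the TLSv1.3 caveat matters, the following added example (not Palo Alto Networks code) parses a TLS ServerHello and reports whether the server certificate will be visible without decryption. The detail a practitioner should know: a TLSv1.3 ServerHello still carries 0x0303 (TLSv1.2) in its legacy version field and announces the real version in the supported_versions extension (RFC 8446), so any check that reads only the record or legacy version will misclassify TLSv1.3 sessions as inspectable. The ServerHello records are constructed inline with empty random and session ID fields.

```python
"""Decide whether a No Decryption profile can see the server certificate.

Added example, not Palo Alto Networks code. TLSv1.3 encrypts the certificate,
so certificate checks only work for TLSv1.2 and earlier. In a TLSv1.3 ServerHello
the legacy version field still reads 0x0303 and the negotiated version is in the
supported_versions extension (RFC 8446 section 4.2.1). Sample records are constructed.
"""
import struct

HANDSHAKE = 0x16
SERVER_HELLO = 0x02
EXT_SUPPORTED_VERSIONS = 0x002B
VERSION_NAMES = {0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}


def negotiated_version(record: bytes) -> int:
    """Return the version the server actually selected in a ServerHello record."""
    if len(record) < 9 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len or body[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    sh = body[4:4 + hs_len]
    if len(sh) != hs_len:
        raise ValueError("truncated ServerHello")
    legacy_version = struct.unpack(">H", sh[0:2])[0]
    off = 2 + 32                       # legacy_version, random
    sid_len = sh[off]
    off += 1 + sid_len                 # legacy_session_id_echo
    off += 2 + 1                       # cipher_suite, legacy_compression_method
    if off >= len(sh):
        return legacy_version          # no extensions block at all (pre-1.3 servers)
    ext_len = struct.unpack(">H", sh[off:off + 2])[0]
    off += 2
    end = off + ext_len
    while off + 4 <= end:
        etype, elen = struct.unpack(">HH", sh[off:off + 4])
        data = sh[off + 4:off + 4 + elen]
        if etype == EXT_SUPPORTED_VERSIONS and elen == 2:
            return struct.unpack(">H", data)[0]   # TLSv1.3 puts the real version here
        off += 4 + elen
    return legacy_version


def certificate_visible(record: bytes) -> bool:
    """True when the firewall can read the certificate without decrypting,
    i.e. the session negotiated TLSv1.2 or earlier."""
    return negotiated_version(record) < 0x0304


def no_decryption_profile_applies(record: bytes) -> str:
    v = negotiated_version(record)
    name = VERSION_NAMES.get(v, hex(v))
    if certificate_visible(record):
        return f"{name}: certificate visible, No Decryption profile checks apply"
    return f"{name}: certificate encrypted, profile has no effect; keep a Decryption policy for logging"


def build_server_hello(selected: int, cipher: int = 0x1301) -> bytes:
    """Constructed ServerHello. For TLSv1.3 the legacy field stays 0x0303 and
    supported_versions carries 0x0304, exactly as a real server sends it."""
    legacy = 0x0303 if selected >= 0x0303 else selected
    exts = b""
    if selected == 0x0304:
        exts = struct.pack(">HHH", EXT_SUPPORTED_VERSIONS, 2, 0x0304)
    sh = (struct.pack(">H", legacy) + bytes(32) + b"\x00" + struct.pack(">H", cipher) + b"\x00"
          + struct.pack(">H", len(exts)) + exts)
    hs = bytes([SERVER_HELLO]) + len(sh).to_bytes(3, "big") + sh
    return bytes([HANDSHAKE]) + struct.pack(">H", legacy) + struct.pack(">H", len(hs)) + hs


if __name__ == "__main__":
    for version in (0x0303, 0x0304):
        print(no_decryption_profile_applies(build_server_hello(version)))
```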
If the technical reason for excluding a site from decryption is an incomplete certificate chain, you can use the information in the Decryption log to repair the incomplete certificate chain so that you can allow, decrypt, and inspect the traffic.
You may choose not to decrypt traffic for reasons such as regulations and legal compliance. For example, the European Union (EU) General Data Protection Regulation (GDPR) requires strong protection of all personal data for all individuals. The GDPR affects all companies, including foreign companies, that collect or process the personal data of EU residents. Different regulations and compliance rules may mean that you treat the same data differently in different countries or regions. Businesses usually can decrypt personal information in their corporate data centers because the business owns the information. The best practice is to decrypt as much traffic as possible so that you can see it and apply security protection to it.
For traffic you choose not to decrypt, make sure it really is traffic you don't want to decrypt, and then create a policy-based exclusion that specifies the application, user group, source and destination, URL category, and/or service to limit each exclusion as much as possible. The more specific the decryption exclusion, the better, so that you don't inadvertently exclude more traffic than necessary from decryption.
different internal company departments such as Marketing, Engineering, and Human Resources, and to segment customer resources and customer-hosted applications.
Consider using zone protection profiles to protect zones against floods, reconnaissance activities (port scans and host sweeps), Layer 3 packet-based attacks, and non-IP protocol (Layer 2) packet-based attacks.
• Dynamic address groups—For this purpose, dynamic address groups are lists of IP addresses that the firewall imports and uses in security policy to define server groups dynamically instead of statically. Adding and removing IP addresses from a dynamic address group updates security policy automatically, without a commit action on the firewall. Within a zone, using dynamic address groups in security policy allow rules enables server-to-server interaction for specified applications and services. For example, in NSX, use dynamic address groups to segment the server tiers within an application tier.
• User-ID—Enable User-ID to create application allow rules based on user groups to segment users from applications and server groups.
When you design your data center segmentation plan, keep in mind the following general guidelines:
• Assess your data center first (see How to Assess Your Data Center), so that you can segment it in stages and protect the most valuable and sensitive assets first.
• Use an SDN solution (such as NSX, ACI, or OpenStack) inside the data center to provide a scalable, agile, virtualized infrastructure. SDN is the best way to centralize data center network management, maximize compute resource utilization, scale and automate the network, and control and secure traffic on a virtualized network. Although you can create a non-SDN architecture that essentially replicates an SDN architecture, it's difficult and time consuming to do, prone to errors that result in outages, and is not considered a best practice. SDN solutions maximize the use of the underlying data center compute resources without sacrificing security.
• Use physical next-generation firewalls to segment and secure non-virtualized legacy servers and use VM-Series firewalls to segment and secure the virtual data center network.
• Group assets that perform similar functions and require the same level of security in the same data center segment. For example, place servers that connect to the internet in the same segment.
Base your segmentation plan on multiple criteria to develop the right plan to secure your business.
Each server tier contains functionally similar servers that work together so that an application tier can present an application to a user.
The server tiers within each application tier create a service chain of VMs. Service chains steer traffic through virtual data center appliances to provide application services. Within an application tier, a web server may communicate with an application server that houses the application code, and that application server may communicate with a database server that houses content. The communication between the three servers, which reside in different server tiers within an application tier, is the service chain.
Data centers contain many application tiers, which may be dedicated to particular departments, customers, contractors, or other groups. Segment the data center application infrastructure to prevent unauthorized and unnecessary communication among application resources and to inspect application traffic.
Application tier: Segment the server tiers within each application tier by configuring a separate firewall zone for each server tier, so that you can control access to each set of servers and examine the traffic flowing between each server tier as it traverses the firewall. For example, place web servers, application servers, and database servers in separate zones so that traffic between server tiers always goes through a next-generation firewall for full inspection.
Depending on business requirements, you may need to create more than one zone for each application tier to separate tenants, to load balance, to use application tiers for different purposes, to provide different levels of security, or to connect to different sets of servers. Segment the data center to reduce the attack surface of each application tier by grouping in the same zone only servers that require similar levels of trust and that need to communicate with similar application tiers.
Web server tier: Traffic normally enters the data center through web servers, although there are special cases such as IT configuring direct secured access to data center servers for management purposes. As with the other server tiers, create a separate zone for the web server tier so that you can apply granular security policy to it.
Infrastructure service application servers: Segment the servers that provide critical infrastructure services such as DNS, DHCP, and NTP, and allow access only to their specific IP addresses, using only the appropriate applications.
Applications: Use App-ID to create application-based allow list security policy rules that segment applications by controlling who can access each application and on which sets of servers (using dynamic address groups). App-ID enables you to apply granular security policy rules to applications that may reside on the same compute resource but require different levels of security and access control.
Create custom applications to uniquely identify proprietary applications and segment access. Application Override policies are port-based: when you use them to maintain custom session timeouts for a set of ports, you lose application visibility into those flows, so you neither know nor control which applications use the ports. If you have existing Application Override policies that you created solely to define custom session timeouts for a set of ports, convert them to application-based policies: configure a service-based session timeout to maintain the custom timeout for each application, and then migrate each rule to an application-based rule. Service-based session timeouts achieve custom timeouts while also maintaining application visibility.
Likewise, when migrating from a port-based security policy with custom application timeouts to an application-based policy, don't use Application Override rules to maintain the custom timeouts, because you lose visibility into the applications. Instead, define a service-based session timeout to maintain the custom timeout for each application, and then migrate the rule to an application-based rule.
Don't use next-generation firewalls to segment servers within a particular server tier. When you need to prevent intercommunication of servers within a server tier, use a traditional rule such as an NSX DFW rule to open a port or block traffic within the tier. However, servers within a server tier often need to intercommunicate. For example, a database server tier may be a server cluster that requires free intercommunication.
Download content updates automatically and install them as soon as possible so that you have the latest threat prevention signatures and content (antivirus, anti-spyware, vulnerabilities, malware, etc.) on the firewall and block the latest threats.
Create one or more Security profile groups so that you can apply all of the profiles to a Security policy rule at one time instead of specifying them individually.
You don't need a URL Filtering subscription for data center firewalls if there is no direct outbound connection to the internet. Firewalls that don't connect directly to the internet don't need the PAN-DB URL Filtering solution because it identifies internet URLs, not private data center URLs, so importing the PAN-DB database and checking URLs against it doesn't apply to data center traffic. If you're not sure whether a firewall has URL traffic, get a trial URL Filtering subscription and set the profile to alert on all URL categories to identify any URL traffic. Otherwise, URL Filtering should take place on firewalls at the network perimeter where user traffic enters and exits the network, not at the data center perimeter. Consider creating custom URL categories (Objects > Custom Objects > URL Category) to identify and control access to internal data center web services.
Red triangles in the upper left corner of a cell indicate that the action is modified (changed from the default), and the name of the modified profile is Strict_AV.
Attach the best practice Antivirus profile to all security policy rules that allow traffic to block known malicious files (malware, ransomware, bots, and viruses) as they attempt to enter the network. For example:
• Intra data center traffic—The Antivirus profile, along with the Vulnerability Protection profile, helps prevent attackers from using exploits to leverage vulnerabilities and spread malware and hacking tools laterally between servers inside the data center network.
• Traffic from the data center to the internet—The Antivirus profile, along with the Anti-Spyware profile, helps identify and block command and control traffic and initial downloads of malware and hacking tools.
Clone the predefined strict Anti-Spyware profile and edit it. To ensure availability for business-critical applications, take safe transition steps as you move from your current state to the best practice profile. If you have a sinkhole set up to which you can send traffic for analysis, enable DNS sinkhole with packet capture to help you track down the endpoint that attempted to resolve the malicious domain. The best practice Anti-Spyware profile retains the default Action to reset the connection when the firewall detects a medium, high, or critical severity threat, and enables single packet capture (PCAP) for those threats.
Don't enable PCAP for informational activity because it generates a relatively high volume of that traffic and it's not particularly useful compared to potential threats. Apply extended PCAP (as opposed to single PCAP) to high-value traffic to which you apply the alert Action. Apply PCAP using the same logic you use to decide what traffic to log: take PCAPs of the traffic you log. Apply single PCAP to traffic you block. The default number of packets that extended PCAP records and sends to the management plane is five packets, which is the recommended value. In most cases, capturing five packets provides enough information to analyze the threat. If too much PCAP traffic is sent to the management plane, then capturing more than five packets may result in dropped PCAPs.
The best practice Action on DNS Queries is to sinkhole DNS queries for known malicious domains when you don't have visibility into the originator of the query, to block them otherwise, and to enable PCAPs. Enabling DNS sinkhole identifies potentially compromised hosts that attempt to access suspicious domains by tracking the hosts and preventing them from accessing those domains. Enable DNS sinkhole when the firewall can't see the originator of the DNS query (typically when the firewall is north of the local DNS server) so that you can identify infected hosts. Don't enable DNS sinkhole when the firewall can see the originator of the DNS query (typically when the firewall is south of the local DNS server; in this case, the firewall's blocking rules and logs provide visibility into the traffic) or on traffic you block.
In addition to protecting hosts with DNS sinkholing, attach the best practice Anti-Spyware profile to all security policy rules that allow traffic to identify infected hosts as traffic leaves the network and to stop attackers by preventing compromised systems from communicating with the malicious C2 network. If a system can't communicate with the C2 network, the C2 network can't control the system. For example:
• Traffic from users to the data center, intra data center traffic, and traffic from the internet to the data center—The Anti-Spyware profile blocks peer-to-peer C2 traffic.
• Traffic from the data center to the internet—The Anti-Spyware profile, along with the Antivirus profile, helps identify and block C2 traffic and initial downloads of malware and hacking tools.
Don't enable PCAP for informational activity because it generates a relatively high volume of that traffic and it's not particularly useful compared to potential threats. Apply extended PCAP (as opposed to single PCAP) to high-value traffic to which you apply the alert Action. Apply PCAP using the same logic you use to decide what traffic to log: take PCAPs of the traffic you log. Apply single PCAP to traffic you block. The default number of packets that extended PCAP records and sends to the management plane is five packets, which is the recommended value. In most cases, capturing five packets provides enough information to analyze the threat. If too much PCAP traffic is sent to the management plane, then capturing more than five packets may result in dropped PCAPs.
Attach the best practice Vulnerability Protection profile to all security policy rules that allow traffic, because without strict vulnerability protection, attackers can leverage client- and server-side vulnerabilities to compromise the data center. For example:
• Intra data center traffic—A strict Vulnerability Protection profile, along with the Antivirus profile, helps prevent attackers from using exploits to leverage vulnerabilities and spread malware and hacking tools laterally between servers inside the data center network.
• Traffic from the data center to the internet—Vulnerability protection helps prevent infected data center servers from compromising internet servers.
• Traffic from the internet to the data center—A strict Vulnerability Protection profile blocks attempts to compromise data center servers with server-side vulnerabilities. If a server is compromised, vulnerability protection helps prevent the infected server from serving exploits to clients, isolating the infection and protecting your partners and customers from watering hole attacks. Vulnerability protection also stops brute force attacks using the Block IP action. When brute force attack signatures trigger the action, the firewall blocks the attacker's IP address for a configured period of time. If the brute force attack resumes after the time period expires, the signatures again trigger the blocking action. The brute force attack may continue, but it never succeeds.
In some cases, the need to support critical applications may prevent you from blocking all of the strict profile's file types. Follow the safe transition advice to help determine whether you need to make exceptions in different areas of the network. Review the data filtering logs (Monitor > Logs > Data Filtering) to identify file types used in the data center and talk with business stakeholders about the file types their applications require. Based on this information, if necessary, clone the strict profile and modify it as needed to allow only the additional file type(s) that you need to support the critical applications. You can also use the Direction setting to block a file type in both directions or in only one direction.
Attach the best practice File Blocking profile to all security policy rules that allow traffic to help prevent attackers from delivering malicious files to the data center through file sharing applications and exploit kits, by infecting users who access the data center, or on USB sticks.
• Traffic from users to the data center—Attach the strict File Blocking profile to security policy rules for applications that don't entail file sharing or collaboration to block dangerous file types that can deliver exploits and malware.
• Intra data center traffic—Attach the strict File Blocking profile to security policy rules to prevent a compromised server from sharing a malicious file with other servers in the data center. This isolates the infection and prevents the spread of malware through the data center.
• Traffic from the data center to the internet—Limit file transfers to the file types required by the application in use.
If you don't block all Windows PE files, send all unknown files to WildFire for analysis. For user accounts, set the Action to continue to help prevent drive-by downloads, where malicious web sites, emails, or pop-ups cause users to inadvertently download malicious files. Educate users that a continue prompt for a file transfer they didn't knowingly initiate may mean they are subject to a malicious download.
Set up WildFire appliance content updates to download and install automatically every minute so that you always have the most recent support. For example, support for Linux files and SMB files was first delivered in WildFire appliance content updates.
Attach the default WildFire Analysis profile to all security policy rules that allow traffic, because WildFire provides the best defense against unknown threats and advanced persistent threats (APTs). For example:
• Traffic from users to the data center—WildFire identifies unknown malware hosted on data center collaboration servers such as Confluence or SharePoint.
• Intra data center traffic—WildFire identifies unknown malware spreading among the data center servers, which can prevent the exfiltration of data by discovering the malware before it can do damage.
• Traffic from the data center to the internet—Because this traffic downloads executables for software and operating system updates, it's critical to run WildFire on all applications to identify malicious behaviors.
Set up alerts for malware through email, SNMP, or a syslog server so that the firewall immediately notifies you when it encounters a potential issue. The faster you isolate a compromised host, the lower the chance that the previously unknown malware has spread to other data center devices, and the easier it is to remediate the issue.
If necessary, you can restrict the applications and file types sent for analysis based on the traffic's direction.
WildFire Action settings in the Antivirus profile may impact traffic if the traffic generates a WildFire signature that results in a reset or a drop action. To transition safely to best practices, you can exclude internal traffic such as software distribution applications through which you deploy custom-built programs, because WildFire may identify custom-built programs as malicious and generate a signature for them. Check Monitor > Logs > WildFire Submissions to see if any internal custom-built programs trigger WildFire signatures.
Order the Data Center Security Policy Rulebase shows you how to order these rules with all of the other rules we create for the four data center traffic flows so that no rule shadows another rule.
To apply consistent security policy across multiple data centers, you can reuse templates and template stacks so that the same policies apply to every data center. The templates use variables to apply device-specific values such as IP addresses, FQDNs, etc., while maintaining a global security policy and reducing the number of templates and template stacks you need to manage.
enter the network as encrypted traffic. Blocking QUIC forces the browser to fall back to TLS and enables the firewall to decrypt the traffic.
Create a Security policy rule to block QUIC on its UDP service ports (80 and 443) and create a separate rule to block the QUIC application. For the rule that blocks UDP ports 80 and 443, create a Service (Objects > Services) that includes UDP ports 80 and 443:
Use the Service to specify the UDP ports to block for QUIC. In the second rule, block the QUIC application so that the first two rules in your rulebase block QUIC:
STEP 2 | Block all applications from user zones on the application-default port to identify unexpected applications.
This rule discovers applications that users are attempting to use and that you didn't know were running in your data center. Monitor traffic that matches this rule to determine if it's a potential threat or if you need to modify your allow rules to enable access to the application.
Be sure to place this rule after rules that allow traffic or this rule will block traffic that you intend to allow.
The rule in Step 5 is similar to this rule, except that it applies to traffic from any source, not just traffic from user zones. The reason for creating separate rules is that violations of the user-zone rule may indicate that you're blocking a legitimate application which some users need to conduct business, so you may need to modify a rule to allow the application for a particular set of users. Violations from non-user zones may indicate a change in an application or a potential attack. Creating a separate rule for the rest of the traffic enables you to view separate logs for user traffic and for all other traffic attempting to enter the data center, which makes it easier to investigate and respond to a potential issue.
This rule must precede the any-zone rule in Step 5, which applies to all traffic, so that you first log violations from user zones and then log and monitor attempts to use unexpected applications on application-default ports regardless of the source.
STEP 3 | Block all applications from user zones on any port to identify applications running where they shouldn't run.
This rule identifies legitimate, known applications that users are attempting to run on non-standard ports as well as unknown applications for which you may need to create custom applications. Investigate the source of any traffic that matches this rule to ensure that you aren't allowing unknown-tcp, unknown-udp, or non-syn-tcp traffic. Be sure to place this rule after rules that allow traffic or this rule will block traffic that you intend to allow.
We will also create a different block rule later in this section (Unexpected-App-from-Any-Zone, Step 6) that is similar to this rule, except that it applies to traffic from any source, not just traffic from user zones. The reason for creating separate rules is that violations of the user-zone rule may indicate that a legitimate application which some users need to conduct business has not been designed correctly, so you may need to modify the application. Creating a separate rule for the rest of the traffic enables you to view separate logs for user traffic and for all other traffic attempting to enter the data center, which makes it easier to investigate and respond to a potential issue.
STEP 4 | Block applications designed to evade or bypass security, that attackers commonly exploit, or that are not necessary in the data center.
This rule protects the data center from applications that you know you don't want on your network. Although the goal of a best practice security policy is positive enforcement using application allow rules, explicitly blocking and logging potentially dangerous application activity such as unsanctioned file sharing applications, remote access applications, or encrypted tunnels provides visibility into and information about potential attacks. Even after you develop a solid application allow list, keep this application blocking rule in the rulebase because logs from attempted violations help with investigations into potential attacks.
Use this rule to block only applications you never want in your data center.
STEP 5 | Block all applications from any zone on the application-default port to identify unexpected applications.
This rule discovers applications from any zone that you didn't know were running in your data center. Violations of this rule may indicate that an application has changed or may indicate a potential threat. Monitor traffic that matches this rule to determine if it's a potential threat or if you need to modify your application allow rules. Be sure to place this rule after rules that allow traffic or this rule will block traffic that you intend to allow, and after the user-zone rule in Step 2 so that it doesn't catch traffic from user zones.
STEP 6 | Block all applications from any zone on any port to identify applications running where they
shouldn't run.
This rule identifies legitimate, known applications attempting to run on non-standard ports
as well as unknown applications for which you may need to create custom applications.
Investigate the source of any traffic that matches this rule to ensure that you aren't allowing
unknown-tcp, unknown-udp, or non-syn-tcp traffic. Be sure to place this rule after rules that
allow traffic or this rule will block traffic that you intend to allow, and after the preceding rule
so that it doesn't catch traffic from user zones.
To create this rule, use the same settings as in the rule Unexpected-App-from-User-Zone,
except instead of specifying the user zones in the source, specify any zone to cover all of the
rest of the traffic attempting to enter the data center, and set the Service to any to cover
non-standard ports.
STEP 7 | Discover unknown users attempting to run any application, on any port.
This rule identifies gaps in User-ID coverage by finding unknown users. It also identifies
compromised or embedded devices in the user community that are trying to access your data
center. (Embedded devices have no user interface, for example, printers, card readers, and
cameras, but adversaries can compromise these devices and use them in an attack.)
This rule is almost the same as the interzone-default rule that prevents communication
between zones (unless another rule allows the traffic), except instead of dropping traffic
from all users, it only drops traffic from unknown users. This enables you to log rule matches
separately and more easily investigate unknown users attempting to access your data center.
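The ordering rules in Steps 4 through 7 can be checked mechanically. The following is an added example, not code from the Palo Alto Networks document or a PAN-OS API: a first-match model of the rulebase that shows where a session lands and flags any rule that an earlier rule fully shadows. Zone, group and rule names, the standard-port table and the User-ID groups are constructed for illustration.

```python
"""Added example (not from the Palo Alto Networks document): a first-match
model of the Security policy rulebase described in Steps 4 to 7. It shows why
the discovery and block rules must follow the allow rules, and it flags rules
that an earlier rule fully shadows. Zone, group and rule names are constructed;
App-ID names are used only as labels."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

ANY = "any"
# Constructed stand-ins for the App-ID standard ports and for User-ID groups.
APP_DEFAULT_PORT: Dict[str, int] = {"ssh": 22, "web-browsing": 80, "dns": 53}
GROUPS: Dict[str, Set[str]] = {"engineering": {"alice"}, "it-admins": {"bob"}}

@dataclass(frozen=True)
class Session:
    src_zone: str
    dst_zone: str
    user: str  # "unknown" when User-ID has no mapping for the source IP
    app: str
    port: int

@dataclass
class Rule:
    name: str
    action: str  # "allow" or "deny"
    src_zones: Set[str] = field(default_factory=lambda: {ANY})
    dst_zones: Set[str] = field(default_factory=lambda: {ANY})
    users: Set[str] = field(default_factory=lambda: {ANY})  # any, known-user, unknown, or groups
    apps: Set[str] = field(default_factory=lambda: {ANY})
    service: str = "application-default"  # or "any" to cover non-standard ports

    def user_matches(self, user: str) -> bool:
        if ANY in self.users:
            return True
        if user == "unknown":
            return "unknown" in self.users
        if "known-user" in self.users:
            return True
        return any(user in GROUPS.get(g, set()) for g in self.users)

    def matches(self, s: Session) -> bool:
        return (
            (ANY in self.src_zones or s.src_zone in self.src_zones)
            and (ANY in self.dst_zones or s.dst_zone in self.dst_zones)
            and self.user_matches(s.user)
            and (ANY in self.apps or s.app in self.apps)
            and (self.service == ANY or APP_DEFAULT_PORT.get(s.app) == s.port)
        )

def evaluate(rulebase: List[Rule], s: Session) -> Tuple[str, str]:
    """First match wins; unmatched cross-zone traffic falls to interzone-default."""
    for r in rulebase:
        if r.matches(s):
            return r.name, r.action
    return "interzone-default", "deny"

def _covers(a: Set[str], b: Set[str]) -> bool:
    return ANY in a or b <= a

def _users_cover(a: Set[str], b: Set[str]) -> bool:
    if ANY in a or b <= a:
        return True
    return "known-user" in a and "unknown" not in b and ANY not in b

def shadowed_rules(rulebase: List[Rule]) -> List[Tuple[str, str]]:
    """(shadowed rule, earlier rule) pairs where the earlier rule matches a superset."""
    found = []
    for i, later in enumerate(rulebase):
        for earlier in rulebase[:i]:
            if (_covers(earlier.src_zones, later.src_zones)
                    and _covers(earlier.dst_zones, later.dst_zones)
                    and _users_cover(earlier.users, later.users)
                    and _covers(earlier.apps, later.apps)
                    and earlier.service in (ANY, later.service)):
                found.append((later.name, earlier.name))
                break
    return found

# Constructed rulebase in the order the text recommends: allow rules first, then
# the block and discovery rules (Step 4, Step 7, the Step 1 user-zone rule, Steps 5 and 6).
RULEBASE: List[Rule] = [
    Rule("Allow-Eng-Dev", "allow", {"Users"}, {"Eng-DC-Infra"}, {"engineering"}, {"ssh", "web-browsing"}),
    Rule("Allow-IT-Mgmt", "allow", {"Users"}, {"IT-DC-Infra"}, {"it-admins"}, {"ssh"}),
    Rule("Block-Evasive-Apps", "deny", apps={"bittorrent", "teamviewer"}, service=ANY),
    Rule("Unknown-User-Any-App", "deny", users={"unknown"}, service=ANY),
    Rule("Unexpected-App-from-User-Zone", "deny", src_zones={"Users"}),
    Rule("Unexpected-App-Any-Zone", "deny"),
    Rule("Unexpected-Port-Any-Zone", "deny", service=ANY),
]
# The same rules with the any-port catch-all moved to the top: it shadows everything after it.
MISORDERED: List[Rule] = [RULEBASE[-1]] + RULEBASE[:-1]

if __name__ == "__main__":
    s = Session("Users", "Eng-DC-Infra", "alice", "ssh", 2222)
    print(evaluate(RULEBASE, s))       # ssh on a non-standard port hits the any-port block rule
    print(shadowed_rules(RULEBASE))    # []
    print(shadowed_rules(MISORDERED))  # every other rule is shadowed by Unexpected-Port-Any-Zone
```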
Practice to avoid: Trust internal users and allow the application the user accesses to determine
whether access is allowed based on credentials and possibly on IP address rules.
Risk: An attacker gains access to a data center endpoint and then moves laterally to any other
data center endpoint to exploit stolen credentials or server-side vulnerabilities. Unknown users
gain access to data center endpoints.
Best practice: Enable User-ID, block unknown users, and allow access for sanctioned users. Create
separate identity domains for employees, partners, and contractors. Use multi-factor
authentication (MFA) for partner, contractor, and sensitive server access.

Practice to avoid: Analyzing unknown files is unnecessary because the data center is inside a
trusted network.
Risk: Users may inadvertently download malware from file sharing and other cloud applications.
Best practice: Send all unknown files to WildFire for analysis to identify new and unknown
malware and protect against it.
Tag all sanctioned applications with the predefined Sanctioned tag. Panorama and
firewalls consider applications without the Sanctioned tag as unsanctioned applications.
Order the Data Center Security Policy Rulebase shows you how to order these rules with all of the
other rules we create for the other three data center traffic flows and the block rules so that no
rule shadows another rule.
To apply consistent security policy across multiple data centers, you can reuse templates
and template stacks so that the same policies apply to every data center. The templates
use variables to apply device-specific values such as IP addresses, FQDNs, etc., while
maintaining a global security policy and reducing the number of templates and template
stacks you need to manage.
At the internet gateway (network perimeter), block all DNS traffic to public DNS
servers. Do not allow DNS traffic to go out to the internet.
This rule is an exception to the best practice of not allowing "any" user in policy rules because
users need to access DNS services before they log in. This rule safeguards access to DNS
services. To create this rule:
• Restrict access to the appropriate Destination Zone in the data center (IT infrastructure).
• Configure an address group for the DNS Servers and restrict access to only that group.
• Prevent access using any application except dns.
• It's especially important to apply the best practice Security profile group to DNS traffic because
if an attacker hijacks your DNS server, the attacker can redirect traffic to phishing websites
that look like the legitimate websites users are trying to access.
STEP 2 | Allow the necessary IT personnel secured, privileged access to data center servers for
management and maintenance.
This rule shows how to safeguard access to critical systems for users who have privileged
accounts. Privileged accounts require a high level of trust and grant administrative access to
critical systems that contain your company's most valuable data, so you must tightly control
and monitor privileged accounts. Leverage App-ID to specify only the applications IT users
need to manage data center devices so that the firewall denies access for all other applications.
In this example, a group of IT users needs administrative access to manage data center servers.
The allowed applications are examples. Allow the applications your IT department
uses to manage data center servers. In some cases, applications over SSL may
require the addition of the specific application to be identified correctly by App-ID.
IT personnel also manage switches, routers, and other devices in the data center. If the
same group of IT users manages those resources using the same applications, you can add
them to the destination zone and address so that the rule allows IT superusers to access the
management interfaces of those devices. If different IT user groups manage different sets of
data center resources or use different applications, create separate, tight security policy rules
for each user group and each set of applications.
Because user groups that have privileged accounts have access to critical systems, when
you Create User-to-Data-Center Authentication Policy Rules, require MFA to prevent access
if attackers compromise their credentials. Create corresponding authentication policy and
decryption policy rules for each privileged access rule.
STEP 3 | Allow access for employee user groups that have legitimate business reasons to
communicate with data center servers.
This rule shows how to limit each user group's (or in some cases, an individual user's) access
to only the necessary applications and servers. For example, engineers need to access
development servers in the data center. To create the security policy rule, create a dynamic
address group that contains the IP addresses of all of the data center development servers
that the group uses, identify the applications the engineers need to use on those servers, and
construct the rule based on those groups.
Similar to the allow rule for engineering user access to data center servers, this rule allows
users in the finance-users and accounting-users groups to use only the specified applications
to access only the servers in the Fin-Servers dynamic address group. The rule applies the best
practice security profiles to allowed traffic and logs activity.
STEP 4 | Allow targeted, limited data center access to contractors, partners, customers, and other
third-parties.
This rule shows how to tightly control access for third-party users so that they can use only the
applications they need on only the servers they need. For example, a company hires a group of
SAP developer contractors. The SAP developers need to access the SAP database in the data
center and make SQL queries. However, SQL also runs on production databases that the SAP
developers should not access. The company needs to control three access vectors:
• User group—SAP developer contractors.
• Applications—MS-SQL and SAP.
• Servers—SAP database servers only. Deny all other data center server access.
The combination of User-ID to isolate the SAP contractor user group, App-ID to limit the group
to using only the necessary applications, and a dynamic address group that limits access to only
the SAP database servers in the data center enables the company to provide exactly the access
the SAP contractors need to perform their duties, but no more.
Verify that only the applications you explicitly allowed in the security policy rules are running
by viewing the predefined Applications report (Monitor > Reports > Application Reports >
Applications). If you see unexpected applications in the report, review the application allow rules
and refine them so that they don't allow the unexpected applications.
STEP 1 | Authenticate employee user groups and individuals that have legitimate business reasons to
use data center servers.
This rule shows how to authenticate user groups so that they can access services required for
their business activities on the necessary servers. For example, engineers need to authenticate
before they can access development servers and applications.
STEP 2 | Authenticate contractors, partners, customers, and other non-employee groups that require
data center access.
This rule requires MFA for third-party user groups such as contractors, partners, and customers
because you have less control over the business and security practices of their companies and
personnel than you do over your employees. Requiring these users to authenticate with at
least two factors protects your data center against credential theft at a third-party company.
STEP 3 | Authenticate users who need specialized access, such as IT personnel who need secured
access to data center servers for management and maintenance.
This rule shows you how to configure authentication for users who have privileged accounts,
which grant administrative access to critical systems. Because compromising the credentials
of a privileged user hands an attacker the keys to your data center kingdom and its valuable
assets, you need to protect against stolen credentials by requiring at least two factors of
authentication to ensure that only legitimate users are granted access. This example shows
how to authenticate the right IT users for access to data center server management interfaces.
Do not send credentials in cleartext. For example, if you use RADIUS, use a supported
EAP method to transport credentials securely inside TLS.
from a trusted internal segment), and then expand the effort until you have applied decryption to
traffic destined to all of your data center assets. Decrypt as much traffic as you can while retaining
acceptable performance.
Exclude Unsuitable Traffic from Data Center Decryption. Regulations and compliance
over personal information differ from country to country and even within country regions.
Different companies may have different compliance rules about personal information.
Decrypt as much traffic as you can, but if your data center houses information that
regulations or company rules exempt from decryption, don't decrypt that traffic.
In Create User-to-Data-Center Application Allow Rules, we created Security policy rules that
allow DNS access, allow engineering users to access engineering development servers, allow SAP
contractor developers to access only the SAP development servers, and allow a particular set of
IT users data center server management access. Here we create decryption policy rules (Policies >
Decryption) to decrypt the traffic that these rules allow.
The decryption policy rules share some common elements in regard to these traffic flows:
• When you create a Decryption policy rule, the objective is to decrypt traffic so that a Security
policy rule can examine it and allow or block it based on policy. To accomplish that, the
Decryption policy rule must use the same source zone(s) and user(s) as the analogous security
policy rule, and the same destination zone and address (often defined by a dynamic address
group so that as you add or remove servers, you can update the firewall without a commit
operation). Defining the same source and destination in the Security policy and in the
Decryption policy applies both policies to the same traffic.
• The Action for all of these rules is decrypt, except in the case of sensitive personal information
as shown in Step 4.
• For each rule, configure decryption logging and log forwarding. Log as much decryption traffic
as your firewall resources permit.
• The decryption rules that use SSL Inbound Inspection to examine incoming traffic require the
appropriate server certificate.
• All of these decryption rules use the Best Practice data center decryption profile shown in
Create the Data Center Best Practice Decryption Profiles.
STEP 1 | Decrypt allowed traffic from employee user groups to data center servers.
This rule shows how to decrypt traffic from a user group to the data center servers that the
group is allowed to access to provide visibility into that traffic. For example, the application
allow rules we created include a Security policy rule that allows engineering users to access
development servers in the data center. To protect the development servers, decrypt incoming
traffic so that the firewall can inspect it and apply threat prevention profiles.
Users zone, and the Destination is the servers specified in the Dev-Servers dynamic address
group in the Engineering-DC-Infra zone.
• On the Options tab, set the Action to Decrypt and the decryption Type to SSL Inbound
Inspection. Specify the server certificate for the development servers and apply the data
center best practice Decryption Profile to apply SSL Inbound Inspection and SSL Protocol
Settings to the traffic.
Create a similar Decryption policy rule for allowed data center traffic of each user group (or
individual user, if applicable) based on the source zone and user group (or user) and on the
destination zone and server group (as defined by the dynamic address group membership).
STEP 2 | Decrypt allowed traffic from contractors, partners, customers, and other third-parties.
This rule shows how to decrypt traffic from third-party groups to the data center servers they are
allowed to access. For example, the allow rules include a security policy rule that allows limited
access for SAP developer contractors to SAP database servers in the data center. Decrypt
incoming traffic so that the firewall can inspect it, apply threat prevention profiles to it, and
protect the SAP data center servers.
STEP 3 | Decrypt privileged allowed access to data center servers (except traffic pertaining to personal
information if regulations or compliance rules prohibit it).
This rule shows how to decrypt traffic for privileged access because you should decrypt
as much traffic as possible to provide the visibility necessary to defend the data center, no
matter how much you trust the users. If you don't decrypt allowed traffic, you can't apply
threat prevention profiles, and if the traffic conceals malware or other threats, you won't see
them. This example references the Security Policy allow rule we created previously to provide
management interface access to data center servers for IT superusers.
If the IT group that manages and maintains data center servers uses SSH, you can't
decrypt the SSH traffic. You can configure SSH Proxy to block SSH tunnels and
prevent SSH from tunneling potentially malicious content and applications. If the
IT group uses SSL, create a Decryption Policy rule using SSL Forward Proxy instead
of SSL Inbound Inspection. The reason is that SSL Inbound Inspection requires the
server certificate to perform decryption. Because IT manages many data center
servers, creating SSL Inbound Inspection rules for each server is onerous and difficult to
manage. SSL Forward Proxy decryption scales better in this use case.
The following example shows the Decryption policy rule for the SSL Forward Proxy use case.
separate, tight security policy rules and corresponding decryption and authentication policy
rules for each user group.
The next example shows the Decryption policy rule for the SSH Proxy use case. You may also
choose not to decrypt the traffic instead of using SSH Proxy decryption.
from the internet to the data center so that you don't inadvertently download malware that
takes advantage of server vulnerabilities or allow a client to download malware from one of your
company's servers that could infect partners, customers, or wind up on a website used by your
industry (serving a watering-hole attack).
Ensure that the source of traffic to the data center doesn't come from malicious IP addresses or
other potentially risky sources, and only allow applications required for business purposes. Don't
allow unnecessary (and especially unknown) applications in the data center. To do these things:
• Create allow rules that control the sanctioned and allowed applications that external devices
can use to communicate with your data center.
Tag all sanctioned applications with the predefined Sanctioned tag. Panorama
and firewalls consider applications without the Sanctioned tag as unsanctioned
applications.
• Create an External Dynamic List to identify bad IP addresses and use it to prevent them from
accessing your data center.
• Create a custom application for any proprietary application so that you can identify the
application and apply security to it.
If you have existing Application Override policies that you created solely to define custom
session timeouts for a set of ports, convert the existing Application Override policies to
application-based policies by configuring service-based session timeouts to maintain the
custom timeout for each application and then migrating the rule to an application-based rule.
Application Override policies are port-based. When you use Application Override policies to
maintain custom session timeouts for a set of ports, you lose application visibility into those
flows, so you neither know nor control which applications use the ports. Service-based session
timeouts achieve custom timeouts while also maintaining application visibility.
• Apply the best practice Security profile group, which consists of the best practice Security
profiles, to allow rules to protect against malware, vulnerabilities, C2 traffic, and known and
unknown threats.
• Log all allowed traffic at session end to track and analyze rule violations. Forward logs to log
servers and when applicable, forward log emails to appropriate administrators.
Order the Data Center Security Policy Rulebase shows you how to order these rules with all of the
other rules we create for the other three data center traffic flows and the block rules so that no
rule shadows another rule.
To apply consistent security policy across multiple data centers, you can reuse templates
and template stacks so that the same policies apply to every data center. The templates
use variables to apply device-specific values such as IP addresses, FQDNs, etc., while
maintaining a global security policy and reducing the number of templates and template
stacks you need to manage.
Allow sanctioned application traffic from vendors, contractors, and customers, restricted to only
the necessary applications.
This rule shows how to secure application traffic arriving at the data center from external
sources by tightly controlling the allowed application(s), allowing them only on the default port,
and blocking sources that you know are bad using an External Dynamic List to identify known
bad IP addresses.
center web servers, using only certain applications. To protect the data center web servers,
decrypt traffic so the firewall can inspect it and apply threat prevention profiles.
STEP 2 | Create similar Decryption policy rules for traffic from the internet to any other server group,
if such access is allowed, and for the other applications you allow.
as a duration during which new connections remain blocked. The CPS thresholds you configure
to protect your data center web servers depend on the capacity of your web servers.
If you don't use protocols such as UDP or other IP protocols, restrict them using
a combination of Security policy rules to allow applications and Zone Protection
Profiles to block unused protocols by setting flood protection CPS to zero packets for
protocols you want to block.
STEP 2 | Create a classified DoS Protection policy rule to define the servers you want to protect from
a DoS attack and attach the DoS Protection profile to it.
This rule prevents a SYN flood attack from taking down your data center web server tier. This
example applies the classified DoS Protection profile to external traffic allowed to connect to
the web server tier.
Creating separate rules for external and internal attack sources provides separate reporting
that makes investigating attack attempts easier.
Practice to avoid: Create port-based rules and/or IP-based rules, which provide sufficient security
Risk: Port-based and IP-based rules can't control which applications to allow to connect to the
internet. If a
Best practice: Create strict application-based allow rules that allow only data center servers that
retrieve updates to use only legitimate applications to communicate only with

Practice to avoid: Data center servers only reach out to trusted servers such as update servers, so
decrypting that traffic isn't necessary.
Risk: Malware or command-and-control software that is already in the data center may attempt to
communicate with external servers to download more malware or exfiltrate data.
Best practice: Decrypt all traffic from the data center to the internet. Create a custom URL
category that defines the URLs data center servers are allowed to contact and use it in Security
policy to limit internet access to external servers. Use the same custom URL category in
Decryption policy to decrypt traffic to those external servers.
• Preventing malware that is already on a data center server from connecting to a compromised
external server (phoning home) and downloading additional data because the allow rules don't
allow connections to those servers.
• Preventing attackers from using legitimate applications such as FTP, HTTP, or DNS tunneling to
exfiltrate data or using legitimate applications such as web-browsing on non-standard ports for
command-and-control (C2) operations because the allow rules don't allow data center servers
to communicate with the internet using those applications. An additional way to help prevent
exfiltration is to use the File Blocking profile's Direction control to block outbound update files
so you only allow downloading for software update files.
Create a strict allow rule for each application that requires software updates from a different set
of external servers. In many cases, App-ID alone isn't enough to protect data center servers. For
example, for Linux server updates, it's not enough to limit traffic to an update application such as
yum or apt-get because that doesn't prevent connecting to illegitimate servers. The best practice
is to find the URLs that data center servers need to connect to, create custom URL categories
(Objects > Custom Objects > URL Category) that specify the websites to use, and combine them
with App-ID in Security policy rules. The combination of App-ID and custom URL categories locks
down the external servers with which the data center servers can connect by preventing the use
of illegitimate applications and preventing connections to update servers that aren't in the custom
URL category. For example, in a Security policy rule that allows data center servers to connect to
CentOS update servers, you could create a custom URL category called CentOS-Update-Servers
and add the CentOS update sites your servers use to the custom category.
To find out the URLs of legitimate Linux update servers and other update servers, work
with software engineering, development operations, and other groups that update
software to understand where they go to get updates. You can also log web browsing
sessions, collect the URLs to which developers connect, and then take the URLs to
engineering to filter out the right URLs for the Security policy.
Don't use the URL Filtering Profile (PAN-DB URL Filtering) in Security policy rules for data
center servers that communicate with the internet because you don't want to allow all
update servers. Restrict communication so that data center servers only reach out to the
particular servers from which they retrieve updates.
In addition, all allowed communication should occur on the standard ports for each application. No
applications should run on non-standard ports. As with all data center traffic, monitor allow rule
violations because violations indicate either that you need to update the security policy to allow
legitimate traffic or that an adversary is in or is attempting to enter the network.
Order the Data Center Security Policy Rulebase shows you how to order these rules with all of the
other rules we create for the other three data center traffic flows and the block rules so that no
rule shadows another rule.
To apply consistent security policy across multiple data centers, you can reuse templates
and template stacks so that the same policies apply to every data center. The templates
use variables to apply device-specific values such as IP addresses, FQDNs, etc., while
maintaining a global security policy and reducing the number of templates and template
stacks you need to manage.
• Has the best practice Security profile group attached, which consists of the best practice
Security profiles. Using a Security profile group enables you to apply all of the best practice
profiles to a rule at one time instead of specifying each profile individually. Security profile
groups make configuring protection against malware, vulnerabilities, C2 traffic, and known and
unknown threats faster and easier.
• Logs traffic (at session end) so that you can track and analyze rule violations and includes log
forwarding. Forward logs to log servers and when applicable, forward log emails to appropriate
administrators.
STEP 1 | Allow data center servers to access software update servers.
This rule shows how to restrict access to software update servers on the internet so that data
center servers communicate only with legitimate, known servers and don't communicate
with other external update servers. This example allows engineering data center servers
to access CentOS update servers and restricts communication to using only the necessary
applications to establish connections to only the right set of update servers.
Only allow the application(s) to run on the default port to prevent evasive malware from
attempting to use non-standard ports.
• Create a custom URL category to define the URLs of the update servers to which the data
center servers can connect. In this example, the CentOS-Update-Servers custom URL
category defines the update server URLs that the data center servers can reach.
This combination of restrictions also prevents attackers who have already compromised a data
center server from reaching other destinations and using other applications to exfiltrate data or
download additional malware.
Similarly, a rule allowing the same servers to communicate with Microsoft Windows update
servers uses the same construction.
The source zone and address are the same as in the preceding CentOS update rule. The
differences are:
• The custom URL category (Win-Update-Servers) contains the URL for Windows updates so
that contact with other URLs is denied.
• The applications pertain to Microsoft updates. In addition to the ms-update application,
Microsoft updates require the ssl application because ms-update depends on SSL. As with
the CentOS update rule, only standard ports are valid.
Some applications depend on other applications. For a given application, you must allow all
dependent applications or the application won't work. The user interface shows application
dependencies when you create a Security policy rule. For example, when you specify the
ms-update application in the rule, the interface shows that ms-update depends on also
allowing SSL:
Click Add to Current Rule to add the selected application(s) to the rule.
You can also use the Search function (Objects > Applications) to find application
dependencies. For example, to find the dependencies for the ms-update application,
search for ms-update, click the ms-update application in the resulting application
list, and then check the Depends on: field.
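The two checks the update-server rule relies on, App-ID dependencies and the custom URL category, can be verified before the rule is committed. The following is an added example, not code from the Palo Alto Networks document or a PAN-OS API: it expands a rule's applications through a dependency table (ms-update depends on ssl, as the page states) and tests destinations against the CentOS-Update-Servers and Win-Update-Servers categories. The dependency table, the host names and the simplified wildcard matching are constructed assumptions.

```python
"""Added example (not from the Palo Alto Networks document): checks an outbound
data-center allow rule the way Step 1 describes it, by expanding App-ID
dependencies and matching the destination against a custom URL category.
The dependency table, host names and wildcard semantics are constructed."""
from typing import Dict, List, Set
from urllib.parse import urlsplit

# Constructed dependency table; the firewall shows the real values under
# Objects > Applications > Depends on.  Only "ms-update -> ssl" comes from the text.
APP_DEPENDS_ON: Dict[str, Set[str]] = {
    "ms-update": {"ssl"},
    "ssl": set(),
    "yum": set(),
    "dns": set(),
}

# Constructed custom URL categories (Objects > Custom Objects > URL Category).
# A leading "*." is treated as a host-suffix wildcard; this is a simplification.
CUSTOM_URL_CATEGORIES: Dict[str, List[str]] = {
    "CentOS-Update-Servers": ["mirror.example-centos.test", "*.example-centos.test"],
    "Win-Update-Servers": ["*.windowsupdate.example.test"],
}


def expand_dependencies(apps: Set[str]) -> Set[str]:
    """Transitive closure: the rule's applications plus everything they depend on."""
    result = set(apps)
    stack = list(apps)
    while stack:
        for dep in APP_DEPENDS_ON.get(stack.pop(), set()):
            if dep not in result:
                result.add(dep)
                stack.append(dep)
    return result


def missing_dependencies(rule_apps: Set[str]) -> Set[str]:
    """Applications the rule must also allow or the allowed ones will not work."""
    return expand_dependencies(rule_apps) - set(rule_apps)


def host_matches(pattern: str, host: str) -> bool:
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern


def url_in_category(url: str, category: str) -> bool:
    """True when the URL's host is listed in the custom URL category."""
    host = (urlsplit(url if "://" in url else "https://" + url).hostname or "").lower()
    return any(host_matches(p.lower(), host) for p in CUSTOM_URL_CATEGORIES[category])


def check_outbound(rule_apps: Set[str], category: str, app: str, url: str) -> str:
    """Explain how the App-ID plus custom-URL-category rule treats one connection."""
    if app not in rule_apps:
        return "blocked: application not in rule"
    missing = missing_dependencies(rule_apps)
    if missing:
        return "broken: rule is missing dependencies " + ", ".join(sorted(missing))
    if not url_in_category(url, category):
        return "blocked: destination not in " + category
    return "allowed"


if __name__ == "__main__":
    print(check_outbound({"ms-update"}, "Win-Update-Servers", "ms-update",
                         "https://dl.windowsupdate.example.test/"))   # broken: missing ssl
    print(check_outbound({"yum"}, "CentOS-Update-Servers", "yum",
                         "https://mirror.example-centos.test/7/os/"))  # allowed
    print(check_outbound({"yum"}, "CentOS-Update-Servers", "yum",
                         "https://unlisted-mirror.test/7/os/"))        # blocked: destination
```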
STEP 2 | Allow data center servers to access DNS and NTP update servers.
This rule shows how to restrict access to DNS and NTP update servers on the internet so that
data center servers communicate only with legitimate, known servers. This example allows IT
data center servers to access DNS and NTP update servers and restricts communication to
using only the necessary applications to establish connections to only the right set of update
servers.
STEP 3 | Allow data center servers to access certificate authority servers to obtain the revocation
status of digital certificates and ensure that they are valid.
This rule enables data center servers to connect to an Online Certificate Status Protocol
(OCSP) Responder (server) on the internet to check the revocation status of authentication
certificates. An OCSP Responder provides more current certificate status than a browser's
Certificate Revocation List (CRL), which is only as fresh as the browser's last CRL download,
so a CRL is more likely to be out of date than an OCSP Responder. When you configure a
certificate profile on the firewall, you can set up CRL status verification as a fallback method
for OCSP in case the OCSP Responder is unreachable.
Verify that only the applications you explicitly allowed in the Security policy rules are running
by viewing the predefined Applications report (Monitor > Reports > Application Reports >
Applications). If you see unexpected applications in the report, review the application allow rules
and refine them so that they don't allow the unexpected applications.
The Decryption policy rules share some common elements in regard to these traffic flows:
• When you create a Decryption policy rule, the objective is to decrypt traffic so that a Security
policy rule can examine it and allow or block it based on policy. To accomplish that, the
Decryption policy rule must use the same source zone(s) and user(s) as the analogous Security
policy rule, and the same destination zone and address (often defined by a dynamic address
group so that as you add or remove servers, you can update the firewall without a commit
operation). Defining the same source and destination in the Security policy and in the
Decryption policy applies both policies to the same traffic.
• The Action for all of these rules is decrypt.
• For each rule, configure decryption logging and log forwarding. Log as much decryption traffic
as your firewall resources permit.
• All of these decryption rules use the best practice data center decryption profile shown in
Create the Data Center Best Practice Decryption Profiles.
In many cases, the Decryption policy rule examples include a custom URL category (Objects >
Custom Objects > URL Category) to narrow the scope of traffic to decrypt. Each Decryption
policy rule uses the same custom URL category (and source and destination) as the analogous
Security policy rule so that the Decryption and Security policies apply to exactly the same traffic.
The combination of App-ID and a custom URL category enables the firewall to decrypt only the
traffic the rule allows, which saves processing cycles by not decrypting traffic that the firewall will
block. (Decryption must happen before Security policy rule evaluation.)
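The parity requirement above (same source zones and users, same destination zone and address, same custom URL category, action decrypt, the best practice profile, logging and log forwarding on) is easy to drift from as rules are edited over time. The following is an added example written for this edition, not code from the guide or from Palo Alto Networks: a small offline check over a pairing of Decryption rules to their analogous Security rules. The rule names, zone names, address groups, URL categories and the profile name DC-Best-Practice-Decryption are assumptions modelled on the examples in this guide, not an export from a firewall; in practice you would populate the Rule objects from a configuration export.

```python
"""Consistency check for paired Security and Decryption policy rules.

Added example (not from the guide). Rule names, zones, address groups, URL
categories and the profile name below are assumptions modelled on the guide's
examples, not a firewall export.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Rule:
    name: str
    source_zones: FrozenSet[str]
    source_users: FrozenSet[str]
    dest_zones: FrozenSet[str]
    dest_addresses: FrozenSet[str]   # address objects or dynamic address groups
    url_category: str                # custom URL category ("" if none)
    action: str                      # 'allow' (Security) or 'decrypt' (Decryption)
    profile: str = ""                # decryption profile name (Decryption rules only)
    log_session_end: bool = False
    log_forwarding: str = ""         # log forwarding profile name


# Fields that must be identical so both policies apply to exactly the same traffic.
MATCH_FIELDS = ("source_zones", "source_users", "dest_zones",
                "dest_addresses", "url_category")

BEST_PRACTICE_PROFILE = "DC-Best-Practice-Decryption"   # assumed profile name


def check_pair(security: Rule, decryption: Rule,
               required_profile: str = BEST_PRACTICE_PROFILE) -> List[str]:
    """Return findings for one Security/Decryption pair; [] means consistent."""
    findings = []
    for attr in MATCH_FIELDS:
        if getattr(security, attr) != getattr(decryption, attr):
            findings.append(f"{decryption.name}: {attr} differs from {security.name}")
    if decryption.action != "decrypt":
        findings.append(f"{decryption.name}: action is {decryption.action!r}, expected 'decrypt'")
    if decryption.profile != required_profile:
        findings.append(f"{decryption.name}: profile {decryption.profile!r} "
                        f"is not {required_profile!r}")
    if not decryption.log_session_end:
        findings.append(f"{decryption.name}: Log at Session End is off")
    if not decryption.log_forwarding:
        findings.append(f"{decryption.name}: no log forwarding profile")
    return findings


def audit(security_rules: Dict[str, Rule], decryption_rules: Dict[str, Rule],
          pairs: Dict[str, str]) -> Dict[str, List[str]]:
    """pairs maps each Decryption rule name to its analogous Security rule name."""
    return {dec: check_pair(security_rules[sec], decryption_rules[dec])
            for dec, sec in pairs.items()}


# Constructed sample rules (assumed names modelled on the guide's examples).
DC_ZONES = frozenset({"Web-Server-Tier-DC", "App-Server-Tier-DC", "DB-Server-Tier-DC"})

SECURITY = {
    "DC-to-CentOS-Update": Rule(
        "DC-to-CentOS-Update", DC_ZONES, frozenset({"any"}), frozenset({"Internet"}),
        frozenset({"CentOS-Update-Servers"}), "CentOS-Update-Sites", "allow"),
    "DC-to-DNS-NTP-Update": Rule(
        "DC-to-DNS-NTP-Update", DC_ZONES, frozenset({"any"}), frozenset({"Internet"}),
        frozenset({"DNS-NTP-Update-Servers"}), "DNS-NTP-Update-Sites", "allow"),
}

DECRYPTION = {
    # Mirrors its Security rule exactly: no findings expected.
    "Decrypt-DC-to-CentOS-Update": Rule(
        "Decrypt-DC-to-CentOS-Update", DC_ZONES, frozenset({"any"}),
        frozenset({"Internet"}), frozenset({"CentOS-Update-Servers"}),
        "CentOS-Update-Sites", "decrypt", BEST_PRACTICE_PROFILE, True, "Forward-to-Panorama"),
    # Drifted: missing one tier zone, no URL category, default profile, no forwarding.
    "Decrypt-DC-to-DNS-NTP-Update": Rule(
        "Decrypt-DC-to-DNS-NTP-Update",
        frozenset({"Web-Server-Tier-DC", "App-Server-Tier-DC"}), frozenset({"any"}),
        frozenset({"Internet"}), frozenset({"DNS-NTP-Update-Servers"}),
        "", "decrypt", "default", True, ""),
}

PAIRS = {"Decrypt-DC-to-CentOS-Update": "DC-to-CentOS-Update",
         "Decrypt-DC-to-DNS-NTP-Update": "DC-to-DNS-NTP-Update"}

if __name__ == "__main__":
    for rule, findings in audit(SECURITY, DECRYPTION, PAIRS).items():
        print(rule, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

The drifted rule in the sample produces four findings (source zones, URL category, profile, log forwarding). A real run would feed the same check from a configuration export; the point is that the pairing itself is the thing to audit, because a Decryption rule that matches a narrower or wider set of traffic than its Security rule silently leaves some allowed traffic encrypted and uninspected.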
STEP 1 | Decrypt traffic between data center servers and software update servers on the internet.
This rule shows how to decrypt data center server software update traffic to provide visibility
into threats that may be present on internet update servers so the firewall can block them. This
example decrypts allowed traffic between data center servers and CentOS update servers on
the internet based on the analogous application allow rule we created in Create Data-Center-
to-Internet Application Allow Rules.
STEP 2 | Decrypt traffic between data center servers and NTP and DNS update servers on the
internet.
This rule shows how to decrypt data center server NTP and DNS update traffic to provide
visibility into threats that may be present on these internet servers so the firewall can block
them. This example decrypts allowed traffic based on the analogous application allow rule we
created in Create Data-Center-to-Internet Application Allow Rules.
For unknown commercial applications, you can submit a request to Palo Alto Networks to
create an App-ID.
If you have existing Application Override policies that you created solely to define custom session
timeouts for a set of ports, convert them to application-based policies: configure service-based
session timeouts to maintain the custom timeout for each application, and then migrate each
rule to an application-based rule. Application Override policies are port-based. When you use
Application Override policies to maintain custom session timeouts for a set of ports, you lose
application visibility into those flows, so you neither know nor control which applications use
the ports. Service-based session timeouts achieve custom timeouts while also maintaining
application visibility.
• Intra-Data-Center Traffic Security Approach
• Create Intra-Data-Center Application Allow Rules
• Create Intra-Data-Center Decryption Policy Rules
Misconception: The data center is safe inside the trusted network, so it's not urgent to patch
data center servers quickly.
Risk: Vulnerabilities remain open longer and present attack vectors to attackers.
Best practice: Install patches on data center servers in a timely manner to close down
vulnerabilities. Creating allow list Security policy rules helps you understand what is running
in your data center and where unpatched services are running.
In addition:
• Create a unique service account for each function. For example, allow only specific service
accounts to replicate Exchange mailboxes, and allow only specific service accounts on web
servers to query MySQL databases. Don't use one service account for both functions.
• Monitor service accounts.
• Don't allow regular user accounts in the data center.
When you transition from port-based to application-based rules, in the rulebase, place the
application-based rule above the port-based rule it will replace. Reset the policy rule hit
counter for both rules. If traffic hits the port-based rule, its policy rule hit count increases.
Tune the application-based rule until no traffic hits the port-based rule for a period of time,
then remove the port-based rule.
The WildFire security profile identifies unknown malware attempting to spread among
data center servers and helps prevent the exfiltration of data by discovering malware before it
can do damage. If you can't use the WildFire global cloud, you can deploy a WildFire
private cloud or a WildFire hybrid cloud.
The example Security policy rules in this section show how to allow traffic for multi-tier data
center finance applications that require using the web server, application server, and database
server tiers to serve the applications. The example includes two proprietary internal applications
for which we created custom applications: Billing-App and Payment-App. Creating custom App-
IDs for these applications enables the firewall to identify them, control them, and apply Security
policy to them. Don't allow unknown applications in the data center because you can't identify
and apply security to them, and they may indicate an adversary in your data center. Every data
center application should have an App-ID.
Tag all sanctioned applications with the predefined Sanctioned tag. Panorama and
firewalls consider applications without the Sanctioned tag as unsanctioned applications.
Order the Data Center Security Policy Rulebase shows you how to order these rules with all of the
other rules we create for the other three data center traffic flows and the block rules so that no
rule shadows another rule.
To apply consistent security policy across multiple data centers, you can reuse templates
and template stacks so that the same policies apply to every data center. The templates
use variables to apply device-specific values such as IP addresses, FQDNs, etc., while
maintaining a global security policy and reducing the number of templates and template
stacks you need to manage.
STEP 2 | Allow finance application traffic between the application server tier and the database server
tier.
This rule restricts the traffic that can flow between the application server tier and the database
server tier for the Finance department's billing servers so that only traffic using legitimate
applications can flow between the billing application servers and the billing database servers.
The rule uses dynamic address groups to specify the servers in each application tier: Billing-
App-Servers specifies the addresses of the servers in the application server tier and DB2-
Servers specifies the addresses of the servers in Finance's database server tier.
Verify that only the applications you explicitly allowed in the Security policy rules are running
by viewing the predefined Applications report (Monitor > Reports > Application Reports >
Applications). If you see unexpected applications in the report, review the application allow rules
and refine them so that they don't allow the unexpected applications.
STEP 1 | Decrypt finance application traffic between the web server tier and the application server
tier.
This rule decrypts the traffic flowing between the web server tier and the application server
tier for the Finance department's billing servers so that the firewall can see the traffic and
protect the servers in each tier against potential threats.
STEP 2 | Decrypt finance application traffic between the application server tier and the database
server tier.
This rule decrypts the traffic flowing between the application server tier and the database
server tier for the Finance department's billing servers so that the firewall can see the traffic
and protect the servers in each tier against potential threats.
Only the specified users can use only the specified applications on their default ports to access
only the specified data center destination servers (addresses). Security profiles protect all of these
allow rules against threats. These rules precede block rules that discover unknown users and
applications on the network because these rules are very specific and they prevent sanctioned
users and applications from matching more general rules lower in the rulebase.
Rules 8-9: While the preceding rules allow sanctioned applications, the next two rules, created in
Create Data Center Traffic Block Rules, discover and block unexpected applications from users on
standard ports and block all applications on non-standard ports. (Your deployment may have more
user zones than shown in the example.)
Traffic from non-user zones doesn't match these rules. Place these rules above the application
blocking rules (rules 18 and 19) or those rules will shadow these rules. (Traffic that matches these
two rules may also match the more general application blocking rules. If the application blocking
rules come first and match traffic that also matches these rules, that traffic won't match these
rules and won't be logged separately, so the rules won't do their intended job of differentiating
blocking that is the result of employee user activity from blocking that is the result of activity from
non-user zones.)
Rules 10-16: The next seven rules allow traffic between the data center and the internet and
within the data center (created in Create Internet-to-Data-Center Application Allow Rules, Create
Data-Center-to-Internet Application Allow Rules, and Create Intra-Data-Center Application Allow
Rules). Security profiles protect all of these allow rules against threats.
Rules 17-20: The last four rules, configured in Create Data Center Traffic Block Rules, block
applications that you know you don't want in your data center and unexpected applications, and
discover unknown users on your network.
Rule 17 blocks applications you never want in your data center. This rule comes after the
application allow rules to enable access for exceptions. For example, you may sanction one or
two file sharing applications in application allow rules that precede this block rule, and then
the application filter in this rule blocks the rest of that application type to prevent the use of
unsanctioned file sharing applications. If there are sets of applications or individual applications
that you never want on your network and for which there are no exceptions, for example,
BitTorrent, you can create a specific block rule to block just those applications and place it at the
top of the rulebase, above the application allow rules. However, if you do this, you must be certain
that none of the blocked applications have legitimate business uses because users will not be able
to access them.
Rules 18 and 19 are analogous to rules 8 and 9, which discover unexpected applications from
users (the traffic those rules apply to comes only from user zones). Rules 18 and 19 discover
unexpected applications from all other zones. Having separate rules enables you to log blocking
rule matches with greater granularity.
Rule 20 discovers unknown users so that you can log those attempted accesses separately for
easier investigation.
As with all Security policy rulebases, the final two rules will be the Palo Alto Networks default
rules for intrazone traffic (allow) and interzone traffic (deny).
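The ordering requirement in this walk-through (rules 8 and 9 above rules 18 and 19) is a shadowing question: a later rule is fully shadowed when an earlier rule's match criteria cover everything the later rule could match, so the later rule never records a hit and its separate log entries never appear. The firewall reports shadowed rules as a commit warning; the following is an added example written for this edition, not code from the guide or from Palo Alto Networks, that performs the same full-coverage check offline so you can test a proposed rule order before committing it. The block rule names follow the custom report query used later in this guide; the user zone names, the destination zones and the 'application-default' service value are assumptions.

```python
"""Full-shadow check for an ordered Security policy rulebase.

Added example (not from the guide). A later rule is shadowed when an earlier
rule covers every value of every match field the later rule uses. Zone names
and the service value are assumptions; rule names follow the guide's report
query.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

ANY = None  # 'any' in a match field: covers every value


@dataclass(frozen=True)
class Rule:
    name: str
    source_zones: Optional[FrozenSet[str]]
    dest_zones: Optional[FrozenSet[str]]
    source_users: Optional[FrozenSet[str]]
    applications: Optional[FrozenSet[str]]
    services: Optional[FrozenSet[str]]   # {'application-default'} or ANY
    action: str


MATCH_FIELDS = ("source_zones", "dest_zones", "source_users",
                "applications", "services")


def covers(earlier: Optional[FrozenSet[str]], later: Optional[FrozenSet[str]]) -> bool:
    """Does the earlier rule's field include every value the later rule matches?"""
    if earlier is ANY:
        return True
    if later is ANY:
        return False
    return earlier >= later


def shadowed_rules(rulebase: List[Rule]) -> List[Tuple[str, str]]:
    """Return (shadowed_rule, shadowing_rule) pairs; only the first shadowing rule is reported."""
    result = []
    for i, later in enumerate(rulebase):
        for earlier in rulebase[:i]:
            if all(covers(getattr(earlier, f), getattr(later, f)) for f in MATCH_FIELDS):
                result.append((later.name, earlier.name))
                break
    return result


USER_ZONES = frozenset({"Users", "IT-Users"})   # assumed user zone names
DC_ZONES = frozenset({"Web-Server-Tier-DC", "App-Server-Tier-DC", "DB-Server-Tier-DC"})
APP_DEFAULT = frozenset({"application-default"})

# Rules 8 and 9 from the walk-through: block rules scoped to user zones.
RULE_8 = Rule("Unexpected-App-from-User-Zone", USER_ZONES, DC_ZONES, ANY, ANY, APP_DEFAULT, "deny")
RULE_9 = Rule("Unexpected-User-App-Any-Port", USER_ZONES, DC_ZONES, ANY, ANY, ANY, "deny")
# Rules 18 and 19: the same blocks from any source zone.
RULE_18 = Rule("Unexpected-App-from-Any-Zone", ANY, DC_ZONES, ANY, ANY, APP_DEFAULT, "deny")
RULE_19 = Rule("Unexpected-App-Any-Port", ANY, DC_ZONES, ANY, ANY, ANY, "deny")

CORRECT_ORDER = [RULE_8, RULE_9, RULE_18, RULE_19]
WRONG_ORDER = [RULE_18, RULE_19, RULE_8, RULE_9]

if __name__ == "__main__":
    print("correct order:", shadowed_rules(CORRECT_ORDER))
    print("wrong order:  ", shadowed_rules(WRONG_ORDER))
```

With the user-zone rules first, nothing is shadowed. With the any-zone rules first, rule 8 is shadowed by rule 18 and rule 9 by rule 19, which is exactly the loss of per-zone logging the text warns about. The check deliberately ignores the action: a shadowed rule is dead whether the earlier rule allows or denies, and a deny rule shadowing an allow rule is how a legitimate application gets blocked after a reorder.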
If you use Panorama to manage firewalls, you can monitor firewall health to compare
devices to their baseline performance and to each other to identify deviations from normal
behavior.
Configure log forwarding from firewalls to Panorama or to external services such as an SNMP trap
server or a syslog server to centralize the logs from multiple firewalls for more convenient viewing
and analysis (a firewall can only display local logs and reports, not logs and reports from other
firewalls). When you configure log forwarding, also configure notifications so that you can verify
that the log destinations you configure are receiving the firewall logs.
Best practices for data center logging and monitoring include:
• What Data Center Traffic to Log and Monitor
• Monitor Data Center Block Rules and Tune the Rulebase
• Log Data Center Traffic That Matches No Interzone Rules
• Log Intra Data Center Traffic That Matches the Intrazone Allow Rule
However, the firewall does not forward logs by default and does not apply Security profiles by
default. The preceding example shows the best practice of forwarding logs to the appropriate log
servers and administrators and applying best practice Security profiles.
The best practice for most traffic is to Log at Session End because applications often change
throughout the lifespan of a session. For example, the initial App-ID for a session may be web-
browsing, but after the firewall processes a few packets, the firewall may find a more specific App-
ID for the application and change the App-ID. There are several use cases for logging traffic at
the start of a session, including DNS sinkholing, long-lived tunnel sessions, and when you need
information from the start of the session for troubleshooting.
Logging the traffic records information about traffic that a rule allows and traffic that
a rule denies or drops (rule violations), so the firewall provides valuable information
regardless of how it treats the traffic. Rule violations highlight potential attacks or
allow rules that need to be adjusted to allow a legitimate business application.
When you examine blocked traffic in logs, differentiate between traffic that the firewall blocked
as a protective event before any systems have been compromised, such as blocking an application
that isn't allowed, and traffic that the firewall blocked as a post-compromise event, for example,
an attempt by malware that is already on a data center server to contact an external server to
download more malware or exfiltrate data.
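The distinction drawn above (a protective block of user traffic that never reached a server versus a blocked connection that a data center server itself initiated) is a triage rule that can be applied mechanically to the traffic log. The following is an added example written for this edition, not code from the guide or from Palo Alto Networks. The log lines are constructed for the example in a simplified comma-separated layout, not the PAN-OS CSV export format, and the zone names, addresses and rule names are assumptions modelled on this guide; against real logs you would map the firewall's own field names onto the same zone logic.

```python
"""Triage blocked sessions into pre- and post-compromise indicators.

Added example (not from the guide). The log lines, zones, addresses and rule
names are constructed assumptions in a simplified layout, not PAN-OS export
format or real firewall output.
"""
import csv
import io
from collections import Counter
from typing import Dict, List

USER_ZONES = {"Users", "IT-Users"}
DC_ZONES = {"Web-Server-Tier-DC", "App-Server-Tier-DC", "DB-Server-Tier-DC"}
INTERNET_ZONES = {"Internet"}

FIELDS = ["from_zone", "to_zone", "src", "dst", "app", "rule", "action"]

# Constructed sample log lines (not real firewall output).
SAMPLE_LOG = """\
Users,Web-Server-Tier-DC,10.10.1.23,10.20.1.10,web-browsing,Finance-Web-Access,allow
Users,Web-Server-Tier-DC,10.10.1.45,10.20.1.10,bittorrent,Block-Bad-Apps,deny
IT-Users,DB-Server-Tier-DC,10.10.2.7,10.20.3.5,ssh,Unexpected-App-from-User-Zone,deny
Users,App-Server-Tier-DC,10.10.1.99,10.20.2.8,unknown-tcp,Discover-Unknown-Users,deny
Web-Server-Tier-DC,Internet,10.20.1.10,203.0.113.77,ssl,Unexpected-App-from-Any-Zone,deny
App-Server-Tier-DC,DB-Server-Tier-DC,10.20.2.8,10.20.3.5,ms-rdp,Unexpected-App-Any-Port,deny
App-Server-Tier-DC,DB-Server-Tier-DC,10.20.2.8,10.20.3.5,mysql,Billing-App-to-DB,allow
"""


def classify(entry: Dict[str, str]) -> str:
    """Label one log entry for triage."""
    if entry["action"] == "allow":
        return "allowed"
    src, dst = entry["from_zone"], entry["to_zone"]
    if entry["rule"] == "Discover-Unknown-Users":
        return "unknown-user"               # unmapped user: fix User-ID or investigate
    if src in USER_ZONES:
        return "protective-block"           # stopped before any server was touched
    if src in DC_ZONES and dst in INTERNET_ZONES:
        return "possible-post-compromise"   # a server initiating unexpected outbound traffic
    if src in DC_ZONES and dst in DC_ZONES:
        return "possible-lateral-movement"  # server-to-server app not in the allow list
    return "review"


def parse(text: str) -> List[Dict[str, str]]:
    """Parse the simplified constructed log layout into dicts keyed by FIELDS."""
    return list(csv.DictReader(io.StringIO(text), fieldnames=FIELDS))


def triage(text: str) -> Counter:
    """Count entries per triage label."""
    return Counter(classify(e) for e in parse(text))


def high_priority(text: str) -> List[Dict[str, str]]:
    """Entries to look at first: blocks that a data center server itself originated."""
    return [e for e in parse(text)
            if classify(e) in ("possible-post-compromise", "possible-lateral-movement")]


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
    for e in high_priority(SAMPLE_LOG):
        print(e["from_zone"], "->", e["to_zone"], e["app"], e["rule"])
```

On the sample, the two blocks that matter most are the web tier server reaching out to the internet over ssl and the application tier server trying ms-rdp to a database server: both were denied, but a denied outbound connection from a server that should only ever answer requests is evidence that something on that server is already running, and it deserves a host investigation rather than a rulebase tweak.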
The firewall provides a wealth of monitoring tools, logs, and log reports with which to analyze your
network:
• Monitor > Logs provides traffic, threat, User-ID, and many other log types, including Unified
logs, which show multiple log types on one screen so you don't have to look at different types
of logs separately. When a magnifying glass icon is part of the summary, you can click it to drill
down into the log entry.
• Monitor > PDF Reports provides predefined reports that you can view and the ability to create
report groups composed of predefined and custom reports. For example, you can review traffic
activity or take baseline measurements to understand the bandwidth usage and traffic flow in
each data center segment by zone or interface.
• Monitor > Manage Custom Reports provides the ability to create customized reports so that
you can view information about block rules, allow rules, or any other subject of interest.
• Monitor > Packet Capture enables you to take packet captures of traffic that traverses the
firewall's network (data plane) interfaces; captures on the management interface are taken from
the CLI with tcpdump.
• The Application Command Center (ACC) provides widgets that display an interactive, graphical
summary of the applications, users, URLs, threats, and content traversing the network. For
example, you can review and evaluate the applications on the network (ACC > Network
Activity > Application Usage > Threats) to see if there are any changes in the application or if
the application exhibits threat behaviors. If you see unexpected applications in the list, evaluate
how to handle those applications.
Another good way to use ACC information is to help identify compromised user accounts and
host systems. Analyze threats along with the usernames associated with the threats using
the ACC > Network Activity > User Activity > Threats widget and then use the threat logs to
isolate the exact issue.
• The Dashboard (Dashboard) provides widgets that display general firewall information and up
to 10 of the most recent entries in the threat, configuration, and system logs.
• Use Panorama to monitor firewall health and baseline new devices, to compare performance
metrics, and to track firewall performance after an event such as a commit, a software upgrade,
content updates, rule changes, the addition of new applications, etc. If performance deviates
from a device's baseline, you can view and troubleshoot manually or automatically open a ticket
for investigation.
• On Panorama or on an individual firewall, use the policy rule hit counter to analyze changes to
the rulebase. For example, when you add a new application, before you allow that application's
traffic on the network, add the allow rule to the rulebase. If traffic hits the rule and increments
the counter, it indicates traffic that matches the rule may already be on the network even
though you haven't activated the application, or that you need to tune the rule. Another
example is replacing port-based rules with application-based rules by placing the application-
based rule before the port-based rule and noting if any traffic hits the port-based rule. If traffic
hits the port-based rule, then you need to tune the application-based rule to catch that traffic.
In conjunction with the policy rule hit counter, check the ACC > Threat Activity > Applications
Using Non Standard Ports and the ACC > Threat Activity > Rules Allowing Apps On Non
Standard Ports widgets to see if traffic on non-standard ports caused the unexpected rule hits.
The key to using the policy rule hit counter is to reset the counter when you make a
change, such as introducing a new application or changing a rule's meaning. Resetting
the hit counter ensures that you see the result of the change, not results that include
the change and events that happened before the change.
Follow content update best practices to keep your firewall protection up-to-date.
Maintain the Data Center Best Practice Rulebase includes specific best practices for
data center firewalls.
STEP 1 | Create custom reports to monitor traffic that matches the block rules designed to identify
policy gaps and potential attacks.
1. Select Monitor > Manage Custom Reports.
2. Add a report and give it a Name that describes the report's purpose, in this example DC
Best Practice Policy Tuning.
3. Set the Database to Traffic Summary. This also changes the Available Columns options.
4. From Available Columns, add Source Zone, Destination Zone, Sessions, Bytes, Application,
Risk of App, Rule, and Threats to the Selected Columns list. If there are other types of
information you want to monitor, select those as well.
5. Select the Scheduled box.
6. Set the desired Time Frame, Sort By, and Group By values. In this example we set the Time
Frame to Last 7 Days, the Sort By to Apps, and the Group By to App Sub Category.
7. Define the query to match traffic hitting the rules designed to find policy gaps and potential
attacks. You can create a single report for traffic that matches any of the rules using the or
operator, or create individual reports to monitor each rule. In the Query Builder, specify the
name of each rule you want to include in the report. This example uses the six blocking rules
and uses the or operator to include information about traffic that matches any of the rules:
• (rule eq 'Discover-Unknown-Users')
• (rule eq 'Block-Bad-Apps')
• (rule eq 'Unexpected-App-from-User-Zone')
• (rule eq 'Unexpected-App-from-Any-Zone')
• (rule eq 'Unexpected-User-App-Any-Port')
• (rule eq 'Unexpected-App-Any-Port')
STEP 2 | Review the report (or reports) regularly to make sure you understand why traffic matches
each block rule and either update policy to include legitimate applications and users, or use
the information to assess the risk of traffic that matches the rules.
Log Intra Data Center Traffic That Matches the Intrazone Allow Rule
By default, all intrazone traffic (source and destination in the same zone) is allowed. After the
firewall evaluates Security policy, it either allows traffic controlled by application allow list rules,
denies traffic controlled by block rules, or, if intrazone traffic matches no rules, allows it
by default. (The firewall blocks interzone traffic by default.) Because of the valuable nature of data
center assets, the best practice is to monitor all traffic inside the data center between data center
servers, including traffic allowed by the intrazone-default allow rule.
To gain visibility into this traffic, enable logging on the intrazone-default rule when it applies
to traffic within zones inside the data center. Logging this traffic gives you the opportunity to
examine access that you have not explicitly allowed and which you may want to either explicitly
allow by modifying an allow rule or explicitly block.
In Define the Initial Intra-Data-Center Traffic Security Policy, we used three example zones inside
the data center: Web-Server-Tier-DC, App-Server-Tier-DC, and DB-Server-Tier-DC. In this
example, we create a custom report to gather log information about data center intrazone traffic
in these three internal data center zones.
STEP 1 | Select the intrazone-default row in the rulebase and click Override to enable editing the rule.
STEP 3 | On the Actions tab, select Log at Session End and click OK.
STEP 4 | Create a custom report to monitor traffic that hits this rule for the internal data center zones.
1. Select Monitor > Manage Custom Reports.
2. Add a report and give it a descriptive Name. In this example, the name is Log Intrazone-Default
Rule-DC.
3. Set the Database to Traffic Summary.
4. From Available Columns, add Source Zone, Destination Zone, Sessions, Bytes, Application,
Risk of App, Rule, and Threats to the Selected Columns list. If there are other types of
information you want to monitor, select those as well.
5. Select the Scheduled box.
6. Set the desired Time Frame, Sort By, and Group By values. In this example, Sort By is Threats
and Group By is App Category.
7. Define the query to match traffic that matches the intrazone-default rule for the data center
zones.
The query filters for traffic that matches the intrazone-default rule and also matches any of
the three internal data center zones that we defined. Because the Selected Columns include
zones, the report shows the zone for each session. In a real-world data center, you
would probably have more zones and you would add each zone to the query.
STEP 3 | On the Actions tab, select Log at Session End and click OK.
STEP 4 | Create a custom report to monitor traffic that hits this rule.
1. Select Monitor > Manage Custom Reports.
2. Add a report and give it a descriptive Name. In this example, the name is Log Interzone-Default
Rule.
3. Set the Database to Traffic Summary.
4. From Available Columns, add Source Zone, Destination Zone, Sessions, Bytes, Application,
Risk of App, Rule, and Threats to the Selected Columns list. If there are other types of
information you want to monitor, select those as well.
5. Select the Scheduled box.
6. Set the desired Time Frame, Sort By, and Group By values. In this example, the selected
values are Last 7 Days, Threats and App Category, respectively.
7. Define the query to match traffic that matches the interzone-default rule:
(rule eq interzone-default)
STEP 2 | If necessary, modify existing Security policy rules to accommodate the App-ID changes.
You can disable selected App-IDs if some App-IDs require more testing and install the rest
of the new App-IDs. Finish testing any necessary policy revisions before the next monthly
content release with new App-IDs arrives (third Tuesday of each month) to avoid overlap.
Over time, the list of applications used in the data center usually stabilizes, so fewer
and fewer new App-IDs are relevant. (Most new App-IDs pertain to internet-facing
applications.) This reduces the risk of new App-IDs creating an issue in the data center
and may enable you to install content updates with new App-IDs faster.
STEP 3 | Prepare policy updates to account for App-ID changes included in a content release or to add
new sanctioned applications to or remove applications from your allow rules.