paloaltofw.md

PaloAltoFW

The paloalto header designation has the following format:

target:: paloalto from-zone [zone name] to-zone [zone name] [address family] [address objects] [unique-term-prefixes]
  • from-zone: static keyword, followed by the source zone (required)
  • to-zone: static keyword, followed by the destination zone (required)
  • address family: specifies the address family for the resulting filter
    • inet: the filter should only render IPv4 addresses (default)
    • inet6: the filter should only render IPv6 addresses
    • mixed: the filter should render both IPv4 and IPv6 addresses
  • address objects: specifies whether custom address objects or network/mask definitions are used in the security policy source and destination fields
    • addr-obj: address groups are used in the security policy source and destination fields (default)
    • no-addr-obj: network/mask definitions are written directly into the security policy source and destination fields
  • unique-term-prefixes: optional keyword; when present, each term name is generated with a unique prefix, a hexdigest of the from_zone and to_zone fields, so that terms sharing a name across different zone pairs do not collide.
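The following is an added example, not capirca's own parser: a small reader for the header line in the format above. It enforces the two mandatory zones, applies the documented defaults (inet, addr-obj, no prefix), rejects unknown or repeated options, and derives the term prefix. The page says only that the prefix is "a hexdigest of from_zone and to_zone", so the choice of SHA-256 truncated to 8 hex characters, and joining prefix and term name with "-", are assumptions of this example.

```python
"""Reader for the paloalto header line documented above.

Added example, not capirca's own parser. Option names and defaults follow the
list above; the hash behind unique-term-prefixes is an assumption (the page
says only "a hexdigest of from_zone and to_zone").
"""
import hashlib
from dataclasses import dataclass

ADDRESS_FAMILIES = {"inet", "inet6", "mixed"}
ADDRESS_OBJECT_MODES = {"addr-obj", "no-addr-obj"}


@dataclass
class PaloAltoHeader:
    from_zone: str
    to_zone: str
    address_family: str = "inet"       # documented default
    address_objects: str = "addr-obj"  # documented default
    unique_term_prefixes: bool = False


def parse_header(target_line: str) -> PaloAltoHeader:
    """Parse 'target:: paloalto from-zone X to-zone Y [family] [objects] [unique-term-prefixes]'.

    Both zones are mandatory; the trailing options may come in any order, and
    an unknown or repeated option is an error rather than something silently ignored.
    """
    tokens = target_line.split()
    if tokens[:2] != ["target::", "paloalto"]:
        raise ValueError(f"not a paloalto target line: {target_line!r}")
    rest = tokens[2:]
    if len(rest) < 4 or rest[0] != "from-zone" or rest[2] != "to-zone":
        raise ValueError("expected 'from-zone <zone> to-zone <zone>' after 'paloalto'")
    hdr = PaloAltoHeader(from_zone=rest[1], to_zone=rest[3])
    seen = set()
    for opt in rest[4:]:
        if opt in ADDRESS_FAMILIES:
            kind, hdr.address_family = "address family", opt
        elif opt in ADDRESS_OBJECT_MODES:
            kind, hdr.address_objects = "address objects", opt
        elif opt == "unique-term-prefixes":
            kind, hdr.unique_term_prefixes = "unique-term-prefixes", True
        else:
            raise ValueError(f"unknown paloalto header option: {opt!r}")
        if kind in seen:
            raise ValueError(f"{kind} given twice in header: {opt!r}")
        seen.add(kind)
    return hdr


def term_prefix(hdr: PaloAltoHeader) -> str:
    """Prefix that keeps term names unique across zone pairs; empty unless requested.

    Assumption: SHA-256 over from_zone + to_zone, truncated to 8 hex characters.
    """
    if not hdr.unique_term_prefixes:
        return ""
    return hashlib.sha256(f"{hdr.from_zone}{hdr.to_zone}".encode()).hexdigest()[:8]


def rule_name(hdr: PaloAltoHeader, term_name: str) -> str:
    """Security-policy rule name for a term (prefix joined with '-' is an assumption)."""
    prefix = term_prefix(hdr)
    return f"{prefix}-{term_name}" if prefix else term_name


if __name__ == "__main__":
    # Constructed sample headers, not from any real policy: same term name, two zone pairs.
    trust = parse_header("target:: paloalto from-zone trust to-zone untrust mixed unique-term-prefixes")
    dmz = parse_header("target:: paloalto from-zone dmz to-zone untrust unique-term-prefixes")
    print(rule_name(trust, "allow-web"), rule_name(dmz, "allow-web"))
```

Rejecting a repeated address family (for example `inet inet6`) instead of letting the last one win is a deliberate choice: a header that quietly renders only IPv6 when the author also asked for IPv4 is the kind of silent policy gap a review should catch.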

Term Format

  • action:: The action to take when matched. See the Actions section for valid options.
  • comment:: A text comment enclosed in double quotes. The comment can extend over multiple lines if desired, until a closing quote is encountered.
  • destination-address:: One or more destination address tokens.
  • destination-port:: One or more service definition tokens.
  • expiration:: Stop rendering this term after the specified date (YYYY-MM-DD).
  • icmp-type:: Specify the icmp-type code to match; see the ICMP TYPES section for the list of valid arguments.
  • logging:: Specify that this packet should be logged via syslog.
  • name:: Name of the term.
  • owner:: Owner of the term, used for organizational purposes.
  • platform:: One or more target platforms for which this term should ONLY be rendered.
  • protocol:: The network protocols this term will match, such as tcp, udp, icmp, or a numeric value.
  • source-address:: One or more source address tokens.
  • source-port:: One or more service definition tokens.
  • timeout:: Specify the application timeout (default 60).

Sub Tokens

Actions

  • accept
  • count
  • deny
  • log
  • reject

Terms Section

Optionally Supported Keywords

  • pan-application:: paloalto target only. Specify applications for the security policy, which can be predefined applications (https://applipedia.paloaltonetworks.com/) or custom application objects.

    • Security Policy Service Setting

      When no protocol is specified in the term, the service will be application-default.

      When protocol is tcp or udp and no source-port or destination-port is specified, the service will be custom service objects for those protocols covering all ports (0-65535).

      When protocol is tcp or udp and a source-port or destination-port is specified, the service will be custom service objects for those protocols and ports.

      pan-application can only be used when the term specifies no protocol, or only the protocols tcp and udp.
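The following is an added example, not capirca's own parser or generator. It serves both the Term Format section and the Security Policy Service Setting rules just above: it reads terms in the documented `key:: value` syntax (including a double-quoted comment that spans lines and the YYYY-MM-DD expiration), skips expired terms, and then picks the service field according to the rules above, rejecting pan-application on a protocol other than tcp or udp. The sample policy is constructed for the example, the custom service object names it emits are an assumption, and the service for non-tcp/udp protocols without pan-application is outside the rules above and is reported as not covered.

```python
"""Terms in the documented 'key:: value' syntax, and the service each one gets.

Added example, not capirca's own code. The custom service object names are an
assumption for illustration; everything else follows the rules above.
"""
import datetime
import re

TERM_RE = re.compile(r"term\s+([\w-]+)\s*\{(.*?)^\s*\}", re.S | re.M)
FIELD_RE = re.compile(r"^\s*([a-z-]+)::\s*(.*)$")
PORT_PROTOCOLS = ("tcp", "udp")  # the only protocols a custom service object carries


def parse_terms(policy_text: str) -> list:
    """One dict per term: 'name', optional 'comment' (str), every other field a list."""
    terms = []
    for match in TERM_RE.finditer(policy_text):
        term = {"name": match.group(1)}
        lines = match.group(2).splitlines()
        i = 0
        while i < len(lines):
            field = FIELD_RE.match(lines[i])
            i += 1
            if not field:
                continue  # blank line
            key, value = field.group(1), field.group(2).strip()
            if key == "comment":
                # The comment runs until its closing quote, which may be lines later.
                while value.count('"') < 2 and i < len(lines):
                    value += "\n" + lines[i].strip()
                    i += 1
                term["comment"] = value.strip('"')
            else:
                term.setdefault(key, []).extend(value.split())
        terms.append(term)
    return terms


def is_active(term: dict, today: datetime.date) -> bool:
    """A term with 'expiration:: YYYY-MM-DD' is rendered up to and including that date."""
    if "expiration" not in term:
        return True
    return today <= datetime.date.fromisoformat(term["expiration"][0])


def service_setting(term: dict) -> list:
    """application-default with no protocol; otherwise one custom service per tcp/udp
    protocol, for all ports (0-65535) or for the listed source/destination ports."""
    protocols = term.get("protocol", [])
    if not protocols:
        return ["application-default"]
    other = [p for p in protocols if p not in PORT_PROTOCOLS]
    if other and term.get("pan-application"):
        raise ValueError(f"{term['name']}: pan-application needs tcp/udp or no protocol, got {other}")
    if other:
        raise NotImplementedError(f"{term['name']}: service for {other} is not covered by the rules above")
    src, dst = term.get("source-port", []), term.get("destination-port", [])
    if not src and not dst:
        return [f"{p}-0-65535" for p in protocols]
    suffix = "-".join((["src"] + src if src else []) + (["dst"] + dst if dst else []))
    return [f"{p}-{suffix}" for p in protocols]


def render_services(policy_text: str, today: str) -> dict:
    """Map each term still active on `today` (YYYY-MM-DD) to its services or an error string."""
    today_date = datetime.date.fromisoformat(today)
    out = {}
    for term in parse_terms(policy_text):
        if is_active(term, today_date):
            try:
                out[term["name"]] = service_setting(term)
            except (ValueError, NotImplementedError) as err:
                out[term["name"]] = f"error: {err}"
    return out


SAMPLE_POLICY = """\
term allow-web {
  comment:: "Web browsing from the trust zone,
  restricted to the named applications."
  source-address:: INTERNAL
  destination-port:: HTTP HTTPS
  protocol:: tcp
  pan-application:: web-browsing ssl
  action:: accept
}
term dns-any-port {
  protocol:: udp
  pan-application:: dns
  action:: accept
}
term legacy-rdp {
  pan-application:: ms-rdp
  expiration:: 2020-01-01
  action:: accept
}
term bad-icmp-app {
  protocol:: icmp
  pan-application:: ping
  action:: accept
}
"""  # constructed sample, not from any real policy

if __name__ == "__main__":
    for name, service in render_services(SAMPLE_POLICY, "2024-06-01").items():
        print(f"{name}: {service}")
```

Run as-is, `allow-web` gets a tcp service for the listed ports, `dns-any-port` gets the udp all-ports service, `legacy-rdp` is dropped because its expiration has passed, and `bad-icmp-app` is reported as an error rather than rendered, which is the check you want before a policy reaches the firewall.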