A list of handy rules.

• Block all from IP
• Block all to IP
• Block all to sinkhole
• Block all to tcp/udp/port
• Block all from country
• Block all to country
• Block all application (e.g. quic, ssh-tunnel)
• Allow outside→outside (e.g. VPN, GlobalProtect, ping, firewall ping out,etc)
• Deny outside→outside any/any
• Allow outside→dmz
• Allow all application everywhere (e.g. ping, traceroute, icmp)
• Allow all application everywhere (e.g. ocsp (note that tcp-hand shake has to happen so we put in seperate rule)
• Allow user subnets to Internet
  • Block banned applications for user/group
  • Allow list of sanctioned applications for user/group
  • Allow list of tolorated applications for user/group
  • Allow ssl, web-browsing, google-base for user/group
  • Allow tcp-80, tcp-443 for user/group
  • Allow any (application-default) for user/group
  • Allow any any for user/group
• Allow users to servers
• Allow servers to internet
• Allow serverts to other

Be careful with Geo Blocking. Remember, Palo Alto Networks PAN-OS gets its Geo Location data from Max Mind. In August 2020, Max Mind changed 8.8.8.8 from being in “US” to being in “IN” (India). Anyone blocking access to India lost a lot of DNS capability until bypasses were put in place.

Having said that, some Geo Blocking countries for you consideration are

• IR Iran
• NK North Korea
• A1 Anonymous Proxies
• A2 Satellite Providers (e.g. to countries in central Africa)

Consider blocking

• App-ID quic
• App-ID ssh-tunnel
• UDP-433 (just in case this is not identified as quic. This will also catch some 'dtls' and 'facebook-base' and 'unknown-udp' and 'dnscrypt' and 'sip')
• TCP-853 (DNS over TLS)

When you enable a DNS proxy on the Palo, you will need to allow DNS connections to that IP from the clients. You will also need to allow that IP to connect to the upstream DNS servers.

For example, if you have an interface in a guest network 192.168.1.1/24 (Security zone SZ_Guest) and an interface in the server network 192.168.2.1/24 (security zone SZ_Server) and a DNS server in the server network 192.168.2.22, you could enable DNS proxy on the guest interface. You would need the following rules. Bear in mind that some DSN requested may be identified as other applications (e.g. sophos-live-protection) so you may want to think carefully about restricting traffic flow to the application 'dns'). If you add the other applications (e.g. sophos-live-protection) you will end up with dependency warnings at every commit. Personally, I consider this a bug but Palo Support does not so we are stuck with it.

(Notice with this specific rule that the default-intrazone rule will probably allow the traffic anyway but we list this rule here for clarity).

• Name: “Clients to DNS Proxy”
• From Zone: SZ_Guest
• From Address: 192.168.1.0/24
• To Zone: SZ_Guest
• To Address: 192.168.1.1
• Application: dns (or 'any')
• Service: application-default (or UDP-53 and TCP-53)

• Name: “DNS Proxy to DNS server”
• From Zone: SZ_Guest
• From Address: 192.168.1.1
• To Zone: SZ_Server
• To Address: 192.168.2.22
• Application: dns (or 'any')
• Service: application-default (or UDP-53 and TCP-53)

Of course, you do not have to have the proxy IP in the same zone as the guests. You could put the proxy in the Server zone interface (e.g. 192.168.2.1/24 in, through DHCP, have your guests connect to the Proxy through the firewall, in that case, you would need the following rule: You would probably not need a rule to allow DNS Proxy to the DNS server as they would be in the same zone and thus covered by the default-intrazone rule.

• Name: “Clients to DNS Proxy”
• From Zone: SZ_Guest
• From Address: 192.168.1.0/24
• To Zone: SZ_Server
• To Address: 192.168.2.1
• Application: dns (or 'any')
• Service: application-default (or UDP-53 and TCP-53)

App and Threat updates

Set the applications to

• paloalto-updates

Service should be

• TCP-443

You can also lock down the URL category by creating a custom one that blocks everything except the following URLS

• updates.paloaltonetworks.com
• proitpdownloads.plaoaltonetworks.com
• downloads.paloaltonetworks.com

To do static updates:

• us-static.updates.paloaltonetworks.com
• Avoid using an IP address instead of a URL. Doing so will break the SSL/TLS SNI verification.
• 35.186.202.45:443 and 34.120.74.244:443

• [2600:1901:0:669::]:443 and [2600:1901:0:5162::]:443

OLD INFORMATION THAT WAS RETIRED IN JULY 2021. To do static updates:

• staticupdates.paloaltonetworks.com
• 199.167.52.15

If a URL security profile is being used, ensure that it has set the Custom URL object for the above URLs to alert.

You can also lock down the destination IP if you set the update server to staticupdates.paloaltonetworks.com instead of the default updates.paloaltonetworks.com.

DNS Security Service

Set the applications to

• paloalto-dns-security
• ssl

Service should be

• TCP-443

You can also lock down the URL category by creating a custom one that blocks everything except the following URLS

• dns.service.paloaltonetworks.com

Threat Vault Lookup

Set the applications to

• ssl

Service should be

• TCP-443

You can also lock down the URL category by creating a custom one that blocks everything except the following URLS

• api.threatvault.paloaltonetworks.com

WildFire updates

Set the applications to

• paloalto-wildfire-cloud

Service should be

• TCP-443

You can also lock down the URL category by creating a custom one that blocks everything except the following URLS

• wildfire.paloaltonetworks.com (USA)
• *.wildfire.paloaltonetworks.com (USA)
• jp.wildfire.paloaltonetworks.com (Japan)
• *.jp.wildfire.paloaltonetworks.com (Japan)
• sg.wildfire.paloaltonetworks.com (Singapore)
• *.sg.wildfire.paloaltonetworks.com (Singapore)
• eu.wildfire.paloaltonetworks.com (Europe)
• *.eu.wildfire.paloaltonetworks.com (Europe)

If a URL security profile is being used, ensure that it has set the Custom URL object for the above URLs to alert.

Set the applications to

• pan-db-cloud

Service should be

• TCP-443

You can also lock down the URL category by creating a custom one that blocks everything except the following URLS

• *.urlcloud.paloaltonetworks.com

Or

• s0000.urlcloud.paloaltonetworks.com (PAN's datacentre)
• s0100.urlcloud.paloaltonetworks.com (us-east-1.amazonaws.com)
• s0200.urlcloud.paloaltonetworks.com (us-west-1.elb.amazonaws.com)
• s0300.urlcloud.paloaltonetworks.com (eu-west-1.elb.amazonaws.com)
• s0500.urlcloud.paloaltonetworks.com (ap-northeast-1.elb.amazonaws.com)
• pandb2dc10prod.urlcloud.paloaltonetworks.com (PANOS 9.0)
• pandb2dlprod.urlcloud.paloaltonetworks.com (PANOS 9.0)

To allow only Microsoft Windows updates, specify the source zone and IP (if applicable) and the external zone.

Set the applications to

• ms-update
• ssl

Service should be

• application-default

You can also lock down the URL category by creating a custom one that blocks everything except the following URLS*

• windowsupdate.microsoft.com
• *.microsoft.com
• *.windowsupdate.com/*

You may want this list to be in the both the rule's URL category as well as the URL secuirty profile applied to the rule (if applicable).

If a URL security profile is being used, ensure that it has set the Custom URL object for the above URLs to alert.

To allow only Microsoft Product activation, specify the source zone and IP (if applicable) and the external zone.

Set the applications to

• ms-product-activation

Service should be

• application-default

You can also lock down the URL category by creating a custom one that blocks everything except the following URLS*

• activation-v2.sls.microsoft.com
• validation-v2.sls.microsoft.com
• activation-v2.sls.microsoft.com/*
• validation-v2.sls.microsoft.com/*
• *.activation-v2.sls.microsoft.com/*
• *.validation-v2.sls.microsoft.com/*

You may want this list to be in the both the rule's URL category as well as the secuirty profile applied to the rule (if applicable).

• dns
• ntp
• ldap
• active-directory-base
• msrpc-base
• ms-dc-replication
• s-netlogon
• ms-ds-smbv3
• ms-ds-dmbbase

To allow the PAN firewall to access another PAN firewall (or Panorama) for UserID, you need the following rules. (Don't forget to enable User-ID as a service on the 'server' firewall's MGT interface).

• Name: “PAN MGT to PAN MGT”
• From Zone: SZ_MGT1
• From Address: 192.168.1.101
• To Zone: SZ_MGT2
• To Address: 192.168.2.102
• Application: paloalto-userid-agent
• Service: TCP-5007

To allow the PAN firewall to access a domain controller for User-ID, you need the following rules.

• Name: “PAN MGT to Domain Controller - Rule 1”
• From Zone: SZ_MGT
• From Address: 192.168.1.101
• To Zone: SZ_Server
• To Address: 192.168.2.22
• Application: msrpc-base and its dependencies (ms-ds-smb-base, netbios-ss)
• Service: TCP-135

• Name: “PAN MGT to Domain Controller - Rule 2”
• From Zone: SZ_MGT
• From Address: 192.168.1.101
• To Zone: SZ_Server
• To Address: 192.168.2.22
• Application: ms-wmi
• Service: TCP-5003

To allow the PAN firewall to access a domain controller for LDAP, you need the following rules.

• Name: “PAN MGT to Domain Controller - Rule 1”
• From Zone: SZ_MGT
• From Address: 192.168.1.101
• To Zone: SZ_Server
• To Address: 192.168.2.22
• Application: ldap
• Service: TCP-389

• Name: “PAN MGT to Domain Controller - Rule 2” (assuming it is not being decrypted)
• From Zone: SZ_MGT
• From Address: 192.168.1.101
• To Zone: SZ_Server
• To Address: 192.168.2.22
• Application: ssl
• Service: TCP-636

The Broker VM IP needs access to:

• ntp on default ports
• dns on default ports
• ssl on TCP-443 for URL 'brokerservice-eu.paloaltonetworks.com' 'pathfinder-docker.magnifier.paloaltonetworks.com' 'dl.magnifier.paloaltonetworks.com'
• paloalto-shared-services on TCP-443 for URL 'api.paloaltonetworks.com' and 'apitrusted.paloaltonetworks.com'
• traps-management-service on TCP-443 for URL 'cc-exntechnical.traps.paloaltonetworks.com' and 'ch-exntechnical.traps.paloaltonetworks.com'
• cortex-xdr on TCP-443/TCP-80 for URL 'cc-exntechnical.traps.paloaltonetworks.com' and 'ch-exntechnical.traps.paloaltonetworks.com'

On Broker 4.1.3, there is a bug where it will use 8.8.8.8 for resolving

• ch-TENNANT_NAME.traps.paloaltonetworks.com
• cc-TENNANT_NAME.traps.paloaltonetworks.com

traps-management-service URL filtering

• distributions.traps.paloaltonetworks.com Used for the first request in registration flow where the agent passes the distribution id and obtains the ch-<tenant>.traps.paloaltonetworks.com of its tenant
• dc-<xdr-tenant>.traps.paloaltonetworks.com Used for EDR data upload.
• ch-<xdr-tenant> .traps.paloaltonetworks.com Used for all other requests between the agent and its tenant server including heartbeat, uploads, action results, and scan reports.
• cc-<xdr-tenant>.traps.paloaltonetworks.com Used for get-verdict requests.

cortex-xdr URL filtering

• lrc-<region>.paloaltonetworks.com Used in live terminal flow.
• panw-xdr-installers-prod-us.storage.googleapis.com Used to download installers for upgrade actions from the server.This storage bucket is used for all regions.
• panw-xdr-payloads-prod-us.storage.googleapis.com Used to download the executable for live terminal for Cortex XDR agents earlier than version 7.1.0. This storage bucket is used for all regions.
• global-content-profiles-policy.storage.googleapis.com Used to download content updates.
• panw-xdr-evr-prod-<region>.storage.googleapis.com Used to download extended verdict request results in scanning.

• traps-management-service on TCP-8888

Note, you may want to have two rules, one for internal access and one for external access. Modify this rule as appropriate. If you do this,interal clients will try and access the public IP on the public interface and you will need to put a NONAT rule in for traffic from Internal to External where destination is public IP and TCP-443.

Also, you may want to host the portal on an internal IP on a loopback interface and DNAT a public IP to it. Edit as appropriate. If you do this, update internal DNS servers to use the internal IP of the public FQDN. If you do not do this and internal clients try to access the public FQDN on the public IP and you will need to implement a U-Turn NAT rule.

• Name: “Internet to Portal”
• From Zone: Any
• From Address: Any
• To Zone: SZ_External
• To Address: Public IP of Portal
• Application: panos-global-protect, web-browsing and ssl.
• Service: TCP-443

Note, you should ensure that you either have internal host detection enabled to prevent internal clients connecting to an external gateway, or you block internal clients from connecting to the external gateway. If, for some reason, you want to enable internal clients to connect to the external gateway, you may need to implment a NONAT rule for internal traffic accessing the public IP.

Also, you may want to host the gateway on an internal IP on a loopback interface and DNAT a public IP to it. Edit as appropriate. If you do this, update internal DNS servers to use the internal IP of the public FQDN. If you do not do this and internal clients try to access the public FQDN on the public IP and you will need to implement a U-Turn NAT rule.

• Name: “Internet to Gateway - Rule 1”
• From Zone: Any
• From Address: Any
• To Zone: SZ_External
• To Address: Public IP of Gateway
• Application: panos-global-protect, web-browsing and ssl.
• Service: TCP-443

• Name: “Internet to Gateway - Rule 2”
• From Zone: Any
• From Address: Any
• To Zone: SZ_External
• To Address: Public IP of Gateway
• Application: ipsec-esp-udp
• Service: UDP-4501 and UDP-4500 (though you will almost certainly get away with allowing only UDP-4501).

• Name: “Internet to Gateway - Rule 3”
• From Zone: Any
• From Address: Any
• To Zone: SZ_External
• To Address: Public IP of Gateway
• Application: ike
• Service: UDP-500

You can also replace Rule 2 and Rule 3 with a single rule

• Name: “Internet to Gateway - Rule 4”
• From Zone: Any
• From Address: Any
• To Zone: SZ_External
• To Address: Public IP of Gateway
• Application: ipsec
• Service: application-default

You can also restrict access to GlobalProtect based on URL

The following is access to the internal and external gateways.

• gw_fqdn.example.local/ssl-vpn/login.esp
• gw_fqdn.example.local/ssl-vpn/prelogin.esp?
• <IP Address>/ssl-vpn/logout.esp?
• <IP Address>/ssl-vpn/hipreport.esp
• <IP Address>/ssl-vpn/hipreportcheck.esp
• <IP Address>/

Access to the Portal from both Internal and External networks

• portal_fqdn.example.local/global-protect/getconfig.esp
• portal_fqdn.example.local/global-protect/prelogin.esp
• portal_fqdn.example.local/global-protect/prelogin.esp?

• Name: “Site to Site VPN”
• From Zone: SZ_External
• From Address: Any (or list of all peer addresses. Maybe an address group of all peer addresses)
• To Zone: SZ_External
• To Address: Public IP of local VPN termination IP.
• Application: ipsec
• Service: application-default

Note, the following rule is for allowing unicast DHCP renew requests. The initial DHCP request is a broadcast from 0.0.0.0 to 255.255.255.255. This means that it will not appear in the logs and it cannot be blocked by the firewall. If you have DHCP enabled on an interface, it will issue leases regardless of what security policies are configured on the firewall. Security policies can only be used to stop DHCP renew requests. If it blocks unicast renew requests, the client will eventually do a new DHCP discover and get an new address that way. (This rule can be an intrazonerule)

• Name: “Allow DHCP on Palo”
• From Zone: SZ_Internal
• From Address: Any (or list the networks that are allowed to request DHCP).
• To Zone: SZ_Internal
• To Address: IP address of firewall in SZ_Internal zone.
• Application: dhcp
• Service: application-default

(This rule can be an intrazonerule)

• Name: “Allow Firewall to Ping”
• From Zone: SZ_Internal
• From Address: IP address of firewall in SZ_Internal zone.
• To Zone: SZ_Internal
• To Address: Any (or list the networks that are allowed to request DHCP).
• Application: ping
• Service: application-default

Note, the following rule is for allowing DHCP clients to get DHCP addresses from a DHCP server via a DHCP relay. It is assumed that the DHCP relay is configured on the firewall on the interface that plugs into the network. The initial DHCP request is a broadcast from 0.0.0.0 to 255.255.255.255. This means that it will not appear in the logs and it cannot be blocked by the firewall (Version 10.0 changes this a little but but we can ignore that for now). If you have DHCP enabled on an interface, it will issue leases regardless of what security policies are configured on the firewall. Security policies can only be used to stop DHCP renew requests. If it blocks unicast renew requests, the client will eventually do a new DHCP discover and get an new address that way. You should allow the client subnet to access the actual DHCP server on the App-ID 'dhcp'.

• Name: “Allow DHCP Relay on Palo”
• From Zone: SZ_Internal (zone of the interface that the DHCP relay is attached to)
• From Address: IP address of the DHCP relay interface.
• To Zone: SZ_Server (zone where the DHCP server sits)
• To Address: IP address of DHCP server.
• Application: dhcp
• Service: application-default

Remember, when troubleshooting, the the DHCP relay is on the firewall, you will only see one traffic flow. However, if the DHCP relay is else where (e.g. Cisco AnyConnet box), then you may see two traffic flows. One from the Cisco AnyConnect box external IP to the DHCP server and the DHCP server responding to an internal IP in the Cisco AnyConnect box. Check the “Discover” packets to identify the value of the “Relay Agent” IP. This is what the DHCP server will respond to.

Allow

• paloalto-logging-service (TCP-444)
• paloalto-shared-services (TCP-443)

Whitelist the following domains in URL Filtering and Decryption

• api.lc.prod.us.cs.paloaltonetworks.com (For Cortex Data Lake)
• api.gpcloudservice.com (for GlobalProtect cloud service)
• api.paloaltonetworks.com (for GlobalProtect cloud service)
• apitrusted.paloaltonetworks.com (for GlobalProtect cloud service)

When using response pages for URL Filtering or Captive Portal, you need to configure a data plane interface with an Interface Managment Profile that has Response Pages enabled if you want to do captive portal or Continue or Admin Override on URL Filtering / Credential Theft, etc.

The following ports will need to be allowed depending on your requirements. The IP address will be an IP address on the interface you have specificed. This can be a loopback interface.

• TCP-6080 for NTLM
• TCP-6081 for Captive Portal without an SSL/TLS Server Profile
• TCP-6082 for Captive Portal with an SSL/TLS Server Profile
• TCP-6083 for URL Filtering Continue button or Admin Override.

Remember, the certificate used for SSL/TLS connections will be the certificate used for the management interface. Consequently, you may need to ensure you have enabled “Redirect” instead of Transparent on Device→Setup→Content-ID→URL Admin Override as well as Redirect instead of Transparent on Device→User Identification→Captive Portal Settings

Two useful external dynamic address lists to use are IPv6 and IPv4 Bogon lists. Block SZ_Internal → SZ_External access to these destinations as well as SZ_External → SZ_Internal access. Remember, the IPV4 list included RFC1918 addresses.

Team Cymru Bogons IPv4 - http://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt<br/> IPv4 addresses that should not be routed across the Internet (including RFC1918 private IP addresses). Either reserved IP address space or unassigned and may be used for malicious purposes. More information: http://www.team-cymru.com/bogon-reference.html

Team Cymru Bogons IPv6 - http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt<br/> IPv6 addresses that should not be routed across the Internet. Either reserved IP address space or unassigned and may be used for malicious purposes. More information: http://www.team-cymru.com/bogon-reference.html

Two other IP addresses you can use for DNS sinkholing are 192.0.0.1/32 and 2600:5200::1/128 in addition to sinkhole.paloaltonetworks.com which is 72.5.65.111.

Also block any/any/any access to and from Palo Alto Networks three built in External Dynamic Lists (The third is only available in PAN-OS 9.0+)

Allow

• msrpc-base TCP-135 TCP-445
• ms-ds-smbv3 TCP-445
• ms-service-controller TCP-445
• ms-win-dns TCP-49180
• msrpc-base TCP-49166

Restrictions information is [https://docs.paloaltonetworks.com/traps/tms/traps-management-service-admin/get-started-with-tms/enable-access-tms# here].

Based on this link, you can restrict Traps URL access to

US:

https://traps-prodng-distributions-10.s3.amazonaws.com
https://traps-prodng-agent-uploads-10.s3.amazonaws.com
https://traps-prodng-scanning-results-10.s3.amazonaws.com
https://traps-prodng-installers-origin-10.s3.amazonaws.com

EU:

https://traps-prodng-distributions-70.s3.eu-central-1.amazonaws.com
https://traps-prodng-agent-uploads-70.s3.eu-central-1.amazonaws.com
https://traps-prodng-scanning-results-70.s3.eu-central-1.amazonaws.com
https://traps-prodng-installers-origin-70.s3.eu-central-1.amazonaws.com

Block Applications

• quick
• bittorrent
• unknown-tcp
• unknown-udp

Block Application Filter

• Make Application Filter for sub-categories Proxy, Remote Access and Encrypted Tunnel. Then select client-server, network-protocol and peer-to-peer so that we do not select browser-based. This is because browser-based included ssl.

For Vulnerability Profile, select strict for everything except SIP and Brute Force.

Block Ports (inbound and outbound):

• TCP-25 (make exception for internal email servers accessing the Internet).
• TCP-445

Make Rules for

• Apps specifically allowed and service as application-default
• App ssl and web-browsing and google-base and service as application-default
• App ssl and web-browsing and google-base and service as TCP-80 and TCP-443
• App ssl and web-browsing and google-base and service as any
• App any and service as TCP-80 and TCP-443
• App any and service as application-default
• App any and service as any

For Vulnerability Profile, select strict for everything except SIP and Brute Force.

Consider rules for the following application groups

• blocked-saas-applications ()
• bad-applications (quic, ssh-tunnel)
• tolorated-saas-applicaations (youtube)
• sanctioned-saas-applications (concur, office365, etc)
• infrastructure-applications (ping, icmp, traceroute, ntp, smtp, etc)
• it-support-applications (ms-rdp, vnc, ssh, etc)

Put internal and external DNS flows in their own security policy. Remember, some traffic (e.g. sophos-update, need access to DNS and those DNS packets will be identified as sophos-update).

You may need to allow App-ID 'stun' on TCP and UDP 3478-3497,19302 to get Apple FaceTime working