3

security policy and nat policy

All traffic traversing the data plane of the Palo Alto Networks firewall is matched against a Security Policy
❗Traffic matching does not include traffic originating from MGT interface as MGT interface does not pass through the data plane of the firewall

All traffic passing through the firewall is matched against a session
A session is matched against a security policy rule
Each session is assigned a unique session ID number
After a session is matched, firewall applies matching SPR to the bidirectional traffic in that session.

Intrazone
1. Applies matching traffic within the specified source zone
2. A destination zone cannot be applied, all traffic will be within the Zone specified.
Interzone
1. Applies matching traffic between specified source and destination zone
Universal
1. Applies matching interzone and intrazone traffic in specified source and destination zone

By default, firewall allows intrazone traffic and denies interzone

Identify rules that are used frequently to determine which rules are unused and should be removed

Static
1. 1-1fixed translations
2. Changes source IP while leaving source port unchanged
3. Supports implicit bidirectional rule feature
Dynamic
1. 1-to-1 translations of a source IP address only (no port number)
2. Private source address translates to the next available address in the range
Dynamic IP and port (DIPP)
1. Allows multiple clients to use the same public IP address with different source port numbers
2. Assigned address can be set to the interface address or to a translated address.

Translates original destination IP address to an alternate destination IP address

Last updated 2 years ago