Source and Destination Zone in one of the Security Rules is set to Any
Vendor: paloaltonetworks
OS: panos
Description:
Indeni will alert if there is a security rule configured with source and destination zone set to Any.
Remediation Steps:
Source zone and destination zone should always be defined clearly in all the security policies. For more information, please check <a target="_blank" href="https://www.paloaltonetworks.com/documentation/80/best-practices/best-practices-internet-gateway/best-practice-internet-gateway-security-policy/define-the-initial-internet-gateway-security-policy">Palo Alto Networks: Best Practices</a>.
How does this work?
"This alert uses the Palo Alto Networks API interface to parse through the local security rules and check whether any of them match the condition. The alarm dumps the name of each matching security rule."
Why is this important?
“It is recommended to make the policy specific either for permit or deny so that we do not include unexpected traffic because the policy was not specific enough.”
Without Indeni how would you find this?
"Log in to the device's web interface, click on Policies -> Security, and use the filter (from/member eq 'any') and (to/member eq 'any')."
panos-security-zone-any
name: panos-security-zone-any
description: Ensure source and destination zones are not both "any" on security rule
type: monitoring
monitoring_interval: 60 minutes
requires:
    vendor: paloaltonetworks
    os.name: panos
    product: firewall
comments:
    security-zone-any:
        why: |
            "It is recommended to make the policy specific either for permit or deny so that we do not include unexpected traffic because the policy was not specific enough."
        how: |
            "This alert uses the Palo Alto Networks API interface to parse through the local security rules and check whether any of them match the condition. The alarm dumps the name of each matching security rule."
        can-with-snmp: false
        can-with-syslog: false
steps:
-   run:
        type: HTTP
        command: /api/?type=config&action=get&xpath=/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules/entry&key=${api-key}
    parse:
        type: XML
        file: panos-security-zone-any.parser.1.xml.yaml
-   run:
        type: HTTP
        command: /api/?type=config&action=get&xpath=/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='${rule_name}']&key=${api-key}
    parse:
        type: XML
        file: panos-security-zone-any.parser.2.xml.yaml
PanosSecurityZoneAnyRule
Rule implementation: https://bitbucket.org/indeni/indeni-knowledge/src/master/rules/templatebased/paloaltonetworks/PanosSecurityZoneAnyRule.scala