Source and Destination Zone in one of the Security Rules is set to Any.-paloaltonetworks-panos

Vendor: paloaltonetworks

OS: panos

Description:
Indeni will alert if there is a security rule configured with source and destination zone set to Any.

Remediation Steps:
Source zone and destination zone should always be defined explicitly in every security policy. For more information, see Palo Alto Networks: Best Practices (define the initial internet gateway security policy): https://www.paloaltonetworks.com/documentation/80/best-practices/best-practices-internet-gateway/best-practice-internet-gateway-security-policy/define-the-initial-internet-gateway-security-policy

How does this work?
"This alert uses the Palo Alto Networks API interface to parse through the local security rules and check if any of them match the condition. The alarm should dump the name of the security rule."

Why is this important?
“It is recommended to make the policy specific either for permit or deny so that we do not include unexpected traffic because the policy was not specific enough.”

Without Indeni how would you find this?
"Log in to the device's web interface, click on Policies -> Security and use the filter (from/member eq 'any') and (to/member eq 'any')."

panos-security-zone-any

name: panos-security-zone-any
description: Ensure source and destination zones are not both "any" on security rule
type: monitoring
monitoring_interval: 60 minutes
requires:
    vendor: paloaltonetworks
    os.name: panos
    product: firewall
comments:
    security-zone-any:
        why: |
            "It is recommended to make the policy specific either for permit or deny so that we do not include unexpected traffic because the policy was not specific enough."
        how: |
            "This alert uses the Palo Alto Networks API interface to parse through the local security rules and check if any of them matching the condition. The alarm should dump the name of the security rule."
        can-with-snmp: false
        can-with-syslog: false
steps:
-   run:
        type: HTTP
        command: /api/?type=config&action=get&xpath=/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules/entry&key=${api-key}
    parse:
        type: XML
        file: panos-security-zone-any.parser.1.xml.yaml
-   run:
        type: HTTP
        command: /api/?type=config&action=get&xpath=/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='${rule_name}']&key=${api-key}
    parse:
        type: XML
        file: panos-security-zone-any.parser.2.xml.yaml
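The check the two steps above perform, as an added Python example that is not Indeni's own parser or rule code: it parses a constructed PAN-OS XML API config "get" response for the security rulebase and returns the rules whose source and destination zones are both "any", the same condition as the web-UI filter quoted above. The response layout is assumed from the PAN-OS XML API format; the rule names are constructed sample data.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a PAN-OS XML API config "get" response for the xpath
# .../rulebase/security/rules/entry (not captured from a real device).
SAMPLE_RESPONSE = """<response status="success" code="19">
  <result total-count="3" count="3">
    <entry name="allow-web-out">
      <from><member>trust</member></from>
      <to><member>untrust</member></to>
      <action>allow</action>
    </entry>
    <entry name="temp-any-any">
      <from><member>any</member></from>
      <to><member>any</member></to>
      <action>allow</action>
    </entry>
    <entry name="deny-any-any">
      <from><member>any</member></from>
      <to><member>any</member></to>
      <action>deny</action>
    </entry>
  </result>
</response>"""


def zone_members(entry, tag):
    """Return the lower-cased set of zone names listed under <from> or <to>."""
    return {m.text.strip().lower() for m in entry.findall(f"./{tag}/member") if m.text}


def rules_with_any_zones(xml_text):
    """Return the names of security rules whose source AND destination zone is 'any'.

    Equivalent to the web-UI filter "(from/member eq 'any') and (to/member eq 'any')".
    Both allow and deny rules are reported, since the recommendation is to make
    the policy specific in either case. Raises ValueError on a non-success status.
    """
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise ValueError(f"PAN-OS API call failed with status {root.get('status')!r}")
    flagged = []
    for entry in root.iterfind("./result/entry"):
        if "any" in zone_members(entry, "from") and "any" in zone_members(entry, "to"):
            flagged.append(entry.get("name"))
    return flagged


if __name__ == "__main__":
    for name in rules_with_any_zones(SAMPLE_RESPONSE):
        print(f"security rule '{name}' has source and destination zone set to any")
```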

PanosSecurityZoneAnyRule

Rule source: https://bitbucket.org/indeni/indeni-knowledge/src/master/rules/templatebased/paloaltonetworks/PanosSecurityZoneAnyRule.scala