From Palo Alto Networks ALG Security Technical Implementation Guide
Part of SRG-NET-000202-ALG-000124
Associated with: CCI-001109
A deny-all, permit-by-exception network communications traffic policy ensures that only those connections that are essential and approved are allowed. As a managed boundary interface between networks, the Palo Alto Networks security platform must block all inbound and outbound network traffic unless a policy filter is installed to explicitly allow it. The allow policy filters must comply with the site's security policy. A deny-all, permit–by-exception network communications traffic policy ensures that only those connections that are essential and approved are allowed.
Go to Policies >> Security Review each of the configured security policies in turn. Select each policy in turn; in the "Security Policy Rule" window, if the "Source Address" has "Any" selected, the "Destination Address" has "Any" selected, the "Application" has "Any" selected, and the "Action" Setting is "Allow", this is a finding. If any Security Policy is too broad (allowing all traffic either inbound or outbound), this is also a finding.
Do not configure any policies or rules that violate a deny-all, permit-by-exception policy. Configure policies that allow traffic through the device based only on the mission and system requirements.
Lavender hyperlinks in small type off to the right (of CSS
class id, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle or
Accept: application/rdf+xml.
Powered by sagemincer