Date published: 2020-06-08
Synapsa Firewall Auditor - Palo Alto documentation
Chapters
- 1 Source or Destination IP
- 1.1 Synapsa rules
- 1.2 Matching examples
- 1.3 Not matching
- 2 Source or Destination Zone
- 2.1 Synapsa rules
- 2.2 Matching examples
- 2.3 Not matching
- 3 Service
- 3.1 Synapsa rules
- 3.2 Matching examples
- 3.3 Not matching
- 4 Action
- 4.1 Synapsa rules
- 4.2 Matching examples
- 4.3 Not matching
- 5 Allowed EDL lists
- 6 Notes
1 Source or Destination IP
The same conditions apply for Source and Destination IP.
1.1 Synapsa rules
Looking for | Value | Description |
---|---|---|
exact.ip | 192.168.1.50 | Looking for exact IP in the address field (*) |
exact.net | 192.168.1.0/24 | Looking for exact Network in the address field (*) |
within.net | 192.168.1.0/24 | Looking for any IP or subnet within the net (*) |
any-ip-address | --- | Matching if SRC/DST contains one or more IP addresses or networks, but not the keyword "any" |
any | --- | Matching if SRC/DST is keyword "any" |
anything | --- | Always matching |
1.2 Matching examples
Looking for | Example 1 | Example 2 |
---|---|---|
exact.ip | 192.168.1.50 | 192.168.1.50, 10.12.50.2 |
exact.net | 192.168.1.0/24 | 192.168.1.0/24, 10.12.50.2 |
within.net | 192.168.1.20 | 192.168.1.64/26, 10.1.1.12 |
any-ip-address | 10.12.50.12, 172.16.20.20 | 10.12.50.0/27, 172.16.20.20 |
any | any | --- |
anything | * | * |
1.3 Not matching
Looking for | Example 1 | Example 2 |
---|---|---|
exact.ip | 192.168.1.20 | 10.10.2.30 |
exact.net | 192.168.1.2/24 | 10.10.2.30 |
within.net | 192.168.2.50 | 10.15.2.30 |
any-ip-address | any | --- |
any | 10.12.50.0/27, 172.16.2.20 | 10.0.0.0/8 |
anything | --- | --- |
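The IP conditions from 1.1 to 1.3 as a reference implementation in Python. This is an added example, not Synapsa's code: it assumes the Palo Alto address field is available as a list of strings exactly as written in the tables (["any"], ["192.168.1.50", "10.12.50.2"], ...) and that objects which are not IP literals (named address objects, EDL names) are skipped, which is the default the EDL chapter describes. The function name match_ip_field is hypothetical.

```python
"""Reference implementation of the Synapsa source/destination IP conditions
(section 1). Added example, not Synapsa's code. The Palo Alto address field is
modelled as a list of strings as shown in the tables; objects that are not IP
literals (named address objects, EDL names) are skipped, mirroring the page's
note that EDLs are not used for matching unless listed explicitly.
"""
import ipaddress


def _as_network(obj, strict):
    """Parse an address object into an ip_network; a bare host becomes /32 (or /128).

    With strict=True an object with host bits set, such as 192.168.1.2/24, is
    rejected, which is what keeps it from satisfying exact.net 192.168.1.0/24
    (the non-matching example in 1.3). Unparseable objects yield None and are
    ignored by the callers (assumption: named objects / EDLs are skipped).
    """
    try:
        return ipaddress.ip_network(obj, strict=strict)
    except ValueError:
        return None


def match_ip_field(condition, value, field):
    """Return True if the rule's address field satisfies the Synapsa condition.

    condition: exact.ip, exact.net, within.net, any-ip-address, any or anything
    value:     the Synapsa value (ignored by the keyword conditions)
    field:     the rule's address objects, e.g. ["192.168.1.50", "10.12.50.2"] or ["any"]
    """
    objects = [o.strip() for o in field if o.strip()]
    is_any = [o.lower() for o in objects] == ["any"]

    if condition == "anything":
        return True
    if condition == "any":
        return is_any
    if condition == "any-ip-address":
        return bool(objects) and not is_any
    if is_any:
        return False  # the (*) conditions need a concrete object to compare against

    if condition in ("exact.ip", "exact.net"):
        want = ipaddress.ip_network(value)  # a host value becomes a /32 (or /128)
        if condition == "exact.ip" and want.num_addresses != 1:
            raise ValueError("exact.ip expects a single IP address; use exact.net for a network")
        # (*) semantics: one matching object in the field is enough
        return any(_as_network(o, strict=True) == want for o in objects)

    if condition == "within.net":
        net = ipaddress.ip_network(value)
        for o in objects:
            n = _as_network(o, strict=False)
            # same address family required before subnet_of, otherwise it raises TypeError
            if n is not None and n.version == net.version and n.subnet_of(net):
                return True
        return False

    raise ValueError(f"unknown IP condition: {condition}")


if __name__ == "__main__":
    # Constructed sample rule field taken from the matching examples above.
    print(match_ip_field("within.net", "192.168.1.0/24", ["192.168.1.64/26", "10.1.1.12"]))
```

The same function serves both Source IP and Destination IP, since the page states the conditions are identical for both fields.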
2 Source or Destination Zone
The same conditions apply for Source and Destination Zone.
2.1 Synapsa rules
Looking for | Value | Description |
---|---|---|
zone | Untrust | Matching only if the zone field contains exactly ONE zone and it is the zone we are looking for |
multizone | Untrust, DMZ | Matching if Zone contains ALL the zones we are looking for |
multizone-any | Servers, Untrust, DMZ | Matching if Zone contains ANY of the specified zones (**) |
any-zones | --- | Matching if any zones configured, not matching keyword "any" |
any | --- | Only matching keyword "any" |
anything | --- | Always matching |
2.2 Matching examples
Looking for | Example 1 | Example 2 |
---|---|---|
zone | Untrust | --- |
multizone | Untrust, DMZ | --- |
multizone-any | Servers | Servers, DMZ, LAN, Untrust |
any-zones | Trust, DMZ | Untrust, WAN, DMZ, Servers |
any | any | --- |
anything | * | * |
2.3 Not matching
Looking for | Example 1 | Example 2 |
---|---|---|
zone | DMZ, WAN | Untrust, DMZ |
multizone | Untrust, WAN, LAN | LAN, Untrust |
multizone-any | Internet | any |
any-zones | any | --- |
any | Untrust, WAN | Internet |
anything | --- | --- |
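The zone conditions from 2.1 to 2.3 as a reference implementation in Python. This is an added example, not Synapsa's code: it assumes the Palo Alto zone field is available as a list of zone names (["any"], ["Untrust", "DMZ"], ...) and takes the Synapsa value as the comma-separated string shown in the tables. Comparison is case-insensitive, as the Notes chapter states. The function name match_zone_field is hypothetical.

```python
"""Reference implementation of the Synapsa source/destination zone conditions
(section 2). Added example, not Synapsa's code. The Palo Alto zone field is
modelled as a list of zone names; the Synapsa value is the comma-separated
string from the tables. Zone names and keywords compare case-insensitively.
"""


def _zone_set(names):
    """Normalise zone names to a lower-case set, dropping blank entries."""
    return {z.strip().lower() for z in names if z.strip()}


def match_zone_field(condition, value, field):
    """Return True if the rule's zone field satisfies the Synapsa zone condition.

    condition: zone, multizone, multizone-any, any-zones, any or anything
    value:     "Untrust", "Untrust, DMZ", ... (ignored by the keyword conditions)
    field:     the rule's zone list, e.g. ["Untrust", "DMZ"] or ["any"]
    """
    have = _zone_set(field)
    want = _zone_set(value.split(",")) if value else set()
    is_any = have == {"any"}

    if condition == "anything":
        return True
    if condition == "any":
        return is_any
    if condition == "any-zones":
        return bool(have) and not is_any
    if is_any:
        return False  # the keyword "any" never satisfies a zone lookup

    if condition == "zone":
        if len(want) != 1:
            raise ValueError("zone takes exactly one zone; use multizone for several")
        # exclusive match: ["Untrust", "DMZ"] does not satisfy zone Untrust (see 2.3)
        return have == want
    if condition == "multizone":
        # every listed zone must be present in the field
        return want <= have
    if condition == "multizone-any":
        # at least one listed zone must be present; a single value is allowed
        return bool(want & have)

    raise ValueError(f"unknown zone condition: {condition}")


if __name__ == "__main__":
    # Constructed sample taken from the matching examples above.
    print(match_zone_field("multizone-any", "Servers, Untrust, DMZ", ["Servers", "DMZ", "LAN", "Untrust"]))
```

The difference between zone and multizone-any with a single value is the point worth noting: zone Untrust is an exclusive match, while multizone-any Servers matches any rule whose zone list includes Servers.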
3 Service
3.1 Synapsa rules
Looking for | Value | Description |
---|---|---|
tcp.port | 443 | Matching exactly TCP port 443 (*) |
tcp.range | 500-600 | Matching exactly the TCP range 500-600, inclusive (*) |
tcp.port-range_geq | 100 | Matching when the size of a TCP port range is greater than or equal to 100 |
udp.port | 53 | Matching exactly UDP port 53 (*) |
udp.range | 4500-6500 | Matching exactly the UDP range 4500-6500, inclusive (*) |
udp.port-range_geq | 100 | Matching when the size of a UDP port range is greater than or equal to 100 |
port | 5060 | Matching TCP or UDP port 5060 (*) |
port-range | 5000-6500 | Matching exactly the TCP or UDP range 5000-6500, inclusive (*) |
port-range_geq | 100 | Matching when the size of a TCP or UDP port range is greater than or equal to 100 |
any-services | --- | Matching any configured service, but not the keyword "any" |
any | --- | Only matching the keyword "any" |
anything | --- | Always matching |
3.2 Matching examples
Looking for | Example 1 | Example 2 |
---|---|---|
tcp.port | tcp/443 | tcp/443, udp/500 |
tcp.range | tcp/500-600 | tcp/500-600, udp/500 |
tcp.port-range_geq | tcp/500-600 | tcp/300-400 |
udp.port | udp/53 | tcp/500-600, udp/53 |
udp.range | udp/4500-6500 | udp/4500-6500, udp/53 |
udp.port-range_geq | udp/700-1000 | udp/20-120 |
port | tcp/5060, tcp/5070 | udp/5060, tcp/21 |
port-range | udp/5000-6500 | udp/5000-6500, tcp/700-960 |
port-range_geq | tcp/100-200 | udp/100-200 |
any-services | tcp/123, tcp/443, udp/100-200 | tcp/123, tcp/443 |
any | any | --- |
anything | * | * |
3.3 Not matching
Looking for | Example 1 | Example 2 |
---|---|---|
tcp.port | tcp/400-500 | tcp/22, udp/500 |
tcp.range | tcp/501-600, udp/500 | tcp/501-600 |
tcp.port-range_geq | tcp/50-100 | udp/100-1500 |
udp.port | udp/500 | any |
udp.range | udp/4500-6499 | udp/4500-6499, tcp/21 |
udp.port-range_geq | tcp/20-120 | udp/40-90 |
port | tcp/21 | tcp/5070 |
port-range | udp/5002-5010 | udp/5001-6500 |
port-range_geq | tcp/400-450 | tcp/400-450 |
any-services | any | --- |
any | tcp/123, udp/100-200 | tcp/443 |
anything | --- | --- |
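The service conditions from 3.1 to 3.3 as a reference implementation in Python. This is an added example, not Synapsa's code: it assumes service objects are given in the proto/port or proto/low-high notation used in the tables ("tcp/443", "udp/4500-6500", "any") and skips objects in any other form (named service objects, application-default). The *_geq conditions are read as "the range covers at least N ports"; that is an assumption, since the page's examples are equally consistent with reading it as high minus low >= N. The function names parse_service and match_service_field are hypothetical.

```python
"""Reference implementation of the Synapsa service conditions (section 3).
Added example, not Synapsa's code. Service objects use the proto/port or
proto/low-high notation from the tables; anything else is skipped, not matched.
Assumption: the *_geq conditions compare the number of ports a range covers.
"""
import re

_SERVICE_RE = re.compile(r"^(tcp|udp)/(\d{1,5})(?:-(\d{1,5}))?$", re.IGNORECASE)


def parse_service(obj):
    """'tcp/443' -> ('tcp', 443, 443); 'udp/500-600' -> ('udp', 500, 600); else None."""
    m = _SERVICE_RE.match(obj.strip())
    if not m:
        return None
    proto, lo = m.group(1).lower(), int(m.group(2))
    hi = int(m.group(3)) if m.group(3) else lo
    if not 0 <= lo <= hi <= 65535:
        return None  # malformed or reversed range: treat as an unknown object
    return proto, lo, hi


def _parse_value(value):
    """Synapsa value '443' -> (443, 443); '500-600' -> (500, 600)."""
    lo, _, hi = value.strip().partition("-")
    return int(lo), (int(hi) if hi else int(lo))


def match_service_field(condition, value, field):
    """Return True if the rule's service field satisfies the Synapsa condition.

    condition: tcp.port, tcp.range, tcp.port-range_geq, udp.port, udp.range,
               udp.port-range_geq, port, port-range, port-range_geq,
               any-services, any or anything
    value:     the Synapsa value, e.g. "443", "500-600" or "100"
    field:     the rule's service objects, e.g. ["tcp/443", "udp/500"] or ["any"]
    """
    objects = [o.strip() for o in field if o.strip()]
    is_any = [o.lower() for o in objects] == ["any"]

    if condition == "anything":
        return True
    if condition == "any":
        return is_any
    if condition == "any-services":
        return bool(objects) and not is_any
    if is_any:
        return False  # the (*) conditions need a concrete service to compare against

    # "tcp.port" -> protocol tcp, kind port; "port-range" -> either protocol, kind port-range
    proto, dot, kind = condition.partition(".")
    if not dot:
        proto, kind = None, condition
    services = [s for s in map(parse_service, objects) if s is not None]
    candidates = [(lo, hi) for p, lo, hi in services if proto is None or p == proto]

    if kind == "port":
        want = int(value)
        return any(lo == hi == want for lo, hi in candidates)
    if kind in ("range", "port-range"):
        return any((lo, hi) == _parse_value(value) for lo, hi in candidates)
    if kind == "port-range_geq":
        # a single port is a range of size 1, so tcp/443 never satisfies *_geq 100
        return any(hi - lo + 1 >= int(value) for lo, hi in candidates)

    raise ValueError(f"unknown service condition: {condition}")


if __name__ == "__main__":
    # Constructed sample taken from the matching examples above.
    print(match_service_field("port", "5060", ["udp/5060", "tcp/21"]))
```

Because the protocol filter is applied before the port comparison, udp/100-1500 does not satisfy tcp.port-range_geq, which is the non-matching case the table calls out.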
4 Action
4.1 Synapsa rules
Looking for | Value | Description |
---|---|---|
allow | --- | Matching Allow |
not-allow | --- | Matching any action other than Allow: Deny, Drop, Reset client, Reset server, Reset both client and server |
4.2 Matching examples
Looking for | Example 1 | Example 2 |
---|---|---|
allow | Allow | --- |
not-allow | Drop | Deny |
4.3 Not matching
Looking for | Example 1 | Example 2 |
---|---|---|
allow | Drop | Deny |
not-allow | Allow | --- |
5 Allowed EDL lists
Looking for | Value | Description |
---|---|---|
EDL name | Name your Lists | Enter the names of the External Dynamic Lists that should be included in IP address matching. By default all EDLs are skipped. |
6 Notes
- All keywords for security zones are case insensitive.
- The logical operator between conditions is AND: every condition in an auditor rule has to be true for the whole rule to be true.
- In the example tables, the matching values on each line are shown in bold.
(*) The condition matches if at least one of the objects in the specified field matches the criteria.
(**) multizone-any also accepts a single value; it then matches whenever the zone field contains that zone, alongside any other zones (Example 2 in 2.2). To match only when the zone field contains exactly that one zone, use zone instead.