Date published: 2020-06-08
Synapsa Firewall Auditor - Palo Alto documentation
1 Source or Destination IP
The same conditions apply for Source and Destination IP.
1.1 Synapsa rules
| Looking for | Value | Description |
|---|---|---|
| exact.ip | 192.168.1.50 | Looking for exact IP in the address field (*) |
| exact.net | 192.168.1.0/24 | Looking for exact Network in the address field (*) |
| within.net | 192.168.1.0/24 | Looking for any IP or subnet within the net (*) |
| any-ip-address | --- | Matching if SRC/DST is any IP address, any networks, but not "any" |
| any | --- | Matching if SRC/DST is keyword "any" |
| anything | --- | Always matching |
1.2 Matching examples
| Looking for | Example 1 | Example 2 |
|---|---|---|
| exact.ip | 192.168.1.50 | 192.168.1.50, 10.12.50.2 |
| exact.net | 192.168.1.0/24 | 192.168.1.0/24, 10.12.50.2 |
| within.net | 192.168.1.20 | 192.168.1.64/26, 10.1.1.12 |
| any-ip-address | 10.12.50.12, 172.16.20.20 | 10.12.50.0/27, 172.16.20.20 |
| any | any | --- |
| anything | * | * |
1.3 Not matching
| Looking for | Example 1 | Example 2 |
|---|---|---|
| exact.ip | 192.168.1.20 | 10.10.2.30 |
| exact.net | 192.168.1.2/24 | 10.10.2.30 |
| within.net | 192.168.2.50 | 10.15.2.30 |
| any-ip-address | any | --- |
| any | 10.12.50.0/27, 172.16.2.20 | 10.0.0.0/8 |
| anything | --- | --- |
2 Source or Destination Zone
The same conditions apply for Source and Destination Zone.
2.1 Synapsa rules
| Looking for | Value | Description |
|---|---|---|
| zone | Untrust | Matching if Zone contains ONE specific zone we are looking for |
| multizone | Untrust, DMZ | Matching if Zone contains ALL the zones we are looking for |
| multizone-any | Servers, Untrust, DMZ | Matching if Zone contains ANY of the specified zones (**) |
| any-zones | --- | Matching if any zones configured, not matching keyword "any" |
| any | --- | Only matching keyword "any" |
| anything | --- | Always matching |
2.2 Matching examples
| Looking for | Example 1 | Example 2 |
|---|---|---|
| zone | Untrust | --- |
| multizone | Untrust, DMZ | --- |
| multizone-any | Servers | Servers, DMZ, LAN, Untrust |
| any-zones | Trust, DMZ | Untrust, WAN, DMZ, Servers |
| any | any | --- |
| anything | * | * |
2.3 Not matching
| Looking for | Example 1 | Example 2 |
|---|---|---|
| zone | DMZ, WAN | Untrust, DMZ |
| multizone | Untrust, WAN, LAN | LAN, Untrust |
| multizone-any | Internet | any |
| any-zones | any | --- |
| any | Untrust, WAN | Internet |
| anything | --- | --- |
3 Service
3.1 Synapsa rules
| Looking for | Value | Description |
|---|---|---|
| tcp.port | 443 | Matching exactly TCP / 443 (*) |
| tcp.range | 500-600 | Matching exactly TCP range 500-600 including (*) |
| tcp.port-range_geq | 100 | Matching when TCP port range is greater or equals 100 |
| udp.port | 53 | Matching exactly UDP port 53 (*) |
| udp.range | 4500-6500 | Matching UDP range 4500-6000 including (*) |
| udp.port-range_geq | 100 | Matching when UDP port range is greater or equals 100 |
| port | 5060 | Matching TCP or UDP port 5060 (*) |
| port-range | 5000-6500 | Matching TCP or UDP range 5000-6000 including (*) |
| port-range_geq | 100 | Matching when TCP or UDP port range is greater or equals 100 |
| any-services | --- | Matching any configured service, but not word "any" |
| any | --- | Only matching "any" |
| anything | --- | Always matching |
3.2 Matching examples
| Looking for | Example 1 | Example 2 |
|---|---|---|
| tcp.port | tcp/443 | tcp/443, udp/500 |
| tcp.range | tcp/500-600 | tcp/500-600, udp/500 |
| tcp.port-range_geq | tcp/500-600 | udp/300-400 |
| udp.port | udp/53 | tcp/500-600, udp/53 |
| udp.range | udp/4500-6500 | udp/4500-6500, udp/53 |
| udp.port-range_geq | udp/700-1000 | udp/20-120 |
| port | tcp/5060, tcp/5070 | udp/5060, tcp/21 |
| port-range | udp/5000-6500 | udp/5000-6500, tcp/700-960 |
| port-range_geq | tcp/100-200 | udp/100-200 |
| any-services | tcp/123, tcp/443, udp/100-200 | tcp/123, tcp/443 |
| any | any | --- |
| anything | * | * |
3.3 Not matching
| Looking for | Example 1 | Example 2 |
|---|---|---|
| tcp.port | tcp/400-500 | tcp/22,udp/500 |
| tcp.range | tcp/501-600, udp/500 | tcp/501-600 |
| tcp.port-range_geq | tcp/50-100 | udp/100-1500 |
| udp.port | udp/500 | any |
| udp.range | udp/4500-6499 | udp/4500-6499, tcp/21 |
| udp.port-range_geq | tcp/20-120 | udp/40-90 |
| port | tcp/21 | tcp/5070 |
| port-range | udp/5002-5010 | udp/5001-6500 |
| port-range_geq | tcp/400-450 | tcp/400-450 |
| any-services | any | --- |
| any | tcp/123, udp/100-200 | tcp/443 |
| anything | --- | --- |
4 Action
4.1 Synapsa rules
| Looking for | Value | Description |
|---|---|---|
| allow | --- | Matching Allow |
| not-allow | --- | "Matching anything else except Allow Deny, Drop, Reset Client, Reset server, Reset both client and server" |
4.2 Matching examples
| Looking for | Example 1 | Example 2 |
|---|---|---|
| allow | Allow | --- |
| not-allow | Drop | Deny |
4.3 Not matching
| Looking for | Example 1 | Example 2 |
|---|---|---|
| allow | Drop | Deny |
| not-allow | Allow | --- |
5 Allowed EDL lists
| Looking for | Value | Description |
|---|---|---|
| EDL name | Name your Lists | Enter External Dynamic Lists names, which will be added for IP Address matching. By default all EDLs are skipped. |
6 Notes
- All the keywords for security zone are case insensitive.
- Logical operator between conditions is AND, meaning all the conditions have to be True to make the whole auditor rule to be True.
- Matching values for every line is in bold.
(*) Condition will match, if one of the objects in the specified field is matching the criteria.
(**) You can specify a single value, if you want to only match, if zone contains your keyword exclusively.