Date published: 2020-06-08

Synapsa Firewall Auditor - Palo Alto documentation

1 Tag

1.1 Synapsa rules

Looking for | Value | Can negate | Description
tag.exact | skip-test | yes | Matching only if exactly this tag, and no other tag, is attached to the rule
tag.multi | test, skip | yes | Matching if ALL the listed tags are attached to the rule
tag.multi-any | test, skip | yes | Matching if ANY of the listed tags is attached to the rule
tag.no | --- | yes | Matching if NO tag is attached to the rule
anything | --- | --- | Matching always

1.2 Matching examples

Looking for | Example 1 | Example 2
tag.exact | skip |
tag.multi | test, skip | skip, test, prio1
tag.multi-any | redflag, test, external, skip | blue, test, external, skip, red
tag.no | (no tag attached) |
anything | * | *

1.3 Not matching

Looking for | Example 1 | Example 2
tag.exact | audit | audit, prio1
tag.multi | |
tag.multi-any | red, blue |
tag.no | skip | skip, test, prio1
anything | --- | ---

2 Source or Destination IP

The same conditions apply for Source and Destination IP.

2.1 Synapsa rules

Looking for | Value | Can negate | Description
exact.ip | 192.168.1.50 | yes | Looking for this exact IP in the address field (*)
exact.net | 192.168.1.0/24 | yes | Looking for this exact network in the address field (*)
within.net | 192.168.1.0/24 | yes | Looking for any IP or subnet within the network (*)
any-ip-address | --- | --- | Matching if SRC/DST is any IP address or network, but not the keyword "any"
any | --- | --- | Matching if SRC/DST is the keyword "any"
anything | --- | --- | Matching always
exact.region | SK | yes | Region MUST be exactly SK
within.region | SK, CZ, EU | yes | Matching if at least one of SK, CZ or EU is among the regions in the policy
multi.region | SK, CZ, EU | yes | Matching only if all three regions are in the policy

2.2 Matching examples

Looking for | Example 1 | Example 2
exact.ip | 192.168.1.50 | 192.168.1.50, 10.12.50.2
exact.net | 192.168.1.0/24 | 192.168.1.0/24, 10.12.50.2
within.net | 192.168.1.20 | 192.168.1.64/26, 10.1.1.12
any-ip-address | 10.12.50.12, 172.16.20.20 | 10.12.50.0/27, 172.16.20.20
any | any | ---
anything | * | *
exact.region | SK |
within.region | SK, CZ | SK, CN, RU, USA, UK
multi.region | SK, RU, CN, CZ, EU | SK, RU, CN, CZ, EU, USA

2.3 Not matching

Looking for | Example 1 | Example 2
exact.ip | 192.168.1.20 | 10.10.2.30
exact.net | 192.168.1.2/24 | 10.10.2.30
within.net | 192.168.2.50 | 10.15.2.30
any-ip-address | any | ---
any | 10.12.50.0/27, 172.16.2.20 | 10.0.0.0/8
anything | --- | ---
exact.region | CZ | EU
within.region | CN, RU |
multi.region | SK, CZ, USA, RU | EU, CZ, USA, RU
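The IP conditions above are easy to get subtly wrong (is 192.168.1.2/24 the same network as 192.168.1.0/24? is a /32 "within" a /24?). The following is an added example, not Synapsa's own code, that implements section 2 with Python's standard ipaddress module so the two tables can be checked mechanically. Condition names and semantics are taken from this page; representing a rule's address field as a list of strings (address objects already resolved to IP or CIDR literals, or the keyword "any") and the handling of a field that mixes "any" with addresses are assumptions of this example.

```python
# Added example, not Synapsa's own code: section 2 (Source/Destination IP)
# conditions implemented with the standard ipaddress module. A rule's address
# field is assumed to be a list of IP/CIDR literals or the keyword "any".
import ipaddress

NEGATABLE = {"exact.ip", "exact.net", "within.net",
             "exact.region", "within.region", "multi.region"}


def _addrs(field):
    """Address objects in the field as ip_interface values. The keyword "any"
    is not an address and is skipped here; is_any_keyword() handles it."""
    return [ipaddress.ip_interface(v) for v in field if v.lower() != "any"]


def _exact(field, wanted):
    """(*) True if at least one object equals the wanted literal exactly.
    Comparing interfaces keeps the host bits, so 192.168.1.2/24 does NOT
    equal 192.168.1.0/24, as the "Not matching" table requires."""
    target = ipaddress.ip_interface(wanted)
    return any(a == target for a in _addrs(field))


def exact_ip(field, wanted):
    return _exact(field, wanted)


def exact_net(field, wanted):
    return _exact(field, wanted)


def within_net(field, wanted):
    """(*) True if at least one host or subnet in the field lies inside the
    wanted network. A bare host literal has a /32 network, so it counts."""
    net = ipaddress.ip_network(wanted, strict=False)
    return any(a.version == net.version and a.network.subnet_of(net)
               for a in _addrs(field))


def is_any_keyword(field):
    """any: the field is exactly the keyword "any"."""
    return [v.lower() for v in field] == ["any"]


def any_ip_address(field):
    """any-ip-address: real addresses or networks only, never the keyword.
    Assumption: a field that mixes "any" with addresses is treated as "any"."""
    return bool(field) and not any(v.lower() == "any" for v in field)


def _regions(value):
    return [r.strip() for r in value.split(",") if r.strip()]


def exact_region(field, wanted):
    """exact.region: the field is exactly this one region code."""
    return list(field) == [wanted.strip()]


def within_region(field, wanted):
    """within.region: at least one listed region is present in the policy."""
    return any(r in field for r in _regions(wanted))


def multi_region(field, wanted):
    """multi.region: every listed region is present in the policy."""
    return all(r in field for r in _regions(wanted))


def match(condition, field, value="", negate=False):
    """Evaluate one Synapsa IP condition against a rule's SRC or DST field.
    negate is only honoured for conditions the table marks 'Can negate'."""
    if negate and condition not in NEGATABLE:
        raise ValueError(f"{condition} cannot be negated")
    table = {
        "exact.ip": lambda: exact_ip(field, value),
        "exact.net": lambda: exact_net(field, value),
        "within.net": lambda: within_net(field, value),
        "any-ip-address": lambda: any_ip_address(field),
        "any": lambda: is_any_keyword(field),
        "anything": lambda: True,
        "exact.region": lambda: exact_region(field, value),
        "within.region": lambda: within_region(field, value),
        "multi.region": lambda: multi_region(field, value),
    }
    result = table[condition]()
    return (not result) if negate else result


if __name__ == "__main__":
    rule_src = ["192.168.1.64/26", "10.1.1.12"]      # constructed rule field
    print(match("within.net", rule_src, "192.168.1.0/24"))            # True
    print(match("exact.net", ["192.168.1.2/24"], "192.168.1.0/24"))   # False
```

Because exact.ip and exact.net compare interface objects rather than normalised networks, a typo such as 192.168.1.2/24 in a rule will not be reported as the intended 192.168.1.0/24 by an exact condition; use within.net when that leniency is wanted.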

3 Source or Destination Zone

The same conditions apply for Source and Destination Zone.

3.1 Synapsa rules

Looking for | Value | Can negate | Description
zone | Untrust | yes | Matching if the zone field contains exactly the ONE specified zone and nothing else
multizone | Untrust, DMZ | yes | Matching if the zone field contains ALL the specified zones
multizone-any | Servers, Untrust, DMZ | yes | Matching if the zone field contains ANY of the specified zones (**)
any-or-multizone-any | Servers, Untrust, DMZ | yes | Matching the keyword "any" or ANY of the specified zones
any-zones | --- | --- | Matching if any zones are configured, not matching the keyword "any"
any | --- | --- | Only matching the keyword "any"
anything | --- | --- | Matching always

3.2 Matching examples

Looking for | Example 1 | Example 2
zone | Untrust | ---
multizone | Untrust, DMZ | ---
multizone-any | Servers | Servers, DMZ, LAN, Untrust
any-or-multizone-any | any | Servers, DMZ, LAN, Untrust
any-zones | Trust, DMZ | Untrust, WAN, DMZ, Servers
any | any | ---
anything | * | *

3.3 Not matching

Looking for | Example 1 | Example 2
zone | DMZ, WAN | Untrust, DMZ
multizone | Untrust, WAN, LAN | LAN, Untrust
multizone-any | Internet | any
any-or-multizone-any | Internet | Users
any-zones | any | ---
any | Untrust, WAN | Internet
anything | --- | ---
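The tag conditions of section 1 and the zone conditions of section 3 have the same shape: a list-valued rule field compared against one or more wanted names, with "exact" meaning the field holds that one name and nothing else. The following added example (not Synapsa's own code) implements both sections with the semantics from the tables above. Case-insensitive zone names follow note 1; treating tag names as case-sensitive is an assumption, since the page says nothing about tag case.

```python
# Added example, not Synapsa's own code: section 1 (tags) and section 3
# (zones) conditions. Zone names compare case-insensitively (note 1); tag
# comparison is kept case-sensitive, which is an assumption of this example.

TAG_NEGATABLE = {"tag.exact", "tag.multi", "tag.multi-any", "tag.no"}
ZONE_NEGATABLE = {"zone", "multizone", "multizone-any", "any-or-multizone-any"}


def _split(value, fold_case):
    """Comma separated condition value -> list of names."""
    names = [v.strip() for v in value.split(",") if v.strip()]
    return [n.lower() for n in names] if fold_case else names


def _finish(result, condition, negate, negatable):
    """Apply 'Can negate' only where the table allows it."""
    if negate and condition not in negatable:
        raise ValueError(f"{condition} cannot be negated")
    return (not result) if negate else result


def match_tags(condition, tags, value="", negate=False):
    """Section 1: tags is the list of tags attached to the rule."""
    tags = [t.strip() for t in tags]
    wanted = _split(value, fold_case=False)
    table = {
        "tag.exact": lambda: tags == wanted,            # this tag and nothing else
        "tag.multi": lambda: all(w in tags for w in wanted),
        "tag.multi-any": lambda: any(w in tags for w in wanted),
        "tag.no": lambda: not tags,
        "anything": lambda: True,
    }
    return _finish(table[condition](), condition, negate, TAG_NEGATABLE)


def match_zones(condition, zones, value="", negate=False):
    """Section 3: zones is the rule's from/to field, either a list of zone
    names or the single keyword "any"."""
    zones = [z.strip().lower() for z in zones]          # note 1: case insensitive
    wanted = _split(value, fold_case=True)
    is_any = zones == ["any"]
    table = {
        "zone": lambda: zones == wanted,                # exactly this one zone
        "multizone": lambda: all(w in zones for w in wanted),
        "multizone-any": lambda: any(w in zones for w in wanted),
        "any-or-multizone-any": lambda: is_any or any(w in zones for w in wanted),
        "any-zones": lambda: bool(zones) and not is_any,
        "any": lambda: is_any,
        "anything": lambda: True,
    }
    return _finish(table[condition](), condition, negate, ZONE_NEGATABLE)


if __name__ == "__main__":
    # constructed rule: tags "skip, test, prio1", from-zones "Untrust, DMZ"
    print(match_tags("tag.multi", ["skip", "test", "prio1"], "test, skip"))  # True
    print(match_zones("zone", ["Untrust", "DMZ"], "Untrust"))                # False
```

The keyword "any" never satisfies multizone-any or multizone here, only `any` and `any-or-multizone-any`, which is the distinction the two zone tables draw between a rule that is open to every zone and one that merely lists many zones.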

4 Service

4.1 Synapsa rules

Looking for | Value | Can negate | Description
tcp.port | 443 | yes | Matching exactly TCP / 443 (*)
tcp.range | 500-600 | yes | Matching exactly the TCP range 500-600, bounds inclusive (*)
tcp.port-range_geq | 100 | yes | Matching when a TCP port range is at least 100 wide (upper bound minus lower bound is greater than or equal to 100)
udp.port | 53 | yes | Matching exactly UDP port 53 (*)
udp.range | 4500-6500 | yes | Matching exactly the UDP range 4500-6500, bounds inclusive (*)
udp.port-range_geq | 100 | yes | Matching when a UDP port range is at least 100 wide (upper bound minus lower bound is greater than or equal to 100)
port | 5060 | yes | Matching TCP or UDP port 5060 (*)
port-range | 5000-6500 | yes | Matching exactly the TCP or UDP range 5000-6500, bounds inclusive (*)
port-range_geq | 100 | yes | Matching when a TCP or UDP port range is at least 100 wide (upper bound minus lower bound is greater than or equal to 100)
any-services | --- | --- | Matching any configured service, but not the keyword "any"
any | --- | --- | Only matching the keyword "any"
app-default | --- | --- | Only matching "app-default"
anything | --- | --- | Matching always

4.2 Matching examples

Looking for | Example 1 | Example 2
tcp.port | tcp/443 | tcp/443, udp/500
tcp.range | tcp/500-600 | tcp/500-600, udp/500
tcp.port-range_geq | tcp/500-600 | tcp/300-400
udp.port | udp/53 | tcp/500-600, udp/53
udp.range | udp/4500-6500 | udp/4500-6500, udp/53
udp.port-range_geq | udp/700-1000 | udp/20-120
port | tcp/5060, tcp/5070 | udp/5060, tcp/21
port-range | udp/5000-6500 | udp/5000-6500, tcp/700-960
port-range_geq | tcp/100-200 | udp/100-200
any-services | tcp/123, tcp/443, udp/100-200 | tcp/123, tcp/443
any | any | ---
app-default | |
anything | * | *

4.3 Not matching

Looking for | Example 1 | Example 2
tcp.port | tcp/400-500 | tcp/22, udp/500
tcp.range | tcp/501-600, udp/500 | tcp/501-600
tcp.port-range_geq | tcp/50-100 | udp/100-1500
udp.port | udp/500 | any
udp.range | udp/4500-6499 | udp/4500-6499, tcp/21
udp.port-range_geq | tcp/20-120 | udp/40-90
port | tcp/21 | tcp/5070
port-range | udp/5002-5010 | udp/5001-6500
port-range_geq | tcp/400-450 | tcp/400-450
any-services | any | ---
any | tcp/123, udp/100-200 | tcp/443
app-default | |
anything | --- | ---
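The service tables make three distinctions that are easy to blur in an auditor: an exact port never matches a range that merely contains it (tcp/400-500 does not satisfy tcp.port 443), a range must match on both bounds (tcp/501-600 does not satisfy tcp.range 500-600), and the *_geq conditions compare the width of the range, not its position. The following added example (not Synapsa's own code) implements section 4 with those rules. The "tcp/443" and "udp/500-600" notation of the example tables is used as the input format; resolving a PAN-OS service object name to its protocol and ports is outside this example (assumption), and accepting both keyword spellings "app-default" (this page) and "application-default" (the PAN-OS keyword) is likewise an assumption.

```python
# Added example, not Synapsa's own code: section 4 (Service) conditions.
# Input uses the page's "tcp/443" / "udp/500-600" notation; resolving PAN-OS
# service object names to protocol/ports is assumed to have happened already.
from dataclasses import dataclass

KEYWORDS = {"any", "app-default", "application-default"}
NEGATABLE = {"tcp.port", "tcp.range", "tcp.port-range_geq",
             "udp.port", "udp.range", "udp.port-range_geq",
             "port", "port-range", "port-range_geq"}
# condition -> (protocols it looks at, kind of comparison)
PORT_CONDITIONS = {
    "tcp.port": (("tcp",), "port"),
    "tcp.range": (("tcp",), "range"),
    "tcp.port-range_geq": (("tcp",), "geq"),
    "udp.port": (("udp",), "port"),
    "udp.range": (("udp",), "range"),
    "udp.port-range_geq": (("udp",), "geq"),
    "port": (("tcp", "udp"), "port"),
    "port-range": (("tcp", "udp"), "range"),
    "port-range_geq": (("tcp", "udp"), "geq"),
}


@dataclass(frozen=True)
class Service:
    proto: str
    lo: int
    hi: int

    @property
    def width(self):
        """Upper minus lower bound, the quantity the *_geq conditions test."""
        return self.hi - self.lo


def parse_service(text):
    """'tcp/443' -> Service('tcp', 443, 443); 'udp/500-600' -> Service(...).
    Keywords come back as lowercase strings. Malformed input raises, so a
    typo in a rule cannot silently become a non-matching service."""
    t = text.strip().lower()
    if t in KEYWORDS:
        return t
    proto, _, ports = t.partition("/")
    if proto not in ("tcp", "udp") or not ports:
        raise ValueError(f"unsupported service: {text!r}")
    if "-" in ports:
        lo, hi = (int(p) for p in ports.split("-", 1))
    else:
        lo = hi = int(ports)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range: {text!r}")
    return Service(proto, lo, hi)


def _bounds(value):
    """Condition value '500-600' -> (500, 600); '443' -> (443, 443)."""
    lo, _, hi = value.partition("-")
    return int(lo), int(hi or lo)


def match_service(condition, field, value="", negate=False):
    """Evaluate one section 4 condition against a rule's service field.
    (*) port conditions match if any one service object satisfies them."""
    if negate and condition not in NEGATABLE:
        raise ValueError(f"{condition} cannot be negated")
    parsed = [parse_service(s) for s in field]
    services = [s for s in parsed if isinstance(s, Service)]
    keywords = [s for s in parsed if isinstance(s, str)]

    if condition in PORT_CONDITIONS:
        protos, kind = PORT_CONDITIONS[condition]
        lo, hi = _bounds(value)
        if kind == "port":
            pred = lambda s: s.lo == s.hi == lo          # exactly one port
        elif kind == "range":
            pred = lambda s: (s.lo, s.hi) == (lo, hi)    # both bounds, inclusive
        else:
            pred = lambda s: s.width >= lo               # range at least this wide
        result = any(s.proto in protos and pred(s) for s in services)
    elif condition == "any-services":
        # assumption: a field mixing keywords and services is not "any-services"
        result = bool(services) and not keywords
    elif condition == "any":
        result = keywords == ["any"] and not services
    elif condition == "app-default":
        result = keywords in (["app-default"], ["application-default"]) and not services
    elif condition == "anything":
        result = True
    else:
        raise ValueError(f"unknown condition {condition!r}")
    return (not result) if negate else result


if __name__ == "__main__":
    rule_service = ["tcp/443", "udp/500"]                 # constructed rule field
    print(match_service("tcp.port", rule_service, "443"))      # True
    print(match_service("tcp.port", ["tcp/400-500"], "443"))   # False
```

Note that parse_service refuses unknown protocols and out-of-range ports instead of returning "no match": an auditor that silently skips a service it cannot parse would report an over-permissive rule as clean.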

5 Logging

5.1 Synapsa rules

Looking for | Value | Can negate | Description
Log-start.enabled | Yes | yes | Matching if the rule has "log-start = yes"
Log-start.enabled | No | yes | Matching if the rule has "log-start = no" or no "log-start = yes" is found
Log-end.enabled | Yes | yes | Matching if the rule has "log-end = yes"
Log-end.enabled | No | yes | Matching if the rule has "log-end = no" or no "log-end = yes" is found
Log forwarding | Disabled | --- | Matching if Log Forwarding is NOT enabled
Log forwarding | Enabled | --- | Matching if Log Forwarding is enabled, no matter which profile
Log forwarding.profile | To-Panorama | yes | Matching if the logging profile is exactly the entered value

5.2 Matching examples

Looking for | Example 1 | Example 2
Log-start.enabled = Yes | log-start=yes |
Log-start.enabled = No | log-start=no | no log-start found
Log-end.enabled = Yes | log-end=yes |
Log-end.enabled = No | log-end=no | no log-end found
Log forwarding = Disabled | log-setting not found |
Log forwarding = Enabled | |
Log forwarding.profile = To-Panorama | log-setting=To-Panorama |

5.3 Not matching

Looking for | Example 1 | Example 2
Log-start.enabled = Yes | log-start=no | no log-start found
Log-start.enabled = No | log-start=yes |
Log-end.enabled = Yes | log-end=no |
Log-end.enabled = No | log-end=yes |
Log forwarding = Disabled | log-setting=To-Panorama | log-setting=Profile1
Log forwarding = Enabled | |
Log forwarding.profile = To-Panorama | log-setting not found |

"Not found" means that the XML item is not present for the specific security policy in the API response.


6 Security profile group / profiles

6.1 Synapsa rules

Looking for | Value | Can negate | Description
Profile.type | Group / Profiles | --- | Dropdown menu; select Group or Profiles
group.exact | grp_strict | --- | Matching when the profile-setting group member equals "grp_strict"
group-any-of | grp_strict, grp_alert | --- | Matching when the group is set to any of the listed values
disabled | --- | --- | Matching when the rule has no security profile or group assigned
enabled | --- | --- | Matching when the rule has ANY security profile or group assigned
anything | --- | --- | Matching always
profile.antivirus | value / none / any-of / anything | Value: yes; Any-of: yes | Value: match the exact name of the profile (example: value = prof1). None: match when no profile is enabled. Any-of: match when the profile is one of the user-specified values. Anything: always match
profile.vulnerability | value / none / any-of / anything | Value: yes; Any-of: yes | Same logic as above
profile.anti-spyware | value / none / any-of / anything | Value: yes; Any-of: yes | Same logic as above
profile.url-filtering | value / none / any-of / anything | Value: yes; Any-of: yes | Same logic as above
profile.file-blocking | value / none / any-of / anything | Value: yes; Any-of: yes | Same logic as above
profile.data-filtering | value / none / any-of / anything | Value: yes; Any-of: yes | Same logic as above
profile.wildfire | value / none / any-of / anything | Value: yes; Any-of: yes | Same logic as above

6.2 Matching examples

Looking for | Example 1 | Example 2
Profile.type | |
group.exact | |
group-any-of | grp_strict | grp_alert
disabled | |
enabled | |
anything | |
profile.antivirus | <virus loc="FW1"><member loc="FW1">prof1</member></virus> |
profile.vulnerability | Same logic as above |
profile.anti-spyware | Same logic as above |
profile.url-filtering | Same logic as above |
profile.file-blocking | Same logic as above |
profile.data-filtering | Same logic as above |
profile.wildfire | Same logic as above |

6.3 Not matching

Looking for | Example 1 | Example 2
Profile.type | |
group.exact | no profile-setting found |
group-any-of | grp_low |
disabled | |
enabled | |
anything | |
profile.antivirus | <virus loc="FW1"><member loc="FW1">NP</member></virus> | No <virus> XML item in the API response
profile.vulnerability | Same logic as above | Same logic as above
profile.anti-spyware | Same logic as above | Same logic as above
profile.url-filtering | Same logic as above | Same logic as above
profile.file-blocking | Same logic as above | Same logic as above
profile.data-filtering | Same logic as above | Same logic as above
profile.wildfire | Same logic as above | Same logic as above

Profile names are not case sensitive.
Value is user input; "None" and "Anything" are pre-defined values.
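Sections 5 and 6 both hinge on the same question: is the XML item present in the API response for this rule, and what does it contain? The following added example (not Synapsa's own code) evaluates the logging conditions of section 5 and the group and profile conditions of section 6 against security rule `<entry>` elements in the shape the PAN-OS XML API returns them, including the "not found" cases. Only `<virus>` appears on this page; the other child element names under `<profiles>` (spyware, vulnerability, url-filtering, file-blocking, data-filtering, wildfire-analysis) follow the PAN-OS schema as I know it and are an assumption, and the three rules in the sample are constructed for this example.

```python
# Added example, not Synapsa's own code: section 5 (Logging) and section 6
# (Security profile group / profiles) conditions over PAN-OS style <entry>
# elements. SAMPLE_RULES is constructed; element names other than <virus>
# under <profiles> are an assumption based on the PAN-OS config schema.
import xml.etree.ElementTree as ET

SAMPLE_RULES = """<rules>
  <entry name="web-out">
    <log-start>yes</log-start>
    <log-end>yes</log-end>
    <log-setting>To-Panorama</log-setting>
    <profile-setting><group><member>grp_strict</member></group></profile-setting>
  </entry>
  <entry name="legacy-allow">
    <log-end>no</log-end>
    <profile-setting>
      <profiles>
        <virus><member>prof1</member></virus>
        <url-filtering><member>default</member></url-filtering>
      </profiles>
    </profile-setting>
  </entry>
  <entry name="bare"/>
</rules>"""
RULES = {e.get("name"): e for e in ET.fromstring(SAMPLE_RULES).findall("entry")}

# profile.<type> condition name -> element under <profile-setting><profiles>
PROFILE_TYPES = {
    "antivirus": "virus", "anti-spyware": "spyware", "vulnerability": "vulnerability",
    "url-filtering": "url-filtering", "file-blocking": "file-blocking",
    "data-filtering": "data-filtering", "wildfire": "wildfire-analysis",
}


def _text(entry, path):
    """Text of a child element, or None when the XML item is not present
    ("not found" in the tables above)."""
    node = entry.find(path)
    return None if node is None or node.text is None else node.text.strip()


def _members(entry, path):
    return [m.text.strip() for m in entry.findall(path) if m.text]


def log_enabled(entry, which, wanted):
    """Log-start.enabled / Log-end.enabled; which is "log-start" or "log-end".
    "Yes" needs an explicit yes; "No" matches no OR an absent element."""
    found = _text(entry, which)
    if wanted.lower() == "yes":
        return found == "yes"
    return found is None or found == "no"


def log_forwarding(entry, wanted):
    """Log forwarding: Enabled = some log-setting present, Disabled = none."""
    present = _text(entry, "log-setting") is not None
    return present if wanted.lower() == "enabled" else not present


def log_forwarding_profile(entry, wanted):
    """Log forwarding.profile: log-setting equals the entered name exactly."""
    return _text(entry, "log-setting") == wanted


def match_group(entry, condition, value=""):
    """Section 6 with Profile.type = Group, plus disabled/enabled/anything."""
    groups = _members(entry, "profile-setting/group/member")
    profiles = _members(entry, "profile-setting/profiles/*/member")
    wanted = [v.strip() for v in value.split(",") if v.strip()]
    table = {
        "group.exact": lambda: groups == wanted,
        "group-any-of": lambda: any(g in wanted for g in groups),
        "disabled": lambda: not groups and not profiles,
        "enabled": lambda: bool(groups) or bool(profiles),
        "anything": lambda: True,
    }
    return table[condition]()


def match_profile(entry, ptype, mode, value="", negate=False):
    """profile.<ptype> with mode value / none / any-of / anything. Profile
    names compare case-insensitively (as the page states); negation is only
    allowed for value and any-of."""
    if negate and mode not in ("value", "any-of"):
        raise ValueError(f"profile.{ptype} {mode} cannot be negated")
    path = f"profile-setting/profiles/{PROFILE_TYPES[ptype]}/member"
    names = [n.lower() for n in _members(entry, path)]
    wanted = [v.strip().lower() for v in value.split(",") if v.strip()]
    table = {
        "value": lambda: names == wanted,
        "none": lambda: not names,
        "any-of": lambda: any(n in wanted for n in names),
        "anything": lambda: True,
    }
    result = table[mode]()
    return (not result) if negate else result


if __name__ == "__main__":
    for name, entry in RULES.items():
        print(name, "log-end=No:", log_enabled(entry, "log-end", "No"),
              "profile or group enabled:", match_group(entry, "enabled"))
```

The asymmetry in log_enabled is the point of the "not found" note: an absent `<log-start>` element satisfies "No" but never "Yes", so a rule that was created without the option ever being set is caught by the same condition as one where it was switched off.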


7 Action

7.1 Synapsa rules

Looking for | Value | Can negate | Description
allow | --- | --- | Matching the action Allow
not-allow | --- | --- | Matching any action other than Allow: Deny, Drop, Reset Client, Reset Server, Reset both client and server

7.2 Matching examples

Looking for | Example 1 | Example 2
allow | Allow | ---
not-allow | Drop | Deny

7.3 Not matching

Looking for | Example 1 | Example 2
allow | Drop | Deny
not-allow | Allow | ---

8 Allowed EDL lists

Looking for | Value | Can negate | Description
EDL name | names of your lists | --- | Enter the names of the External Dynamic Lists that should be included in IP address matching. By default all EDLs are skipped.

9 Notes

  1. All the keywords for security zones are case insensitive.
  2. The logical operator between conditions is AND: all conditions have to be true for the whole auditor rule to be true.
  3. Matching values for every line are shown in bold.

(*) The condition matches if at least one of the objects in the specified field matches the criteria.

(**) You can specify a single value if you only want to match when the zone field contains exactly that keyword.