Date published: 2020-06-08

Synapsa Firewall Auditor - Palo Alto documentation

1 Source or Destination IP

The same conditions apply for Source and Destination IP.

1.1 Synapsa rules

| Looking for | Value | Description |
|---|---|---|
| exact.ip | 192.168.1.50 | Looking for the exact IP in the address field (*) |
| exact.net | 192.168.1.0/24 | Looking for the exact network in the address field (*) |
| within.net | 192.168.1.0/24 | Looking for any IP or subnet within the network (*) |
| any-ip-address | --- | Matching if SRC/DST is any IP address or any network, but not the keyword "any" |
| any | --- | Matching if SRC/DST is the keyword "any" |
| anything | --- | Always matching |

1.2 Matching examples

| Looking for | Example 1 | Example 2 |
|---|---|---|
| exact.ip | 192.168.1.50 | 192.168.1.50, 10.12.50.2 |
| exact.net | 192.168.1.0/24 | 192.168.1.0/24, 10.12.50.2 |
| within.net | 192.168.1.20 | 192.168.1.64/26, 10.1.1.12 |
| any-ip-address | 10.12.50.12, 172.16.20.20 | 10.12.50.0/27, 172.16.20.20 |
| any | any | --- |
| anything | * | * |

1.3 Not matching

| Looking for | Example 1 | Example 2 |
|---|---|---|
| exact.ip | 192.168.1.20 | 10.10.2.30 |
| exact.net | 192.168.1.2/24 | 10.10.2.30 |
| within.net | 192.168.2.50 | 10.15.2.30 |
| any-ip-address | any | --- |
| any | 10.12.50.0/27, 172.16.2.20 | 10.0.0.0/8 |
| anything | --- | --- |
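The address conditions above, as an added Python example (not Synapsa's own code) that evaluates them the way the tables and footnote (*) describe, and ANDs the per-field results as Note 2 states. The function names are mine, and the example assumes the SRC/DST fields hold literal IPs or CIDRs rather than address-object names.

```python
from ipaddress import ip_network


def _objects(field):
    """Split an address field such as "192.168.1.50, 10.12.50.2" into its objects."""
    return [o.strip() for o in field.split(",") if o.strip()]


def _as_network(obj):
    """Parse an IP or CIDR literal; a bare IP becomes a /32 (or /128) network.
    strict=True keeps host bits significant, so "192.168.1.2/24" is not read as
    192.168.1.0/24 (the page lists it under "Not matching" for exact.net).
    Anything that is not a literal (e.g. an address-object name) yields None."""
    try:
        return ip_network(obj, strict=True)
    except ValueError:
        return None


def matches(looking_for, value, field):
    """Evaluate one "Looking for" condition against a rule's SRC or DST field.
    Footnote (*): the condition matches if ONE object in the field matches."""
    objs = _objects(field)
    is_any = len(objs) == 1 and objs[0].lower() == "any"
    if looking_for == "anything":
        return True
    if looking_for == "any":
        return is_any
    if looking_for == "any-ip-address":
        # Literal IPs or networks only, and never the keyword "any".
        return bool(objs) and not is_any and all(_as_network(o) is not None for o in objs)
    want = ip_network(value, strict=True)
    nets = [n for n in map(_as_network, objs) if n is not None and n.version == want.version]
    if looking_for in ("exact.ip", "exact.net"):
        return any(n == want for n in nets)
    if looking_for == "within.net":
        return any(n.subnet_of(want) for n in nets)
    raise ValueError(f"unknown condition: {looking_for}")


def audit_rule(conditions, rule):
    """Note 2: conditions are ANDed, so every one must be True for the auditor rule to be True.
    conditions: {"source": ("within.net", "192.168.1.0/24"), "destination": ("any", None)}
    rule (constructed sample): {"source": "192.168.1.64/26, 10.1.1.12", "destination": "any"}"""
    return all(matches(cond, val, rule[fld]) for fld, (cond, val) in conditions.items())
```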

2 Source or Destination Zone

The same conditions apply for Source and Destination Zone.

2.1 Synapsa rules

| Looking for | Value | Description |
|---|---|---|
| zone | Untrust | Matching if Zone contains ONE specific zone we are looking for |
| multizone | Untrust, DMZ | Matching if Zone contains ALL the zones we are looking for |
| multizone-any | Servers, Untrust, DMZ | Matching if Zone contains ANY of the specified zones (**) |
| any-zones | --- | Matching if any zones are configured; not matching the keyword "any" |
| any | --- | Only matching the keyword "any" |
| anything | --- | Always matching |

2.2 Matching examples

| Looking for | Example 1 | Example 2 |
|---|---|---|
| zone | Untrust | --- |
| multizone | Untrust, DMZ | --- |
| multizone-any | Servers | Servers, DMZ, LAN, Untrust |
| any-zones | Trust, DMZ | Untrust, WAN, DMZ, Servers |
| any | any | --- |
| anything | * | * |

2.3 Not matching

| Looking for | Example 1 | Example 2 |
|---|---|---|
| zone | DMZ, WAN | Untrust, DMZ |
| multizone | Untrust, WAN, LAN | LAN, Untrust |
| multizone-any | Internet | any |
| any-zones | any | --- |
| any | Untrust, WAN | Internet |
| anything | --- | --- |

3 Service

3.1 Synapsa rules

| Looking for | Value | Description |
|---|---|---|
| tcp.port | 443 | Matching exactly TCP/443 (*) |
| tcp.range | 500-600 | Matching exactly the TCP range 500-600, inclusive (*) |
| tcp.port-range_geq | 100 | Matching when the width of a TCP port range is greater than or equal to 100 |
| udp.port | 53 | Matching exactly UDP port 53 (*) |
| udp.range | 4500-6500 | Matching the UDP range 4500-6000, inclusive (*) |
| udp.port-range_geq | 100 | Matching when the width of a UDP port range is greater than or equal to 100 |
| port | 5060 | Matching TCP or UDP port 5060 (*) |
| port-range | 5000-6500 | Matching the TCP or UDP range 5000-6000, inclusive (*) |
| port-range_geq | 100 | Matching when the width of a TCP or UDP port range is greater than or equal to 100 |
| any-services | --- | Matching any configured service, but not the keyword "any" |
| any | --- | Only matching the keyword "any" |
| anything | --- | Always matching |

3.2 Matching examples

| Looking for | Example 1 | Example 2 |
|---|---|---|
| tcp.port | tcp/443 | tcp/443, udp/500 |
| tcp.range | tcp/500-600 | tcp/500-600, udp/500 |
| tcp.port-range_geq | tcp/500-600 | udp/300-400 |
| udp.port | udp/53 | tcp/500-600, udp/53 |
| udp.range | udp/4500-6500 | udp/4500-6500, udp/53 |
| udp.port-range_geq | udp/700-1000 | udp/20-120 |
| port | tcp/5060, tcp/5070 | udp/5060, tcp/21 |
| port-range | udp/5000-6500 | udp/5000-6500, tcp/700-960 |
| port-range_geq | tcp/100-200 | udp/100-200 |
| any-services | tcp/123, tcp/443, udp/100-200 | tcp/123, tcp/443 |
| any | any | --- |
| anything | * | * |

3.3 Not matching

| Looking for | Example 1 | Example 2 |
|---|---|---|
| tcp.port | tcp/400-500 | tcp/22, udp/500 |
| tcp.range | tcp/501-600, udp/500 | tcp/501-600 |
| tcp.port-range_geq | tcp/50-100 | udp/100-1500 |
| udp.port | udp/500 | any |
| udp.range | udp/4500-6499 | udp/4500-6499, tcp/21 |
| udp.port-range_geq | tcp/20-120 | udp/40-90 |
| port | tcp/21 | tcp/5070 |
| port-range | udp/5002-5010 | udp/5001-6500 |
| port-range_geq | tcp/400-450 | tcp/400-450 |
| any-services | any | --- |
| any | tcp/123, udp/100-200 | tcp/443 |
| anything | --- | --- |

4 Action

4.1 Synapsa rules

| Looking for | Value | Description |
|---|---|---|
| allow | --- | Matching Allow |
| not-allow | --- | Matching anything other than Allow: Deny, Drop, Reset Client, Reset Server, Reset both client and server |

4.2 Matching examples

| Looking for | Example 1 | Example 2 |
|---|---|---|
| allow | Allow | --- |
| not-allow | Drop | Deny |

4.3 Not matching

| Looking for | Example 1 | Example 2 |
|---|---|---|
| allow | Drop | Deny |
| not-allow | Allow | --- |

5 Allowed EDL lists

| Looking for | Value | Description |
|---|---|---|
| EDL name | Name your lists | Enter the names of the External Dynamic Lists that will be included in IP address matching. By default all EDLs are skipped. |

6 Notes

  1. All keywords for security zones are case insensitive.
  2. The logical operator between conditions is AND, meaning all conditions have to be True for the whole auditor rule to be True.
  3. The matching values in each row are shown in bold.

(*) The condition matches if one of the objects in the specified field matches the criteria.

(**) Specify a single value if you want to match only when the zone contains your keyword exclusively.
