STEP 1: ADD a rule
Select “Policies” and click Add.
Enter a descriptive Name for the rule in the General tab.
Select a Rule Type.
STEP 2: Define the matching criteria for the source fields in the packet.
In the “Source tab”, set the source zone and specify a source IP Address or leave the value set to any.
In the “User tab”, specify a Source User or leave the value set to any.
STEP 3: Define the matching criteria for the destination fields in the packet.
In the “Destination tab”, set the Destination Zone.
Specify a Destination IP Address or leave the value set to any.
STEP 4: Specify the application the rule will allow or block.
In the “Applications tab”, Add the Application to safely enable.
You can select multiple applications or use application groups or application filters.
In the “Service/URL Category tab”, keep the Service set to application-default to ensure that any applications the rule allows are only allowed on their standard ports.
STEP 5: Define what action you want the firewall to take for traffic that matches the rule.
In the “Actions tab”, select an Action.
Configure the log settings.
By default, the rule is set to Log at Session End. You can clear this setting if you don’t want any logs generated when traffic matches this rule or select Log at Session Start for more detailed logging.
Select a Log Forwarding profile; e.g. Panorama, syslog or SIEM(Security information and event management).
Attach security profiles to enable the firewall to scan all allowed traffic for threats.
In the “Actions tab”, select Profiles from the Profile Type drop-down and then select the individual security profiles to attach to the rule.
Alternatively, select Group from the Profile Type drop-down and select a security Group Profile to attach.
Click on “OK” button to save the policy rule to the running configuration on the firewall
STEP 6: Save and apply the new configuration.
Save the policy rule to the running configuration on the firewall by clicking on Click Commit to save the new configuration.
STEP 6: Verification.
To verify the policy rule that matches a flow, you can use the GUI (image below) or you use the following CLI command:
test security-policy-match source <IP_address> destination <IP_address> destination port <port_number> protocol <protocol_number>
Author: Eric Uwonkunda Ngabonziza