Identify and configure Security policy match conditions, actions, and logging options.

Palo Alto Networks PCNSA Study Guide v10

Implicit vs Explicit

The two predefined rules, intrazone and interzone, are the only implicit rules on a Palo Alto firewall. Explicit rules are defined by an administrator and are always evaluated before the implicit rules. By default, implicit rules are not logged and explicit rules are logged; both settings are configurable.

Shadow Rules

A shadow rule is a security policy rule whose placement prevents one or more rules below it from ever matching. This is generally because the upper rule is less specific than the rules that follow it. If a shadow rule is detected during a commit, it appears in a new Rule Shadow tab.

Security Rule Hit Count

There are three items tracked by PAN-OS for security rule hits.

  • Hit Count
  • Last Hit
  • First Hit
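The following is an added example (not from the study guide or PAN-OS) that models the first-match rulebase described above: it flags a rule that an earlier, less specific rule shadows, falls through to the implicit intrazone/interzone defaults when no explicit rule matches, and records Hit Count, First Hit and Last Hit per rule. Rule names, zones, applications and timestamps are constructed, and only three match fields are modelled.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

ANY = frozenset({"any"})                  # "any" in a field matches every value
MATCH_FIELDS = ("src_zone", "dst_zone", "app")
# The two predefined implicit rules and their default actions (assumed model).
IMPLICIT = {"intrazone-default": "allow", "interzone-default": "deny"}

@dataclass
class Rule:
    name: str
    src_zone: FrozenSet[str]
    dst_zone: FrozenSet[str]
    app: FrozenSet[str]
    action: str
    hit_count: int = 0                    # the three hit-tracking items
    first_hit: Optional[str] = None
    last_hit: Optional[str] = None

def covers(a: FrozenSet[str], b: FrozenSet[str]) -> bool:
    """True when value set a matches everything value set b can match."""
    return a == ANY or b <= a

def shadowed_by(rules: List[Rule]) -> Dict[str, str]:
    """Map each rule fully covered by a single earlier rule to that rule's name.
    Assumption: only coverage by one earlier rule is checked, not by a union
    of several earlier rules, and only the three fields in MATCH_FIELDS."""
    found: Dict[str, str] = {}
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if all(covers(getattr(earlier, f), getattr(later, f)) for f in MATCH_FIELDS):
                found[later.name] = earlier.name   # later can never match
                break
    return found

def evaluate(rules: List[Rule], src_zone: str, dst_zone: str, app: str, when: str) -> Tuple[str, str]:
    """First-match lookup: explicit rules in order, then the implicit defaults."""
    packet = {"src_zone": src_zone, "dst_zone": dst_zone, "app": app}
    for r in rules:
        if all(covers(getattr(r, f), frozenset({packet[f]})) for f in MATCH_FIELDS):
            r.hit_count += 1
            r.first_hit = r.first_hit or when     # set once, on the first match
            r.last_hit = when                     # updated on every match
            return r.name, r.action
    name = "intrazone-default" if src_zone == dst_zone else "interzone-default"
    return name, IMPLICIT[name]

def build_rules() -> List[Rule]:
    """Constructed sample rulebase: allow-ssl is shadowed by allow-web."""
    return [
        Rule("allow-web", frozenset({"trust"}), frozenset({"untrust"}), ANY, "allow"),
        Rule("allow-ssl", frozenset({"trust"}), frozenset({"untrust"}), frozenset({"ssl"}), "allow"),
        Rule("block-ftp", frozenset({"trust"}), frozenset({"dmz"}), frozenset({"ftp"}), "deny"),
    ]
```

Running `shadowed_by(build_rules())` reports `allow-ssl` as shadowed by `allow-web`, and the hit counters show the shadowed rule staying at zero while traffic it was written for is counted against the rule above it.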