Date published: 2020-06-08
Synapsa Firewall Auditor - Palo Alto documentation
Chapters
- 1 Tag
- 1.1 Synapsa rules
- 1.2 Matching examples
- 1.3 Not matching
- 2 Source or Destination IP
- 2.1 Synapsa rules
- 2.2 Matching examples
- 2.3 Not matching
- 3 Source or Destination Zone
- 3.1 Synapsa rules
- 3.2 Matching examples
- 3.3 Not matching
- 4 Service
- 4.1 Synapsa rules
- 4.2 Matching examples
- 4.3 Not matching
- 5 Logging
- 5.1 Synapsa rules
- 5.2 Matching examples
- 5.3 Not matching
- 6 Security profile group / profiles
- 6.1 Synapsa rules
- 6.2 Matching examples
- 6.3 Not matching
- 7 Action
- 7.1 Synapsa rules
- 7.2 Matching examples
- 7.3 Not matching
- 8 Allowed EDL lists
- 9 Notes
1 Tag
1.1 Synapsa rules
| Looking for | Value | Can negate | Description |
|---|---|---|---|
| tag.exact | skip-test | yes | Matching if exactly this tag and no other tag is attached to the rule |
| tag.multi | test, skip | yes | Matching if ALL the tags are attached to the rule |
| tag.multi-any | test, skip | yes | Matching if ANY of the tags are attached to the rule |
| tag.no | --- | yes | Matching if NO tag is attached to the rule |
| anything | --- | --- | Matching always |
1.2 Matching examples
| Looking for | Example 1 | Example 2 |
|---|---|---|
| tag.exact | skip | |
| tag.multi | test, skip | skip, test, prio1 |
| tag.multi-any | redflag, test, external, skip | blue, test, external, skip, red |
| tag.no | ||
| anything | * | * |
1.3 Not matching
| Looking for | Example 1 | Example 2 |
|---|---|---|
| tag.exact | audit | audit, prio1 |
| tag.multi | ||
| tag.multi-any | red, blue | |
| tag.no | skip | skip, test, prio1 |
| anything | --- | --- |
2 Source or Destination IP
The same conditions apply for Source and Destination IP.
2.1 Synapsa rules
| Looking for | Value | Can negate | Description |
|---|---|---|---|
| exact.ip | 192.168.1.50 | yes | Looking for exact IP in the address field (*) |
| exact.net | 192.168.1.0/24 | yes | Looking for exact Network in the address field (*) |
| within.net | 192.168.1.0/24 | yes | Looking for any IP or subnet within the net (*) |
| any-ip-address | --- | --- | Matching if SRC/DST is any IP address or network, but not the keyword "any" |
| any | --- | --- | Matching if SRC/DST is keyword "any" |
| anything | --- | --- | Matching always |
| exact.region | SK | yes | Region MUST be exact SK |
| within.region | SK, CZ, EU | yes | Matching if at least one of SK, CZ or EU is among the regions in the policy |
| multi.region | SK, CZ, EU | yes | Matching if all three (SK, CZ and EU) are among the regions in the policy |
2.2 Matching examples
| Looking for | Example 1 | Example 2 |
|---|---|---|
| exact.ip | 192.168.1.50 | 192.168.1.50, 10.12.50.2 |
| exact.net | 192.168.1.0/24 | 192.168.1.0/24, 10.12.50.2 |
| within.net | 192.168.1.20 | 192.168.1.64/26, 10.1.1.12 |
| any-ip-address | 10.12.50.12, 172.16.20.20 | 10.12.50.0/27, 172.16.20.20 |
| any | any | --- |
| anything | * | * |
| exact.region | SK | |
| within.region | SK, CZ | SK, CN, RU, USA, UK |
| multi.region | SK, RU, CN, CZ, EU | SK, RU, CN, CZ, EU, USA |
2.3 Not matching
| Looking for | Example 1 | Example 2 |
|---|---|---|
| exact.ip | 192.168.1.20 | 10.10.2.30 |
| exact.net | 192.168.1.2/24 | 10.10.2.30 |
| within.net | 192.168.2.50 | 10.15.2.30 |
| any-ip-address | any | --- |
| any | 10.12.50.0/27, 172.16.2.20 | 10.0.0.0/8 |
| anything | --- | --- |
| exact.region | CZ | EU |
| within.region | CN, RU | |
| multi.region | SK, CZ, USA, RU | EU, CZ, USA, RU |
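The Source/Destination IP conditions of section 2 map directly onto the standard library's `ipaddress` module. The following is an added example, not Synapsa's own code: the function names, the list-of-strings representation of the policy's address field (with the keyword "any" represented as `["any"]`) and the treatment of "192.168.1.2/24" as a host-with-mask rather than a network are my assumptions, chosen so that the matching and not-matching examples above come out as the tables state.

```python
import ipaddress
from typing import List


def _host(member: str):
    """Return the address when the member denotes a single host (no mask or /32), else None."""
    iface = ipaddress.ip_interface(member)
    return iface.ip if iface.network.num_addresses == 1 else None


def _network(member: str):
    """Return the network when the member is written as a whole network (host bits zero), else None."""
    try:
        return ipaddress.ip_network(member)   # strict: "192.168.1.2/24" is rejected, as in 2.3
    except ValueError:
        return None


def match_ip(condition: str, value: str, field: List[str], negate: bool = False) -> bool:
    """Evaluate one Source/Destination IP condition against a policy's address field.

    `field` lists the address members configured on the policy (constructed input);
    the keyword "any" is represented as ["any"]. Per note (*), the condition matches
    when at least one member matches it. `negate` inverts the result where the
    table allows it ("Can negate = yes").
    """
    is_any = [m.strip().lower() for m in field] == ["any"]
    if condition == "anything":
        return True                                  # always matches, not negatable
    if condition == "any":
        result = is_any
    elif condition == "any-ip-address":
        result = bool(field) and not is_any          # addresses or networks, but not "any"
    elif is_any:
        result = False                               # "any" is never a concrete address
    elif condition == "exact.ip":
        want = ipaddress.ip_address(value)
        result = any(_host(m) == want for m in field)
    elif condition == "exact.net":
        want = ipaddress.ip_network(value)
        result = any(_network(m) == want for m in field)
    elif condition == "within.net":
        want = ipaddress.ip_network(value)
        result = any(
            n.version == want.version and n.subnet_of(want)
            for n in (ipaddress.ip_interface(m).network for m in field)
        )
    else:
        raise ValueError(f"unknown condition {condition!r}")
    return result != negate


def match_region(condition: str, values: List[str], field: List[str], negate: bool = False) -> bool:
    """Region conditions: exact.region (exactly that region), within.region (any of the
    listed regions present), multi.region (all listed regions present)."""
    want = {v.strip().upper() for v in values}
    have = {r.strip().upper() for r in field}
    if condition == "exact.region":
        result = have == want
    elif condition == "within.region":
        result = bool(want & have)
    elif condition == "multi.region":
        result = want <= have
    else:
        raise ValueError(f"unknown condition {condition!r}")
    return result != negate
```

The strict parse in `_network` is what makes "192.168.1.2/24" fail `exact.net` while "192.168.1.0/24" passes; `within.net` deliberately uses the non-strict `ip_interface` so that a host written with a mask still counts as lying inside the network.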
3 Source or Destination Zone
The same conditions apply for Source and Destination Zone.
3.1 Synapsa rules
| Looking for | Value | Can negate | Description |
|---|---|---|---|
| zone | Untrust | yes | Matching if Zone contains only the ONE specific zone we are looking for |
| multizone | Untrust, DMZ | yes | Matching if Zone contains ALL the zones we are looking for |
| multizone-any | Servers, Untrust, DMZ | yes | Matching if Zone contains ANY of the specified zones (**) |
| any-or-multizone-any | Servers, Untrust, DMZ | yes | Matching keyword "any" or ANY of the specified zones |
| any-zones | --- | --- | Matching if any zones are configured; the keyword "any" does not match |
| any | --- | --- | Only matching keyword "any" |
| anything | --- | --- | Matching always |
3.2 Matching examples
| Looking for | Example 1 | Example 2 |
|---|---|---|
| zone | Untrust | --- |
| multizone | Untrust, DMZ | --- |
| multizone-any | Servers | Servers, DMZ, LAN, Untrust |
| any-or-multizone-any | any | Servers, DMZ, LAN, Untrust |
| any-zones | Trust, DMZ | Untrust, WAN, DMZ, Servers |
| any | any | --- |
| anything | * | * |
3.3 Not matching
| Looking for | Example 1 | Example 2 |
|---|---|---|
| zone | DMZ, WAN | Untrust, DMZ |
| multizone | Untrust, WAN, LAN | LAN, Untrust |
| multizone-any | Internet | any |
| any-or-multizone-any | Internet | Users |
| any-zones | any | --- |
| any | Untrust, WAN | Internet |
| anything | --- | --- |
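The Tag conditions of section 1 and the Zone conditions of section 3 are the same kind of set comparison between the values entered in the auditor rule and the values attached to the security policy, so one added example covers both. This is not Synapsa's code: the function names are mine, the policy data is constructed, and applying the case-insensitive rule from the Notes (stated there for zones) to tags as well is an assumption.

```python
from typing import Iterable


def _norm(values: Iterable[str]) -> set:
    """Normalise a list of keywords: trimmed, lower-cased, blanks dropped."""
    return {v.strip().lower() for v in values if v.strip()}


def match_tag(condition: str, wanted: Iterable[str], tags: Iterable[str], negate: bool = False) -> bool:
    """Section 1: `wanted` is the auditor value, `tags` the tags attached to the policy."""
    want, have = _norm(wanted), _norm(tags)
    if condition == "anything":
        return True                                   # always matches, not negatable
    if condition == "tag.exact":
        result = len(want) == 1 and have == want      # that tag and no other
    elif condition == "tag.multi":
        result = want <= have                         # ALL wanted tags attached
    elif condition == "tag.multi-any":
        result = bool(want & have)                    # ANY wanted tag attached
    elif condition == "tag.no":
        result = not have                             # no tag at all
    else:
        raise ValueError(f"unknown condition {condition!r}")
    return result != negate


def match_zone(condition: str, wanted: Iterable[str], zones: Iterable[str], negate: bool = False) -> bool:
    """Section 3: same set logic as tags, plus the special keyword "any"."""
    want, have = _norm(wanted), _norm(zones)
    is_any = have == {"any"}
    if condition == "anything":
        return True
    if condition == "any":
        result = is_any                               # only the keyword "any"
    elif condition == "any-zones":
        result = bool(have) and not is_any            # configured zones, but not "any"
    elif condition == "zone":
        result = len(want) == 1 and have == want      # the one zone and nothing else
    elif condition == "multizone":
        result = not is_any and want <= have          # ALL wanted zones present
    elif condition == "multizone-any":
        result = not is_any and bool(want & have)     # ANY wanted zone present
    elif condition == "any-or-multizone-any":
        result = is_any or bool(want & have)
    else:
        raise ValueError(f"unknown condition {condition!r}")
    return result != negate
```

Negation is applied last as an exclusive-or, which is exactly what "Can negate" means for a single condition; the `anything` conditions return before that step because the tables mark them as not negatable.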
4 Service
4.1 Synapsa rules
| Looking for | Value | Can negate | Description |
|---|---|---|---|
| tcp.port | 443 | yes | Matching exactly TCP / 443 (*) |
| tcp.range | 500-600 | yes | Matching exactly the TCP range 500-600, bounds inclusive (*) |
| tcp.port-range_geq | 100 | yes | Matching when the size of a TCP port range is greater than or equal to 100 ports |
| udp.port | 53 | yes | Matching exactly UDP port 53 (*) |
| udp.range | 4500-6500 | yes | Matching exactly the UDP range 4500-6500, bounds inclusive (*) |
| udp.port-range_geq | 100 | yes | Matching when the size of a UDP port range is greater than or equal to 100 ports |
| port | 5060 | yes | Matching TCP or UDP port 5060 (*) |
| port-range | 5000-6500 | yes | Matching exactly the TCP or UDP range 5000-6500, bounds inclusive (*) |
| port-range_geq | 100 | yes | Matching when the size of a TCP or UDP port range is greater than or equal to 100 ports |
| any-services | --- | --- | Matching any configured service, but not the keyword "any" |
| any | --- | --- | Only matching "any" |
| app-default | --- | --- | Only matching "app-default" |
| anything | --- | --- | Matching always |
4.2 Matching examples
| Looking for | Example 1 | Example 2 |
|---|---|---|
| tcp.port | tcp/443 | tcp/443, udp/500 |
| tcp.range | tcp/500-600 | tcp/500-600, udp/500 |
| tcp.port-range_geq | tcp/500-600 | udp/300-400 |
| udp.port | udp/53 | tcp/500-600, udp/53 |
| udp.range | udp/4500-6500 | udp/4500-6500, udp/53 |
| udp.port-range_geq | udp/700-1000 | udp/20-120 |
| port | tcp/5060, tcp/5070 | udp/5060, tcp/21 |
| port-range | udp/5000-6500 | udp/5000-6500, tcp/700-960 |
| port-range_geq | tcp/100-200 | udp/100-200 |
| any-services | tcp/123, tcp/443, udp/100-200 | tcp/123, tcp/443 |
| any | any | --- |
| app-default | ||
| anything | * | * |
4.3 Not matching
| Looking for | Example 1 | Example 2 |
|---|---|---|
| tcp.port | tcp/400-500 | tcp/22,udp/500 |
| tcp.range | tcp/501-600, udp/500 | tcp/501-600 |
| tcp.port-range_geq | tcp/50-100 | udp/100-1500 |
| udp.port | udp/500 | any |
| udp.range | udp/4500-6499 | udp/4500-6499, tcp/21 |
| udp.port-range_geq | tcp/20-120 | udp/40-90 |
| port | tcp/21 | tcp/5070 |
| port-range | udp/5002-5010 | udp/5001-6500 |
| port-range_geq | tcp/400-450 | tcp/400-450 |
| any-services | any | --- |
| any | tcp/123, udp/100-200 | tcp/443 |
| app-default | ||
| anything | --- | --- |
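The Service conditions of section 4 need a small parser for the `proto/port` and `proto/low-high` notation used in the example tables before any comparison can be made. The block below is an added example, not Synapsa's code: it assumes that named service objects have already been resolved to that notation, that the `*_geq` conditions compare the number of ports a range spans (the reading under which every example in 4.2 and 4.3 is consistent), and that `app-default` may also appear as PAN-OS's own spelling `application-default`.

```python
import re
from typing import List, NamedTuple, Tuple

_SERVICE_RE = re.compile(r"^(tcp|udp)/(\d{1,5})(?:-(\d{1,5}))?$", re.IGNORECASE)
# Keywords that can stand alone in the service field; PAN-OS spells the second one
# "application-default" in its configuration, the table above abbreviates it.
_KEYWORDS = {"any", "app-default", "application-default"}

# auditor condition -> (protocol it is restricted to, or None for "TCP or UDP", comparison kind)
_KINDS = {
    "tcp.port": ("tcp", "port"), "tcp.range": ("tcp", "range"), "tcp.port-range_geq": ("tcp", "geq"),
    "udp.port": ("udp", "port"), "udp.range": ("udp", "range"), "udp.port-range_geq": ("udp", "geq"),
    "port": (None, "port"), "port-range": (None, "range"), "port-range_geq": (None, "geq"),
}


class Service(NamedTuple):
    proto: str
    low: int
    high: int

    @property
    def width(self) -> int:
        """Number of ports the member covers; a single port is a range of width 1."""
        return self.high - self.low + 1


def parse_service(member: str) -> Service:
    """Parse "tcp/443" or "udp/500-600" (named service objects are assumed to be resolved already)."""
    m = _SERVICE_RE.match(member.strip())
    if not m:
        raise ValueError(f"not a proto/port member: {member!r}")
    low = int(m.group(2))
    high = int(m.group(3)) if m.group(3) else low
    if not 0 <= low <= high <= 65535:
        raise ValueError(f"bad port range: {member!r}")
    return Service(m.group(1).lower(), low, high)


def parse_range(value: str) -> Tuple[int, int]:
    """Parse the auditor's "500-600" value (a bare port is a range of one)."""
    low, _, high = value.partition("-")
    return int(low), (int(high) if high else int(low))


def match_service(condition: str, value: str, field: List[str], negate: bool = False) -> bool:
    """Evaluate one Service condition against the policy's service members (constructed input).
    Per note (*), one matching member is enough."""
    members = [m.strip().lower() for m in field]
    is_keyword = len(members) == 1 and members[0] in _KEYWORDS
    if condition == "anything":
        return True                                   # always matches, not negatable
    if condition == "any":
        result = members == ["any"]
    elif condition == "app-default":
        result = members in (["app-default"], ["application-default"])
    elif condition == "any-services":
        result = bool(members) and not is_keyword
    elif condition in _KINDS:
        proto, kind = _KINDS[condition]
        services = [] if is_keyword else [parse_service(m) for m in members]
        candidates = [s for s in services if proto is None or s.proto == proto]
        if kind == "port":
            port = int(value)
            result = any(s.low == s.high == port for s in candidates)
        elif kind == "range":
            result = any((s.low, s.high) == parse_range(value) for s in candidates)
        else:  # "geq": the range must span at least `value` ports
            result = any(s.width >= int(value) for s in candidates)
    else:
        raise ValueError(f"unknown condition {condition!r}")
    return result != negate
```

Note the asymmetry the tables encode: `tcp.port 443` does not match `tcp/400-500` even though 443 lies inside it, because the condition asks for that exact single-port member, while `tcp.range 500-600` does not match `tcp/501-600` because the bounds must be identical.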
5 Logging
5.1 Synapsa rules
| Looking for | Value | Can negate | Description |
|---|---|---|---|
| Log-start.enabled | Yes | yes | Matching if rule has "log-start = yes" |
| Log-start.enabled | No | yes | Matching if rule has "log-start = no" or no log-start item is found |
| Log-end.enabled | Yes | yes | Matching if rule has "log-end = yes" |
| Log-end.enabled | No | yes | Matching if rule has "log-end = no" or no log-end item is found |
| Log forwarding | Disabled | --- | Matching if Log Forwarding is NOT enabled |
| Log forwarding | Enabled | --- | Matching if Log Forwarding is enabled, no matter which profile |
| Log forwarding.profile | To-Panorama | yes | Matching if the log forwarding profile is exactly the entered value |
5.2 Matching examples
| Looking for | Example 1 | Example 2 |
|---|---|---|
| Log-start.enabled | log-start=yes | |
| Log-start.enabled | log-start=no | no log-start found |
| Log-end.enabled | log-end=yes | |
| Log-end.enabled | log-end=no | no log-end found |
| Log forwarding | log-setting not found | |
| Log forwarding | ||
| Log forwarding.profile | log-setting=To-Panorama | |
5.3 Not matching
| Looking for | Example 1 | Example 2 |
|---|---|---|
| Log-start.enabled | log-start=no | no log-start found |
| Log-start.enabled | log-start=yes | |
| Log-end.enabled | log-end=no | |
| Log-end.enabled | log-end=yes | |
| Log forwarding | log-setting=To-Panorama | log-setting=Profile1 |
| Log forwarding | ||
| Log forwarding.profile | log-setting not found | |
"Not found" means that the XML item is not present for the given security policy in the API response.
6 Security profile group / profiles
6.1 Synapsa rules
| Looking for | Value | Can negate | Description |
|---|---|---|---|
| Profile.type | Group / Profiles | --- | Dropdown menu; select either Group or Profiles |
| group.exact | grp_strict | --- | Matching when the profile-setting group member equals "grp_strict" |
| group-any-of | grp_strict, grp_alert | --- | Matching when group is set to any of listed |
| disabled | --- | --- | Matching when rule has no security profile or group assigned |
| enabled | --- | --- | Matching when rule has ANY security profile or group assigned |
| anything | --- | --- | Matching always |
| profile.antivirus | value / none / any-of / anything | Value: yes, Any-of: yes | Value - match the exact name of the profile (example: value = prof1). None - match when no profile is enabled. Any-of - match when the profile is one of the user-specified values. Anything - always match |
| profile.vulnerability | value / none / anything / any-of | Value: yes, Any-of: yes | Same logic as above |
| profile.anti-spyware | value / none / anything / any-of | Value: yes, Any-of: yes | Same logic as above |
| profile.url-filtering | value / none / anything / any-of | Value: yes, Any-of: yes | Same logic as above |
| profile.file-blocking | value / none / anything / any-of | Value: yes, Any-of: yes | Same logic as above |
| profile.data-filtering | value / none / anything / any-of | Value: yes, Any-of: yes | Same logic as above |
| profile.wildfire | value / none / anything / any-of | Value: yes, Any-of: yes | Same logic as above |
6.2 Matching examples
| Looking for | Example 1 | Example 2 |
|---|---|---|
| Profile.type | ||
| group.exact | ||
| group-any-of | grp_strict | grp_alert |
| disabled | ||
| enabled | ||
| anything | ||
| profile.antivirus | <virus loc="FW1"><member loc="FW1">prof1</member></virus> | |
| profile.vulnerability | Same logic as above | |
| profile.anti-spyware | Same logic as above | |
| profile.url-filtering | Same logic as above | |
| profile.file-blocking | Same logic as above | |
| profile.data-filtering | Same logic as above | |
| profile.wildfire | Same logic as above | |
6.3 Not matching
| Looking for | Example 1 | Example 2 |
|---|---|---|
| Profile.type | ||
| group.exact | no profile-setting found | |
| group-any-of | grp_low | |
| disabled | ||
| enabled | ||
| anything | ||
| profile.antivirus | <virus loc="FW1"><member loc="FW1">NP</member></virus> | No <virus> XML item in the API response |
| profile.vulnerability | Same logic as above | Same logic as above |
| profile.anti-spyware | Same logic as above | Same logic as above |
| profile.url-filtering | Same logic as above | Same logic as above |
| profile.file-blocking | Same logic as above | Same logic as above |
| profile.data-filtering | Same logic as above | Same logic as above |
| profile.wildfire | Same logic as above | Same logic as above |
Profile names are not case sensitive.
"Value" is user input; "None" and "Anything" are pre-defined values.
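Both the Logging conditions of section 5 and the profile conditions of section 6 are answered by looking at the XML of the security-rule `<entry>` that the firewall API returns, so one added example serves both sections; it also shows the AND composition of conditions described in the Notes. This is not Synapsa's code: the sample entries are constructed, the function names are mine, and the mapping from the auditor's `profile.*` names to the element names under `<profile-setting><profiles>` is my assumption about the PAN-OS schema, to be checked against your own configuration export.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the <entry> elements a security-rule query returns (not a real export).
SAMPLE_RULES_XML = """<rules>
  <entry name="r1">
    <log-start>yes</log-start>
    <log-end>no</log-end>
    <log-setting>To-Panorama</log-setting>
    <profile-setting>
      <profiles>
        <virus><member>prof1</member></virus>
        <vulnerability><member>strict</member></vulnerability>
      </profiles>
    </profile-setting>
  </entry>
  <entry name="r2"/>
  <entry name="r3">
    <log-end>yes</log-end>
    <profile-setting>
      <group><member>grp_strict</member></group>
    </profile-setting>
  </entry>
</rules>"""

RULES = {e.get("name"): e for e in ET.fromstring(SAMPLE_RULES_XML).findall("entry")}

# Auditor condition name -> element name under <profile-setting><profiles> (assumed schema names).
PROFILE_ELEMENTS = {
    "profile.antivirus": "virus",
    "profile.vulnerability": "vulnerability",
    "profile.anti-spyware": "spyware",
    "profile.url-filtering": "url-filtering",
    "profile.file-blocking": "file-blocking",
    "profile.data-filtering": "data-filtering",
    "profile.wildfire": "wildfire-analysis",
}


def _text(entry, path):
    """Text of a child element, or None when the XML item is not present ("not found")."""
    el = entry.find(path)
    return el.text.strip() if el is not None and el.text else None


def _members(entry, path):
    """Lower-cased <member> names below `path` (profile names are not case sensitive)."""
    return {m.text.strip().lower() for m in entry.findall(path + "/member") if m.text}


def check(entry, name, value=None):
    """Evaluate one auditor condition (without negation) against a rule <entry>."""
    if name in ("Log-start.enabled", "Log-end.enabled"):
        flag = _text(entry, name.split(".")[0].lower())        # "log-start" / "log-end"
        # "No" also matches when the item is absent, as the Logging table states
        return flag == "yes" if value == "Yes" else flag != "yes"
    if name == "Log forwarding":
        enabled = _text(entry, "log-setting") is not None
        return enabled if value == "Enabled" else not enabled
    if name == "Log forwarding.profile":
        return _text(entry, "log-setting") == value
    group = _members(entry, "profile-setting/group")
    profiles = {el: _members(entry, "profile-setting/profiles/" + el) for el in PROFILE_ELEMENTS.values()}
    has_profiles = any(profiles.values())
    if name == "group.exact":
        return group == {value.lower()}
    if name == "group-any-of":
        return bool(group & {v.lower() for v in value})
    if name == "disabled":
        return not group and not has_profiles
    if name == "enabled":
        return bool(group) or has_profiles
    if name == "anything":
        return True
    if name in PROFILE_ELEMENTS:
        have = profiles[PROFILE_ELEMENTS[name]]
        mode, wanted = value            # ("value", "prof1") / ("none", None) / ("any-of", [...]) / ("anything", None)
        if mode == "value":
            return wanted.lower() in have
        if mode == "none":
            return not have
        if mode == "any-of":
            return bool(have & {w.lower() for w in wanted})
        if mode == "anything":
            return True
    raise ValueError(f"unknown condition {name!r}")


def evaluate(entry, conditions):
    """AND all conditions of an auditor rule (Notes); each condition is (name, value, negate)."""
    return all(check(entry, name, value) != negate for name, value, negate in conditions)
```

Because `_text` returns `None` for a missing element, the two "not found" cases from 5.2 and 5.3 (absent `log-start` satisfying `Log-start.enabled = No`, absent `log-setting` satisfying `Log forwarding = Disabled`) fall out of the same comparison as the explicit values.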
7 Action
7.1 Synapsa rules
| Looking for | Value | Can negate | Description |
|---|---|---|---|
| allow | --- | --- | Matching Allow |
| not-allow | --- | --- | Matching any action other than Allow: Deny, Drop, Reset Client, Reset Server, Reset Both Client and Server |
7.2 Matching examples
| Looking for | Example 1 | Example 2 |
|---|---|---|
| allow | Allow | --- |
| not-allow | Drop | Deny |
7.3 Not matching
| Looking for | Example 1 | Example 2 |
|---|---|---|
| allow | Drop | Deny |
| not-allow | Allow | --- |
8 Allowed EDL lists
| Looking for | Value | Can negate | Description |
|---|---|---|---|
| EDL name | Name your Lists | --- | Enter the names of the External Dynamic Lists to include in IP address matching. By default all EDLs are skipped. |
9 Notes
- All the keywords for security zone are case insensitive.
- The logical operator between conditions is AND: all the conditions have to be True for the whole auditor rule to be True.
- Matching values on every line are shown in bold.
(*) The condition matches if one of the objects in the specified field matches the criteria.
(**) Specify a single value if you want to match only when the zone contains your keyword exclusively.