The Palo Alto Networks security platform must deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).
An XCCDF Rule
Description
<VulnDiscussion>A deny-all, permit-by-exception network communications traffic policy ensures that only those connections that are essential and approved are allowed. As a managed boundary interface between networks, the Palo Alto Networks security platform must block all inbound and outbound network traffic unless a policy filter is installed to explicitly allow it. The allow policy filters must comply with the site's security policy. By default, there are two security policies on the Palo Alto Networks firewall: (1) allow traffic within the same zone (intra-zone) and (2) deny traffic from one zone to another zone (inter-zone). No policy that circumvents the inter-zone policy is allowed. Traffic through the device is permitted by policies developed to allow only the specific traffic that the system or enclave requires.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID: SV-228845r557387_rule
- Severity: Medium
- References:
- Updated:
Remediation - Manual Procedure
Do not configure any policies or rules that violate a deny-all, permit-by-exception policy.
Configure policies that allow traffic through the device based only on the mission and system requirements.
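As an added check (not part of the STIG or of Palo Alto Networks' own tooling), the following Python script audits an exported security rulebase for rules that violate the deny-all, permit-by-exception requirement above: blanket allow rules, allow rules not limited to a specific application or service, and an inter-zone default overridden to allow. The sample XML is constructed and its PAN-OS-style layout is an assumption; confirm it against a real exported configuration before relying on it.

```python
"""Audit a PAN-OS-style security rulebase for deny-all, permit-by-exception violations.
The sample XML is constructed, laid out like a PAN-OS running config (rulebase/security/
rules/entry plus default-security-rules); that layout is an assumption for this example."""
import xml.etree.ElementTree as ET

MATCH_FIELDS = ("from", "to", "source", "destination", "application", "service")
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
<rulebase><security><rules>
  <entry name="web-to-dmz"><from><member>trust</member></from><to><member>dmz</member></to>
    <source><member>10.1.0.0/16</member></source><destination><member>dmz-web</member></destination>
    <application><member>web-browsing</member><member>ssl</member></application>
    <service><member>application-default</member></service><action>allow</action></entry>
  <entry name="catch-all-allow"><from><member>any</member></from><to><member>any</member></to>
    <source><member>any</member></source><destination><member>any</member></destination>
    <application><member>any</member></application><service><member>any</member></service>
    <action>allow</action></entry>
  <entry name="cleanup"><from><member>any</member></from><to><member>any</member></to>
    <source><member>any</member></source><destination><member>any</member></destination>
    <application><member>any</member></application><service><member>any</member></service>
    <action>deny</action></entry>
</rules></security></rulebase>
<default-security-rules><rules><entry name="interzone-default"><action>allow</action></entry></rules></default-security-rules>
</entry></vsys></entry></devices></config>"""

def members(entry, field):
    """Set of <member> values under one match field of a rule entry."""
    return {m.text.strip() for m in entry.findall(f"{field}/member")}

def audit_rulebase(xml_text):
    """Return [(rule name, reason)] for rules that weaken deny-all, permit-by-exception."""
    root = ET.fromstring(xml_text)
    findings = []
    for rule in root.iterfind(".//rulebase/security/rules/entry"):
        if rule.findtext("action") != "allow":
            continue  # deny/drop rules never widen the policy
        fields = {f: members(rule, f) for f in MATCH_FIELDS}
        if all(fields[f] == {"any"} for f in MATCH_FIELDS):
            findings.append((rule.get("name"), "allow rule matches all traffic (circumvents deny-all)"))
        elif fields["application"] == {"any"} and fields["service"] == {"any"}:
            findings.append((rule.get("name"), "allow rule not limited to a required application or service"))
    # The built-in inter-zone default denies; overriding it to allow circumvents that policy.
    for rule in root.iterfind(".//default-security-rules/rules/entry"):
        if rule.get("name") == "interzone-default" and rule.findtext("action") == "allow":
            findings.append((rule.get("name"), "inter-zone default overridden to allow"))
    return findings

if __name__ == "__main__":
    for name, reason in audit_rulebase(SAMPLE_CONFIG):
        print(f"{name}: {reason}")
```

On the sample, the script reports `catch-all-allow` and `interzone-default` and leaves the scoped `web-to-dmz` rule and the `cleanup` deny rule alone.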