Security rule allows any application on Palo Alto Networks devices
Description
This policy detects security rules on Palo Alto Networks devices whose 'application' attribute is set to 'any' rather than to specific applications. Setting 'application' to 'any' in a security rule produces an overly permissive configuration and can allow traffic that should have been inspected or blocked.
Code Example
```yaml
- name: Ensure application is defined specifically in security rules
  paloaltonetworks.panos.panos_security_rule:
    name: "example-rule"
    application: ['web-browsing', 'ssl']
```
Remediation
Palo Alto Networks
- Resource: panos_security_rule
- Attribute: application
To mitigate this issue, define the application attribute in your panos_security_rule resources with specific applications instead of 'any'. Specifying applications enhances security by ensuring that only traffic corresponding to the defined applications is matched by the rule.
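Detection logic for this policy, as an added example that is not the page's or Checkov's own implementation: it walks parsed Ansible tasks and flags panos_security_rule tasks whose application is 'any', including an 'any' mixed into a list of specific applications and the case where the attribute is omitted (assumed here to fall back to the module's default of 'any'). The task data, task names and helper functions are constructed for this example.

```python
# Detection logic for the policy above: flag Ansible panos_security_rule
# tasks whose 'application' is 'any'. Tasks are the Python structures
# yaml.safe_load() yields for a playbook; the sample tasks are constructed.

MODULE_NAMES = (
    "paloaltonetworks.panos.panos_security_rule",  # fully qualified name
    "panos_security_rule",                         # short module name
)


def application_is_any(task):
    """Return True when a panos_security_rule task matches any application.

    'any' may appear as a bare string or as a list element (an 'any' next
    to specific apps still matches everything). A missing attribute is
    treated as 'any', assumed to be the module's default when omitted.
    Returns None for tasks that are not security rules.
    """
    keys = [k for k in MODULE_NAMES if k in task]
    if not keys:
        return None
    value = (task[keys[0]] or {}).get("application", "any")
    apps = [value] if isinstance(value, str) else value
    return any(str(app).strip().lower() == "any" for app in apps)


def find_violations(tasks):
    """Return the names of tasks that violate the policy."""
    return [t.get("name", "<unnamed>") for t in tasks if application_is_any(t)]


# Constructed sample tasks, as a YAML parser would return them.
SAMPLE_TASKS = [
    {"name": "allow-web",
     "paloaltonetworks.panos.panos_security_rule": {"application": ["web-browsing", "ssl"]}},
    {"name": "allow-everything",
     "paloaltonetworks.panos.panos_security_rule": {"application": "any"}},
    {"name": "mixed-list", "panos_security_rule": {"application": ["dns", "any"]}},
    {"name": "implicit-default", "panos_security_rule": {"source_zone": ["trust"]}},
    {"name": "unrelated-task", "debug": {"msg": "not a firewall rule"}},
]

if __name__ == "__main__":
    for name in find_violations(SAMPLE_TASKS):
        print(f"CKV_PAN_5: task '{name}' allows any application")
```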
Secure Code Example:
Rule Details
| Field | Value |
|---|---|
| ID | IAC-1287 |
| Severity | MEDIUM |
| IaC Type | Terraform |
| Frameworks | Ansible |
| Checkov ID | CKV_PAN_5 |