Security rule permits any service on Palo Alto Networks devices
Description
This policy detects whether security rules on Palo Alto Networks devices use the 'any' setting for the service attribute instead of specifying a particular service. Setting the 'service' attribute to 'any' creates an overly permissive rule, potentially allowing traffic that should be controlled or blocked. Configuring a specific value, on the other hand, results in tighter control and more precise traffic management.
Code Example
```yaml
- name: Example
  ...
  tasks:
    - name: Example
      paloaltonetworks.panos.panos_security_rule:
        ...
        application: ['ssl']
-       service: ['any'] # Service is any
+       service: ['http', 'https']
```
Remediation
Palo Alto Networks
- Resource: panos_security_rule
- Attribute: service
To mitigate this issue, define specific services in security rules to enforce the intended access controls and enhance the overall security posture. Set the service attribute in your panos_security_rule resources to exact service definitions, avoiding the use of 'any'.
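The check described above, re-implemented as a stand-alone script over a parsed Ansible playbook. This is an added example, not Checkov's own code: it assumes the playbook has already been loaded into Python structures (the constructed sample below mirrors the before/after rules on this page) and that a missing service attribute falls back to the module default of ['any'].

```python
"""Flag panos_security_rule tasks whose 'service' permits any service (CKV_PAN_6 idea)."""

# Both the FQCN and the short module name can appear in playbooks.
PANOS_RULE_MODULES = ("paloaltonetworks.panos.panos_security_rule", "panos_security_rule")


def iter_tasks(tasks):
    """Yield every task in a task list, descending into block/rescue/always."""
    for task in tasks or []:
        if not isinstance(task, dict):
            continue
        nested = [k for k in ("block", "rescue", "always") if k in task]
        for key in nested:
            yield from iter_tasks(task[key])
        if not nested:
            yield task


def service_is_any(params):
    """True when the rule matches every service.
    Assumption: an omitted 'service' uses the module default ['any']."""
    service = params.get("service", ["any"])
    if isinstance(service, str):
        service = [service]
    return any(str(s).strip().lower() == "any" for s in service)


def find_any_service_rules(playbook):
    """Return the names of panos_security_rule tasks that permit any service."""
    findings = []
    for play in playbook:
        for section in ("pre_tasks", "tasks", "post_tasks"):
            for task in iter_tasks(play.get(section)):
                for module in PANOS_RULE_MODULES:
                    if module in task and service_is_any(task[module] or {}):
                        findings.append(task.get("name", "<unnamed>"))
    return findings


# Constructed sample playbook (already parsed), not taken from any real environment.
SAMPLE_PLAYBOOK = [
    {"name": "Example", "hosts": "firewalls", "tasks": [
        {"name": "Permissive rule", "paloaltonetworks.panos.panos_security_rule": {
            "rule_name": "web", "application": ["ssl"], "service": ["any"]}},
        {"name": "Scoped rule", "paloaltonetworks.panos.panos_security_rule": {
            "rule_name": "web", "application": ["ssl"], "service": ["http", "https"]}},
        {"block": [{"name": "Defaulted rule", "panos_security_rule": {"rule_name": "legacy"}}]},
    ]},
]

if __name__ == "__main__":
    print(find_any_service_rules(SAMPLE_PLAYBOOK))  # ['Permissive rule', 'Defaulted rule']
```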
Secure Code Example:
Rule Details
| Field | Value |
|---|---|
| ID | IAC-1288 |
| Severity | LOW |
| IaC Type | Terraform |
| Frameworks | Ansible |
| Checkov ID | CKV_PAN_6 |