Security Rule in Palo Alto Networks devices with overly broad Source and Destination IPs
Description
This policy detects whether security rules in Palo Alto Networks devices use 'any' for both 'source_ip' and 'destination_ip' simultaneously. Configuring both source and destination IPs to 'any' in a security rule can lead to overly broad permissions, potentially exposing the network to unintended traffic. At least one of these attributes, either source_ip or destination_ip, should be set to a specific value other than 'any' to enforce more granular and secure traffic filtering.
Code Example
- name: Example
tasks:
- name: Example
paloaltonetworks.panos.panos_security_rule:
name: "example-rule"
- source_ip: ['any']
- destination_ip: ['any']
+ source_ip: ['192.168.1.0/24']
+ destination_ip: ['10.1.2.0/24']Remediation
Palo Alto Networks
- Resource: panos_security_rule
- Attributes: source_ip, destination_ip
To mitigate this risk, ensure that either the source_ip or destination_ip (or both) attributes in your panos_security_rule resources are configured with specific IP addresses or ranges instead of using any. This approach helps define precise and secure network traffic rules.
Secure Code Example:
Rule Details
| Field | Value |
|---|---|
| ID | IAC-1289 |
| Severity | LOW |
| IaC Type | Terraform |
| Frameworks | Ansible |
| Checkov ID | CKV_PAN_7 |