
Security rules apply to all zones on Palo Alto Networks devices

Description

This policy detects security rules on Palo Alto Networks devices that apply indiscriminately to all zones because both 'source_zone' and 'destination_zone' are set to 'any'. Such a rule is overly permissive and can allow unintended access across network segments.

Code Example

```yaml
- name: Example
  ...
  tasks:
    - name: Example
      paloaltonetworks.panos.panos_security_rule:
        ...
-        source_zone: ['any']
+        source_zone: ['outside']
-        destination_zone: ['any']
+        destination_zone: ['inside']
```

Remediation

Palo Alto Networks

  • Resource: panos_security_rule
  • Attributes: source_zone, destination_zone

To mitigate this issue, verify that each panos_security_rule specifies particular zones for both source_zone and destination_zone instead of using 'any'. This approach ensures targeted application of security rules, minimizing the risk of unintended traffic flow.
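The following script is an added example, not part of this policy page or of Checkov's own check implementation. It applies the condition described above (both zone parameters resolving to 'any') to a constructed playbook structure, i.e. the Python data that `yaml.safe_load()` returns for a playbook, so no YAML library is needed. It recognises both the short and the fully-qualified module name, descends into `block`/`rescue`/`always` sections, and, as a labelled assumption, treats an omitted zone parameter as 'any', which this example takes to be the module's default; the rule names and zone names in the sample are constructed.

```python
"""Flag panos_security_rule tasks whose source_zone and destination_zone are both 'any'."""

from typing import Any, Dict, Iterator, List, Tuple

# Both spellings of the module name that may appear in a playbook.
MODULE_NAMES = {"panos_security_rule", "paloaltonetworks.panos.panos_security_rule"}
ZONE_KEYS = ("source_zone", "destination_zone")

# Constructed sample: the structure yaml.safe_load() would produce for a small playbook.
SAMPLE_PLAYBOOK: List[Dict[str, Any]] = [
    {
        "name": "Example",
        "hosts": "firewalls",
        "tasks": [
            {
                "name": "Over-permissive rule (flagged)",
                "paloaltonetworks.panos.panos_security_rule": {
                    "rule_name": "allow-all-zones",
                    "source_zone": ["any"],
                    "destination_zone": ["any"],
                    "action": "allow",
                },
            },
            {
                "name": "Scoped rule (passes)",
                "panos_security_rule": {
                    "rule_name": "outside-to-inside",
                    "source_zone": ["outside"],
                    "destination_zone": ["inside"],
                    "action": "allow",
                },
            },
            {
                "name": "Half-scoped rule (passes: only one side is any)",
                "panos_security_rule": {
                    "rule_name": "dmz-to-anywhere",
                    "source_zone": "dmz",
                    "destination_zone": ["any"],
                },
            },
            {
                "name": "Zones omitted inside a block (flagged under the default-is-any assumption)",
                "block": [
                    {
                        "name": "nested task",
                        "panos_security_rule": {"rule_name": "no-zones-given"},
                    }
                ],
            },
        ],
    }
]


def _zone_is_any(value: Any) -> bool:
    """True when a zone parameter means 'any': omitted, the string 'any', or a list containing it."""
    if value is None:
        return True  # assumption: the module defaults to ['any'] when the key is omitted
    if isinstance(value, str):
        values = [value]
    elif isinstance(value, list):
        values = [str(v) for v in value]
    else:
        return False
    return any(v.strip().lower() == "any" for v in values)


def iter_rule_tasks(tasks: List[Dict[str, Any]]) -> Iterator[Tuple[str, Dict[str, Any]]]:
    """Yield (task name, module args) for each panos_security_rule task, including nested blocks."""
    for task in tasks:
        for section in ("block", "rescue", "always"):
            if isinstance(task.get(section), list):
                yield from iter_rule_tasks(task[section])
        for module in MODULE_NAMES:
            if module in task:
                yield task.get("name", "<unnamed>"), task[module] or {}


def find_all_zone_rules(playbook: List[Dict[str, Any]]) -> List[str]:
    """Return the rule names (or task names) where both zone parameters resolve to 'any'."""
    findings: List[str] = []
    for play in playbook:
        for task_name, args in iter_rule_tasks(play.get("tasks", [])):
            if all(_zone_is_any(args.get(key)) for key in ZONE_KEYS):
                findings.append(args.get("rule_name", task_name))
    return findings


if __name__ == "__main__":
    for rule in find_all_zone_rules(SAMPLE_PLAYBOOK):
        print(f"CKV_PAN_17: rule '{rule}' applies to all zones")
```

Running the script reports `allow-all-zones` and `no-zones-given`; the two rules that name at least one specific zone pass, matching the remediation guidance above. To use it against a real playbook, load the file with `yaml.safe_load()` and pass the result to `find_all_zone_rules()`.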

Secure Code Example:

Rule Details

Field        Value
ID           IAC-1299
Severity     MEDIUM
IaC Type     Ansible
Frameworks   Ansible
Checkov ID   CKV_PAN_17

References