PaloAltoFW¶

Header Format¶

The paloalto header designation has the following format:

targets:
    paloalto: from-zone [zone name] to-zone [zone name] [address family] [address objects]

from-zone: static keyword, followed by the source zone
to-zone: static keyword, followed by the destination zone
address family: specifies the address family for the resulting filter
inet: the filter should only render IPv4 addresses (default)
inet6: the filter should only render IPv6 addresses
mixed: the filter should render IPv4 and IPv6 addresses
address objects: specifies whether custom address objects or network/mask definitions are used in security policy source and destination fields
addr-obj: specifies address groups are used in the security policy source and destination fields (default)
no-addr-obj: specifies network/mask definitions are used in the security policy source and destination fields
unique-term-prefixes: specifies whether each term name should be generated with unique prefixes. The unique prefix is a hexdigest of from_zone and to_zone fields.

pan-application:: paloalto target only. Specify applications for the security policy which can be predefined applications (https://applipedia.paloaltonetworks.com/) and custom application objects.
Security Policy Service Setting
- When no protocol is specified in the term, the service will be application-default.
- When protocol is tcp or udp, and no source-port or destination-port is specified, the service will be custom service objects for the protocols and all ports (0-65535).
- When protocol is tcp or udp, and a source-port or destination-port is specified, the service will be custom service objects for the protocols and ports.
- pan-application can only be used when no protocol is specified in the term, or the protocols tcp and udp.