The paloalto header designation has the following format:
target:: paloalto from-zone [zone name] to-zone [zone name] [address family] [address objects]
- from-zone: static keyword, followed by the source zone
- to-zone: static keyword, followed by the destination zone
- address family: specifies the address family for the resulting filter
- inet: the filter should only render IPv4 addresses (default)
- inet6: the filter should only render IPv6 addresses
- mixed: the filter should render IPv4 and IPv6 addresses
- address objects: specifies whether custom address objects or
network/mask definitions are used in security policy source and
destination fields
- addr-obj: specifies address groups are used in the security policy source and destination fields (default)
- no-addr-obj: specifies network/mask definitions are used in the security policy source and destination fields
- action:: The action to take when matched. See Actions section for valid options.
- comment:: A text comment enclosed in double-quotes. The comment can extend over multiple lines if desired, until a closing quote is encountered.
- destination-address:: One or more destination address tokens.
- destination-port:: One or more service definition tokens.
- expiration:: stop rendering this term after specified date. YYYY-MM-DD
- icmp-type:: Specify icmp-type code to match, see section ICMP TYPES for list of valid arguments
- logging:: Specify that this packet should be logged via syslog.
- name:: Name of the term.
- owner:: Owner of the term, used for organizational purposes.
- platform:: one or more target platforms for which this term should ONLY be rendered.
- protocol:: the network protocols this term will match, such as tcp, udp, icmp, or a numeric value.
- source-address:: one or more source address tokens.
- source-port:: one or more service definition tokens.
- timeout:: specify application timeout. (default 60)
- accept
- count
- deny
- log
- reject
-
pan-application:: paloalto target only. Specify applications for the security policy which can be predefined applications (https://applipedia.paloaltonetworks.com/) and custom application objects.
-
Security Policy Service Setting
When no protocol is specified in the term, the service will be application-default.
When protocol is tcp or udp, and no source-port or destination-port is specified, the service will be custom service objects for the protocols and all ports (0-65535).
When protocol is tcp or udp, and a source-port or destination-port is specified, the service will be custom service objects for the protocols and ports.
pan-application can only be used when no protocol is specified in the term, or the protocols tcp and udp.
-