Customers with devices that handle Protection Level 4 (P4) data according to the Berkeley Data Classification Standard are placed in special high security device groups. These device groups are ewdc-high-security (Earl Warren Data Center firewall), campus-high-security (Campus/Users firewalls), sdsc-high-security (San Diego disaster recovery site), and sut-mdc-dc-high-security (Sutardja Dai Mini Data Center). These Device Groups contain default rules that are used to ensure vulnerability scanning occurs and to block bad actors. The rules apply only to subnets that have systems registered as containing P4 level data. If a vsys in one of the high security device groups has networks or zones without P4 data, it is the responsibility of the customer to put their own bad actor blocking policies in place for those areas. Customers can use Shared Objects such as Address Groups and URL Lists to build those policies.
The default rules for the high security device groups:
- Allow access from the ISO vulnerability scanners
- Block traffic to and from bad IP addresses as determined by Palo Alto and our own threat feeds
- Block traffic to known command and control, malware, phishing, and ransomware IP addresses as well as a list of sites known to be targeting campus users.
- Allow OS updates for both Apple and Microsoft products
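The following is an added illustration, not configuration from the page or from the campus firewall team. It models the default rules above as a small first-match rulebase over Shared Address Groups, and shows the gap described earlier: the default rules only match subnets registered as holding P4 data, so a bad-actor flow into a non-P4 subnet on the same vsys falls through until the customer adds their own block rule. All group names, IP ranges and rule names are constructed placeholders, and the evaluator is a simplified model (source and destination address only, no zones, applications or services).

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample Shared Objects (Address Groups). Every value here is a
# placeholder from documentation ranges, not a real scanner or threat-feed entry.
ADDRESS_GROUPS = {
    "iso-scanners":   ["192.0.2.10/32", "192.0.2.11/32"],    # placeholder ISO scanner IPs
    "bad-actors":     ["198.51.100.0/24", "203.0.113.7/32"], # placeholder threat-feed entries
    "p4-subnets":     ["10.10.0.0/24"],                      # placeholder subnet registered as holding P4 data
    "non-p4-subnets": ["10.20.0.0/24"],                      # placeholder subnet on the same vsys without P4 data
}


@dataclass
class Rule:
    name: str
    source: str        # Address Group name or "any"
    destination: str   # Address Group name or "any"
    action: str        # "allow" or "deny"


# Simplified model of the device group default rules. Order matters: the scanner
# allow sits above the bad-actor blocks so scanning is never caught by a block.
DEFAULT_RULES = [
    Rule("allow-iso-scanners",        "iso-scanners", "p4-subnets", "allow"),
    Rule("block-bad-actors-inbound",  "bad-actors",   "p4-subnets", "deny"),
    Rule("block-bad-actors-outbound", "p4-subnets",   "bad-actors", "deny"),
]

# Hypothetical rules a customer would add for their non-P4 areas, reusing the
# shared "bad-actors" group rather than maintaining their own IP list.
CUSTOMER_RULES = [
    Rule("customer-block-bad-actors-inbound",  "bad-actors",     "non-p4-subnets", "deny"),
    Rule("customer-block-bad-actors-outbound", "non-p4-subnets", "bad-actors",     "deny"),
]


def in_group(ip: str, group: str) -> bool:
    """True if ip falls inside any network of the named Address Group."""
    if group == "any":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in ADDRESS_GROUPS[group])


def evaluate(rulebase, src_ip: str, dst_ip: str):
    """First-match evaluation: return (rule name, action) or (None, 'no-match')."""
    for rule in rulebase:
        if in_group(src_ip, rule.source) and in_group(dst_ip, rule.destination):
            return rule.name, rule.action
    return None, "no-match"


def groups_missing_bad_actor_block(rulebase, candidate_groups):
    """Audit helper: destination groups with no deny rule sourced from bad-actors."""
    covered = {r.destination for r in rulebase
               if r.source == "bad-actors" and r.action == "deny"}
    return [g for g in candidate_groups if g not in covered]


if __name__ == "__main__":
    for src, dst in [("192.0.2.10", "10.10.0.5"),   # scanner into P4 subnet
                     ("203.0.113.7", "10.10.0.5"),  # bad actor into P4 subnet
                     ("203.0.113.7", "10.20.0.5")]: # bad actor into non-P4 subnet
        print(src, "->", dst, evaluate(DEFAULT_RULES, src, dst),
              evaluate(DEFAULT_RULES + CUSTOMER_RULES, src, dst))
    print("uncovered by default rules:",
          groups_missing_bad_actor_block(DEFAULT_RULES, ["p4-subnets", "non-p4-subnets"]))
```

The `no-match` result for the bad-actor flow into `10.20.0.0/24` is the situation the page warns about: nothing in the default rules speaks to that subnet, so whatever the customer's own rulebase (or the firewall's default behaviour) says decides the outcome. The `groups_missing_bad_actor_block` helper is the kind of check worth running after any change to a vsys, so that newly added non-P4 networks do not silently sit outside the bad-actor blocks.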