Issue: inability to change default rule behavior
Documentation link
https://pan.dev/access/api/prisma-access-config/post-sse-config-v-1-security-rules/
Describe the problem
Type: Non-functional in real-life situations on the intrazone-default rule.
Details:
You do not allow an override of the default behavior for intra- or inter-zone traffic. In most scenarios this is fine, but we have a situation where we do not trust all networks to communicate with all other networks that have passed authentication. Now, instead of just overriding the default behavior to match our needs, we have to add another rule on top of it, which is also problematic because we now have to do it in a Shared environment where in some cases we may not want it. This further complicates things. This is a bit of a nuanced complaint I have been feeding to Palo Alto. Yes, most of the time your best practices are correct, but not always, and because of how you "TRUST" all networks that are authenticated and consider them all intrazone, we need to supersede these rules and deny networks from reaching other networks inside the "TRUST" environment to overcome this behavior.
This is somewhat similar to a single-arm method when using VM-Series firewalls. Why are you:
- Restricting the ability to override a rule when it may not fit in our situation
- Restricting the ability to call an API to change that rule and accept that it is "not what you consider best practice", but may be what we need to secure our environment.
Suggested fix
Allow the ability to override default rules and, if you must, create a warning, as when someone overrides a default rule's behavior there is usually a reason for it.
Opened engineering ticket ADI-17497 in response to this issue.