topic Re: Rule Order Best Practice in Next-Generation Firewall Discussions

Rule Order Best Practice

AlexMcCreery — Sun, 24 Nov 2024 03:10:45 GMT

We recently migrated to the Palo Alto Firewalls. I am looking for best practice/recommendations on how to properly order firewall rules. We have all our block rules first (geoblocking, malicious sites, specific apps, etc) up top. But what about the rest?

Is it supposed to be more defined rules (specific ip to ip) up top? Do general application rules go towards the bottom (ex: any source to any destination using netflix)?

My thought is to put all the specific rules on top and leave the general/more open ones towards the bottom.

This would go for all sections:

Shared (overall) Pre-Rules blocks and specific rules

Shared (overall) Post-Rules more generic open rules/apps

Specific FWs (pre rules) - more specific for site rules and apps

Specific FWs (post rules) - more generic open rules/apps

Is there a better way?

Re: Rule Order Best Practice

OtakarKlier — Mon, 25 Nov 2024 20:13:17 GMT

Hello,

There are many methods to organizing policies and sometimes its gets very complicated. I do something similar to what you have except I dont use Panorama:

Top rules are my global blocks
specific policies to/from
broad/generic policies for large groups etc.
DENY ALL

Sometimes it wont work out depending on the logic, top down left to right. Best is to check and see if you already have a policy in place or if you need a new one. Here is a default base config I created with some of this in mind, block first, allow windows updates, then maybe more specific etc. Check the logs to ensure the proper policy is getting used when testing out the traffic.

https://live.paloaltonetworks.com/t5/general-articles/secure-day-one-configuration-not-for-the-faint-of-heart/ta-p/435501

Regards,