https://live.paloaltonetworks.com/t5/general-topics/re-evaluating-current-structure/m-p/26171#M19108 <HTML><HEAD></HEAD><BODY><P>If that's your policy, then go for it.</P><P></P><P>I work the other way around - I do three rules, but the final one is an allow any/any - but email me a report about it so I can slowly close loopholes.</P><P></P><P>I find that leads to less complaints when Fred Nerks favourite, business critical application suddenly stops working. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P></BODY></HTML> Thu, 07 Mar 2013 21:44:09 GMT darren_g 2013-03-07T21:44:09Z https://live.paloaltonetworks.com/t5/general-topics/re-evaluating-current-structure/m-p/26168#M19105 <HTML><HEAD></HEAD><BODY><P>I am currently managing users via AD groups but need a more granular approach.&nbsp; I recently added a BYOD device manager to my network.&nbsp; It divides my 2 main groups using a specific IP range.&nbsp; If I use this method to manage users I will probably have to reset all my policies.&nbsp; My question is should I start by blocking all processes then open just what we need.&nbsp; Which rule should go first?</P><P>I have Students and faculy-Staff</P><P>Faculty-Staff can have network access, printers etc.&nbsp;&nbsp; social media, streaming media, Netflix etc</P><P>Students with Auth machines can have network share access</P><P>No Social Media, games, (all the usual blocks)&nbsp; limited (QOS) streaming media, no Netflix, Hulu TV. </P><P>What rules should I start with</P></BODY></HTML> Wed, 06 Mar 2013 03:04:21 GMT https://live.paloaltonetworks.com/t5/general-topics/re-evaluating-current-structure/m-p/26168#M19105 MemphisBrothers 2013-03-06T03:04:21Z https://live.paloaltonetworks.com/t5/general-topics/re-evaluating-current-structure/m-p/26169#M19106 <HTML><HEAD></HEAD><BODY><P>Depends on how savage you want to be.</P><P></P><P>If you want to work up from a "deny everything" scenario, I would start with two rules for each affected zone (facility &amp; students) or IP range.</P><P></P><P>First rule - allow selected applications. Remember, you need to start with the most OPEN rule first, because rules are processed sequentially, and if you make your first rule "deny everything", then all traffic will hit this rule, match, and nothing else will be processed.</P><P></P><P>Actually, you can do it with three rules - I'd do something like this</P><P></P><P>Source: Facility zone/IP range - Allow : required apps</P><P>Source : Student zone/IP range - Allow : required apps</P><P>Source : Any - Deny : Any</P><P></P><P>That way, anything which doesn't match the first two rules rull fall through to the "deny" rule and be blocked. The most open rule (the faculty one) should be the first security rule in your list, then the next most restrictive one (the student rule), then the complete deny rule.</P><P></P><P>If you want to be more open, it's a little more complex.</P></BODY></HTML> Thu, 07 Mar 2013 00:35:36 GMT https://live.paloaltonetworks.com/t5/general-topics/re-evaluating-current-structure/m-p/26169#M19106 darren_g 2013-03-07T00:35:36Z https://live.paloaltonetworks.com/t5/general-topics/re-evaluating-current-structure/m-p/26170#M19107 <HTML><HEAD></HEAD><BODY><P>It is a step.&nbsp; We have Spring Break coming up.&nbsp; Perfect time to re design the policies.&nbsp; I'll start with the Scorched earth policy and open from there.</P></BODY></HTML> Thu, 07 Mar 2013 15:01:23 GMT https://live.paloaltonetworks.com/t5/general-topics/re-evaluating-current-structure/m-p/26170#M19107 MemphisBrothers 2013-03-07T15:01:23Z https://live.paloaltonetworks.com/t5/general-topics/re-evaluating-current-structure/m-p/26171#M19108 <HTML><HEAD></HEAD><BODY><P>If that's your policy, then go for it.</P><P></P><P>I work the other way around - I do three rules, but the final one is an allow any/any - but email me a report about it so I can slowly close loopholes.</P><P></P><P>I find that leads to less complaints when Fred Nerks favourite, business critical application suddenly stops working. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P></BODY></HTML> Thu, 07 Mar 2013 21:44:09 GMT https://live.paloaltonetworks.com/t5/general-topics/re-evaluating-current-structure/m-p/26171#M19108 darren_g 2013-03-07T21:44:09Z