https://live.paloaltonetworks.com/t5/general-topics/policy-rules-order/m-p/128447#M46703 <P>Hi,</P><P>&nbsp;</P><P>For the security and NAT it is will go in order. My guess for rest of the sub tabs as well.&nbsp;</P><P>So security policy from top &gt; bottom until first match. If the NAT is configured same from&nbsp;top<SPAN> &gt; bottom. Traffic will be scanned from top&gt;bottom for every sub tabs if configured.</SPAN></P><P>&nbsp;</P> Wed, 23 Nov 2016 14:05:21 GMT TranceforLife 2016-11-23T14:05:21Z https://live.paloaltonetworks.com/t5/general-topics/policy-rules-order/m-p/128435#M46701 <P>Hi there,</P><P>&nbsp;</P><P>if we are going to the tab "Policy" we will see 7 different sub tabs. The tabs are:</P><P>&nbsp;</P><P>Security</P><P>NAT</P><P>QoS</P><P>PBF</P><P>App Override</P><P>Captive Portal</P><P>DoS Protection</P><P>&nbsp;</P><P>So I know for example that Security rules are always checked before NAT rules but whats about the rest? I spent planty of time google for this information but without success.</P> Wed, 23 Nov 2016 13:49:18 GMT https://live.paloaltonetworks.com/t5/general-topics/policy-rules-order/m-p/128435#M46701 Rboehme 2016-11-23T13:49:18Z https://live.paloaltonetworks.com/t5/general-topics/policy-rules-order/m-p/128447#M46703 <P>Hi,</P><P>&nbsp;</P><P>For the security and NAT it is will go in order. My guess for rest of the sub tabs as well.&nbsp;</P><P>So security policy from top &gt; bottom until first match. If the NAT is configured same from&nbsp;top<SPAN> &gt; bottom. Traffic will be scanned from top&gt;bottom for every sub tabs if configured.</SPAN></P><P>&nbsp;</P> Wed, 23 Nov 2016 14:05:21 GMT https://live.paloaltonetworks.com/t5/general-topics/policy-rules-order/m-p/128447#M46703 TranceforLife 2016-11-23T14:05:21Z https://live.paloaltonetworks.com/t5/general-topics/policy-rules-order/m-p/128452#M46704 <P>Maybe this would help:&nbsp;<A href="https://live.paloaltonetworks.com/t5/Learning-Articles/Packet-Flow-Sequence-in-PAN-OS/ta-p/56081" target="_blank">https://live.paloaltonetworks.com/t5/Learning-Articles/Packet-Flow-Sequence-in-PAN-OS/ta-p/56081</A></P> Wed, 23 Nov 2016 14:08:48 GMT https://live.paloaltonetworks.com/t5/general-topics/policy-rules-order/m-p/128452#M46704 FJU-ITCS 2016-11-23T14:08:48Z https://live.paloaltonetworks.com/t5/general-topics/policy-rules-order/m-p/128805#M46730 <P>Do look at the packet flow process noted above. The general flow is:</P><P>&nbsp;</P><P>Routing lookup - &nbsp;This is needed to assign zones and know the egress interface</P><P>NAT - This occurs then to get the final ip addresses after NAT</P><P>Security policy check - now we have all the information to confirm if the flow is permitted</P><P>Deeper inspections - if permitted, we perform any deep inspections applied to the policy</P><P>&nbsp;</P><P><A href="https://live.paloaltonetworks.com/t5/Learning-Articles/Packet-Flow-Sequence-in-PAN-OS/ta-p/56081" target="_blank">https://live.paloaltonetworks.com/t5/Learning-Articles/Packet-Flow-Sequence-in-PAN-OS/ta-p/56081</A></P> Thu, 24 Nov 2016 16:58:27 GMT https://live.paloaltonetworks.com/t5/general-topics/policy-rules-order/m-p/128805#M46730 pulukas 2016-11-24T16:58:27Z