https://live.paloaltonetworks.com/t5/general-topics/policy-order/m-p/9440#M6925 <HTML><HEAD></HEAD><BODY><P>It was explained to me that each rule should have them. At least for how I was applying policies. You just want to make sure that each packet allowed through has policies that apply to your traffic at risk. If you have a rule that traffic matches on the top and you don't have any threat policies there then none will be applied because the traffic has already been permitted without. If I am incorrect in this understanding or was not clear enough please post further clarification.</P><P></P><P>From: jorge &lt;live@paloaltonetworks.com&lt;mailto:live@paloaltonetworks.com&gt;&gt; </P><P>Reply-To: live &lt;live@paloaltonetworks.com&lt;mailto:live@paloaltonetworks.com&gt;&gt; </P><P>To: Brad Spilde &lt;brad.spilde@daktronics.com&lt;mailto:brad.spilde@daktronics.com&gt;&gt; </P><P>Subject: <A href="https://live.paloaltonetworks.com/DevCenter"></A> Policy order <A href="https://live.paloaltonetworks.com/prpcsf-1mh-c2k"></A></P><P></P><P>Is it important to have the Antivus, Vulnerability and Anti-Spyware rule as the first policy?</P><P></P><P>thanks</P></BODY></HTML> Thu, 17 May 2012 20:35:44 GMT bspilde 2012-05-17T20:35:44Z https://live.paloaltonetworks.com/t5/general-topics/policy-order/m-p/9439#M6924 <HTML><HEAD></HEAD><BODY><P>Is it important to have the Antivus, Vulnerability and Anti-Spyware rule as the first policy?</P><P></P><P>thanks</P></BODY></HTML> Thu, 17 May 2012 18:41:03 GMT https://live.paloaltonetworks.com/t5/general-topics/policy-order/m-p/9439#M6924 jorge 2012-05-17T18:41:03Z https://live.paloaltonetworks.com/t5/general-topics/policy-order/m-p/9440#M6925 <HTML><HEAD></HEAD><BODY><P>It was explained to me that each rule should have them. At least for how I was applying policies. You just want to make sure that each packet allowed through has policies that apply to your traffic at risk. If you have a rule that traffic matches on the top and you don't have any threat policies there then none will be applied because the traffic has already been permitted without. If I am incorrect in this understanding or was not clear enough please post further clarification.</P><P></P><P>From: jorge &lt;live@paloaltonetworks.com&lt;mailto:live@paloaltonetworks.com&gt;&gt; </P><P>Reply-To: live &lt;live@paloaltonetworks.com&lt;mailto:live@paloaltonetworks.com&gt;&gt; </P><P>To: Brad Spilde &lt;brad.spilde@daktronics.com&lt;mailto:brad.spilde@daktronics.com&gt;&gt; </P><P>Subject: <A href="https://live.paloaltonetworks.com/DevCenter"></A> Policy order <A href="https://live.paloaltonetworks.com/prpcsf-1mh-c2k"></A></P><P></P><P>Is it important to have the Antivus, Vulnerability and Anti-Spyware rule as the first policy?</P><P></P><P>thanks</P></BODY></HTML> Thu, 17 May 2012 20:35:44 GMT https://live.paloaltonetworks.com/t5/general-topics/policy-order/m-p/9440#M6925 bspilde 2012-05-17T20:35:44Z https://live.paloaltonetworks.com/t5/general-topics/policy-order/m-p/9441#M6926 <HTML><HEAD></HEAD><BODY><P>You're right. I've gone ahead and applied them to all the policies.</P><P></P><P>Thank You!</P></BODY></HTML> Thu, 17 May 2012 20:37:44 GMT https://live.paloaltonetworks.com/t5/general-topics/policy-order/m-p/9441#M6926 jorge 2012-05-17T20:37:44Z https://live.paloaltonetworks.com/t5/general-topics/policy-order/m-p/9442#M6927 <HTML><HEAD></HEAD><BODY><P>The security rules in PA devices is executed in top-down first-match order (similar to how acl's in cisco devices works).</P><P></P><P>Which gives that if you have a rule where you didnt enable antivirus etc and this rule is hit then the traffic hitting this rule wont be examined for viruses.</P><P></P><P>You can use the "test" command in cli to figure out which rule will be matched for which traffic.</P><P></P><P>A general recommendation is to use whitelisting instead of blacklisting (e.g. rules with which traffic you want to allow and then block as default) and when blacklisting is used make sure to make that as broad as possible while whitelisting should be as narrow as possible.</P><P></P><P>For example setting srczone:any is mostly a good thing for blacklists but often a bad thing for whitelists (security wise).</P></BODY></HTML> Thu, 17 May 2012 21:03:59 GMT https://live.paloaltonetworks.com/t5/general-topics/policy-order/m-p/9442#M6927 mikand 2012-05-17T21:03:59Z