topic Security Profiles on Deny Rules in General Topics

Security Profiles on Deny Rules

JohnJones — Mon, 25 Mar 2019 18:38:22 GMT

What is the best practice for adding security profiles to deny rules? I like to add the URL profile to deny rules so I can see what URLs are being denied. Who else adds security profiles to the deny rules and what benefit do you get? Has anyone had an issue with dataplane resources being consumed by using security profiles in deny rules? -Thanks!

Re: Security Profiles on Deny Rules

Remo — Mon, 25 Mar 2019 19:08:55 GMT

Hi @JohnJones

Are you sure that you have URL logs from rules that have the another action than "allow"?

Re: Security Profiles on Deny Rules

OtakarKlier — Mon, 25 Mar 2019 21:21:06 GMT

Hello,

There is no reason to have these on deny rules as they wont give you any real info (since they are denied). Also thye will just eat up CPU. I only put security profiles on allow policies.

Regards,

Re: Security Profiles on Deny Rules

Remo — Mon, 25 Mar 2019 22:01:19 GMT

@OtakarKlier wrote:
There is no reason to have these on deny rules as they wont give you any real info (since they are denied).

That's what I actually meant with my question 😉

@OtakarKlier wrote:
Also thye will just eat up CPU. I only put security profiles on allow policies.

This one I think is partly true. The session will be denied based on the security policy criteria. So for example if there is a deny rule based on zones, IPs and/or ports there won't be anything left that can be processed by the content processors (FPGAs). If you have a deny rule based on applications then there will probably some packets that can be checked with secueity profiles.