topic Re: security rule placement in General Topics

security rule placement

ce1028 — Sun, 08 Sep 2019 23:48:10 GMT

Hi All,

I have an outbound web-browsing rule, rule criteria is source zone (trust) destination zone (untrust) , application (web-browsing, ssl), service (tcp-80, tcp-443)

If you are going to create more application specific rules, does it makes more sense to put those rules AFTER the outbound web-browsing rule. For instance, say you're going to create a 4 additional rules, 1 for dropbox, 1 for facebook/twitter, 1 for youtube, and another for ms-update. Would it be a best/common practice to put these 4 rules after the outbound web-browsing rule?

To me it makes sense, since a lot of these applications have dependancy on web-browsing/ssl, but wanted to ask anyway.

Re: security rule placement

BPry — Mon, 09 Sep 2019 03:15:06 GMT

@ce1028,

It doesn't matter. When the application shifts away from web-browsing to, say dropbox-base, the entire rulebase gets re-analysed and the location of the policy allowing dropbox-base won't matter as long as it is above any deny policy that would match the traffic.

Re: security rule placement

RobinClayton — Mon, 09 Sep 2019 14:39:37 GMT

Personaly, I would put the more granular rules before less granualr rules. Just my thinking though.

Re: security rule placement

ce1028 — Mon, 09 Sep 2019 15:54:52 GMT

@BPry

Thanks for the reply. Yes agreed, it does not matter, but I was more curious as to what the best practice is from a processing standpoint

Very good point on all the rules getting re-evaluated. Is it safe to say, the most hit rules are better to be towards the top of the rulebase then, or due to firewall performance specs, it doesn't really matter?

Re: security rule placement

BPry — Mon, 09 Sep 2019 16:00:19 GMT

@ce1028,

Due to firewall processing specs it really doesn't matter if the rules are located towards the top or towards the bottom. The amount of time that it takes for a firewall with thousands of security policies to match the very first entry in the security rulebase versus the very last is not measurable without the use of full debug logging, and even then it's a negligable amount. Essentially PAN has accounted for any latency due to actually processing the policies by enforcing platform policy limits.

Re: security rule placement

ce1028 — Mon, 09 Sep 2019 16:29:18 GMT

thanks @BPry

Re: security rule placement

mahmoodm — Sat, 31 Jul 2021 07:50:48 GMT

Hi BPry,

Apologies for jumping into this thread.

Please could help me in understanding whether do we need any rule for web-browsing or https in order to allow the above applications.

What I understand is that they should work without the http and https rule.