# of rules vs simplicity

L0 Member

Hi all,

 

I'm currently reviewing our PA5250 security policy ruleset and I'm doubting the best way to handle it. We have about 800 rules and lots of those rules combine functions. For example, a server is allowed to FTP to IP a.b.c.d and should be allowed to SSL to IP w.x.y.z. At the moment this is combined in one rule, which means that the server is also allowed to FTP to w.x.y.z and to SSL to the first IP.

If I were to split up all those kinds of rules I would at least double the number of rules. I know the limit on the number of rules for the 5250 is 40000, so we are nowhere near that.

My questions:

- From a management perspective, is it better to have lots of small rules or lots of "combined" rules?

- From a resource/throughput perspective, is it better to have, for example, 10000 simple rules (1 source - 1 destination) or 2000 complex rules (multiple sources and destinations)?

 

Thanks in advance for your opinion on this topic.
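The over-permission the original post describes is a cross product: a rule that lists two destinations and two applications matches any listed source to any listed destination on any listed application. The following is an added example, not code from the thread or from Palo Alto Networks, that models that behaviour for a PAN-OS-style rule, lists the flows a combined rule allows beyond the intended pairs, and splits it into one narrow rule per intended pair. The server and destination addresses, rule names and application names are constructed for illustration; the model deliberately ignores zones, users, services and security profiles.

```python
"""Added example (not from the thread): model a combined firewall rule as the
cross product of its source, destination and application sets, show which
flows it allows beyond the pairs the admin intended, and split it.
All addresses, rule names and application names below are constructed."""

from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    app: str


@dataclass
class Rule:
    name: str
    sources: frozenset
    destinations: frozenset
    apps: frozenset
    action: str = "allow"

    def matches(self, flow: Flow) -> bool:
        # A rule with several sources, destinations and apps matches the full
        # cross product: any listed source to any listed destination on any
        # listed application. This is where the unintended access comes from.
        return (flow.src in self.sources
                and flow.dst in self.destinations
                and flow.app in self.apps)

    def allowed_flows(self):
        return {Flow(s, d, a) for s, d, a in
                product(self.sources, self.destinations, self.apps)}


def first_match(rules, flow):
    """Top-down, first-match evaluation; implicit deny if nothing matches."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action, rule.name
    return "deny", "default-deny"


def unintended_flows(rule, intended):
    """Flows the rule permits that are not in the intended set."""
    return rule.allowed_flows() - intended


def split_rule(rule, intended):
    """Replace one combined rule with one narrow rule per intended flow."""
    ordered = sorted(intended, key=lambda f: (f.src, f.dst, f.app))
    return [Rule(f"{rule.name}-{i}", frozenset({f.src}), frozenset({f.dst}),
                 frozenset({f.app}), rule.action)
            for i, f in enumerate(ordered, 1)]


# Constructed scenario matching the original post: one server, FTP to the
# first host and SSL to the second, written as a single combined rule.
SERVER, FTP_DST, SSL_DST = "10.0.1.10", "192.0.2.10", "198.51.100.20"
INTENDED = frozenset({Flow(SERVER, FTP_DST, "ftp"), Flow(SERVER, SSL_DST, "ssl")})

COMBINED = Rule("srv-outbound", frozenset({SERVER}),
                frozenset({FTP_DST, SSL_DST}), frozenset({"ftp", "ssl"}))
SPLIT = split_rule(COMBINED, INTENDED)


def audit():
    """Compare what the combined rule allows with what the split rules allow."""
    extra = unintended_flows(COMBINED, INTENDED)
    crossed = Flow(SERVER, SSL_DST, "ftp")  # FTP to the host meant for SSL
    return {
        "unintended_count": len(extra),
        "combined_allows_ftp_to_ssl_host": first_match([COMBINED], crossed)[0],
        "split_allows_ftp_to_ssl_host": first_match(SPLIT, crossed)[0],
        "split_rule_count": len(SPLIT),
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

Running the audit shows the combined rule permits two flows nobody asked for (FTP to the SSL host and SSL to the FTP host), while the split ruleset denies the crossed flow and, as the post predicts, doubles the rule count for this pair. The same set-difference check scales to a whole rulebase export if each rule's intended pairs are recorded alongside it; the model does not account for zones, user-ID, service/port matching or threat profiles, which on a real firewall would further narrow what the combined rule actually lets through.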

Community Manager

Re: # of rules vs simplicity

For the chassis' performance, neither situation has a huge impact. From a management perspective, more rules is more complexity, but this helps the third view: security. How secure are combined rules? It also depends on your stance: open and relying on security profiles to stop threats, or restrictive and preventing threats before they happen. To help with the logistical nightmare of managing hundreds or thousands of rules, there are a few things that can help, like tagging your zones, which helps filtering your view of the policy to the task at hand. Rule Usage and the PAN-OS 9.0 'policy optimizer' tool can help determine which rules are being used or can be improved.

Help the community: Like helpful comments and mark solutions
Reaper out
L6 Presenter

Re: # of rules vs simplicity

From a management perspective: 1 policy, allow all.

From a security perspective, I would not hesitate to split your example into 2 separate policies, regardless of the sums...

It may be that your servers listed are not listening on the other ports, but for me it's "peace of mind" and confidence in saying "No... That's not possible".

 

The filter option works for me to only see the policies needed.

 

There are, of course, many reasons to combine policies, but not for ease of management over security.

 

 

L6 Presenter

Re: # of rules vs simplicity

This is a great question, and @reaper and @MickBall both had great feedback. Another thing to consider is supportability and the technical capability of the staff administering the box. If the techs looking into potential firewall problems are senior staff with 9+ years' experience, then the more complex rule base shouldn't cause a problem in the slightest. However, if you have more junior, less seasoned people administering the FW, then a simpler, more straightforward policy base might be more appropriate.

 

If you're using IP definitions in at least one direction, application-based policy that's using application-default, threat features enabled, and SSL decryption, there might not be as great a risk in combining 'like' requirements into one rule versus breaking that one rule out into 20+.

 

I think there are many factors that can lead an admin towards one direction or another, complex or simple rule base. If the admin of the box can't discern the scope and intent of a firewall rule, then that network is going to be inherently less secure and more vulnerable.

L7 Applicator

Re: # of rules vs simplicity

Hello,

It also depends on any requirements, such as compliance, you might be under. For instance, we are under a 'Least Privilege, deny all, allow by exception' requirement. So in the example you gave, we would require two policies, since combining them would be similar to permissions creep, where you allow more than should be allowed.

 

Hope that makes sense.

L4 Transporter

Re: # of rules vs simplicity

Complexity is the enemy of security? This is a great discussion. It gets harder to manage the larger the ruleset gets, I think. Keeping things simple in a complex world is a challenge.
