I have an outbound web-browsing rule, rule criteria is source zone (trust) destination zone (untrust) , application (web-browsing, ssl), service (tcp-80, tcp-443)
If you are going to create more application specific rules, does it makes more sense to put those rules AFTER the outbound web-browsing rule. For instance, say you're going to create a 4 additional rules, 1 for dropbox, 1 for facebook/twitter, 1 for youtube, and another for ms-update. Would it be a best/common practice to put these 4 rules after the outbound web-browsing rule?
To me it makes sense, since a lot of these applications have dependancy on web-browsing/ssl, but wanted to ask anyway.
Solved! Go to Solution.
It doesn't matter. When the application shifts away from web-browsing to, say dropbox-base, the entire rulebase gets re-analysed and the location of the policy allowing dropbox-base won't matter as long as it is above any deny policy that would match the traffic.
Thanks for the reply. Yes agreed, it does not matter, but I was more curious as to what the best practice is from a processing standpoint
Very good point on all the rules getting re-evaluated. Is it safe to say, the most hit rules are better to be towards the top of the rulebase then, or due to firewall performance specs, it doesn't really matter?
Due to firewall processing specs it really doesn't matter if the rules are located towards the top or towards the bottom. The amount of time that it takes for a firewall with thousands of security policies to match the very first entry in the security rulebase versus the very last is not measurable without the use of full debug logging, and even then it's a negligable amount. Essentially PAN has accounted for any latency due to actually processing the policies by enforcing platform policy limits.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!