security rule placement

L3 Networker

security rule placement

Hi All,

I have an outbound web-browsing rule. The rule criteria are: source zone (trust), destination zone (untrust), application (web-browsing, ssl), service (tcp-80, tcp-443).

If you are going to create more application-specific rules, does it make more sense to put those rules AFTER the outbound web-browsing rule? For instance, say you're going to create 4 additional rules: 1 for dropbox, 1 for facebook/twitter, 1 for youtube, and another for ms-update. Would it be a best/common practice to put these 4 rules after the outbound web-browsing rule?

To me it makes sense, since a lot of these applications have a dependency on web-browsing/ssl, but wanted to ask anyway.

L7 Applicator

Re: security rule placement

@ce1028,

It doesn't matter. When the application shifts away from web-browsing to, say, dropbox-base, the entire rulebase gets re-analysed, and the location of the policy allowing dropbox-base won't matter as long as it is above any deny policy that would match the traffic.
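To make the re-evaluation point concrete, here is a small model of top-down first-match policy evaluation with an App-ID shift. It is an added example written for this page, not PAN-OS code or anything posted in the thread: the rule names, the three rulebase orderings, and the application sequence web-browsing, ssl, dropbox-base are constructed, and the model deliberately ignores application dependencies, the application-default service setting, and the default intrazone/interzone rules.

```python
"""Model of top-down first-match security policy evaluation with App-ID shift.

Constructed for this page to illustrate the rulebase re-evaluation discussed
in the thread. It is not PAN-OS code and ignores application dependencies,
the application-default service setting, and intrazone/interzone defaults.
"""
from dataclasses import dataclass

ANY = "any"


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    apps: frozenset      # application names, or {ANY}
    ports: frozenset     # "tcp/80" style, or {ANY}
    action: str          # "allow" or "deny"

    def matches(self, src_zone: str, dst_zone: str, app: str, port: str) -> bool:
        return (self.src_zone in (ANY, src_zone)
                and self.dst_zone in (ANY, dst_zone)
                and (ANY in self.apps or app in self.apps)
                and (ANY in self.ports or port in self.ports))


def rule(name, apps, action="allow", ports=("tcp/80", "tcp/443"),
         src_zone="trust", dst_zone="untrust") -> Rule:
    """Build a trust->untrust rule; defaults mirror the thread's web-browsing rule."""
    return Rule(name, src_zone, dst_zone, frozenset(apps), frozenset(ports), action)


def first_match(rulebase, src_zone, dst_zone, app, port):
    """Return the first rule that matches, or None for the implicit deny."""
    for r in rulebase:
        if r.matches(src_zone, dst_zone, app, port):
            return r
    return None


def evaluate_session(rulebase, app_sequence, src_zone="trust",
                     dst_zone="untrust", port="tcp/443"):
    """Walk one session through successive App-ID identifications.

    Each time the identified application changes, the whole rulebase is
    re-evaluated from the top. Returns a list of (app, rule name, action);
    evaluation stops at the first deny because the session is closed then.
    """
    trace = []
    for app in app_sequence:
        r = first_match(rulebase, src_zone, dst_zone, app, port)
        action = r.action if r else "deny"
        trace.append((app, r.name if r else "implicit-deny", action))
        if action == "deny":
            break
    return trace


def final_decision(rulebase, app_sequence):
    """(rule name, action) the session ends up with after all shifts."""
    return evaluate_session(rulebase, app_sequence)[-1][1:]


# Constructed rules mirroring the thread: one general web rule plus app-specific rules.
WEB = rule("outbound-web-browsing", ["web-browsing", "ssl"])
DROPBOX = rule("allow-dropbox", ["dropbox-base"])
YOUTUBE = rule("allow-youtube", ["youtube-base"])
DENY_REST = rule("deny-all-other-apps", [ANY], action="deny", ports=[ANY])

# Constructed session: App-ID first sees web-browsing/ssl, then identifies dropbox-base.
DROPBOX_SESSION = ["web-browsing", "ssl", "dropbox-base"]

SPECIFIC_AFTER_GENERAL = [WEB, DROPBOX, YOUTUBE, DENY_REST]
SPECIFIC_BEFORE_GENERAL = [DROPBOX, YOUTUBE, WEB, DENY_REST]
DENY_ABOVE_SPECIFIC = [WEB, DENY_REST, DROPBOX, YOUTUBE]   # the one ordering that breaks


if __name__ == "__main__":
    for label, rb in [("specific after general", SPECIFIC_AFTER_GENERAL),
                      ("specific before general", SPECIFIC_BEFORE_GENERAL),
                      ("deny above specific", DENY_ABOVE_SPECIFIC)]:
        print(f"{label}:")
        for app, name, action in evaluate_session(rb, DROPBOX_SESSION):
            print(f"  app={app:14} rule={name:22} action={action}")
```

Running it shows the first two orderings ending on the same rule (allow-dropbox) once the application shifts, while the third ordering, with a catch-all deny sitting above the dropbox rule, ends the session on the deny after the shift. That is the only ordering constraint the model exposes: position relative to the general web rule is irrelevant, position relative to a matching deny is not.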

L4 Transporter

Re: security rule placement

Personally, I would put the more granular rules before less granular rules. Just my thinking though.

L3 Networker

Re: security rule placement

@BPry

Thanks for the reply. Yes, agreed, it does not matter, but I was more curious as to what the best practice is from a processing standpoint.

Very good point on all the rules getting re-evaluated. Is it safe to say the most-hit rules are better towards the top of the rulebase then, or, due to firewall performance specs, does it not really matter?

L7 Applicator

Re: security rule placement

@ce1028,

Due to firewall processing specs it really doesn't matter if the rules are located towards the top or towards the bottom. The amount of time that it takes for a firewall with thousands of security policies to match the very first entry in the security rulebase versus the very last is not measurable without the use of full debug logging, and even then it's a negligible amount. Essentially PAN has accounted for any latency due to actually processing the policies by enforcing platform policy limits.

L3 Networker

Re: security rule placement

Thanks, @BPry
