security rule placement

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

security rule placement

L4 Transporter

Hi All,

 

I have an outbound web-browsing rule, rule criteria is source zone (trust) destination zone (untrust) , application (web-browsing, ssl), service (tcp-80, tcp-443)

 

If you are going to create more application specific rules, does it makes more sense to put those rules AFTER the outbound web-browsing rule.  For instance, say you're going to create a 4 additional rules, 1 for dropbox, 1 for facebook/twitter, 1 for youtube, and another for ms-update.   Would it be a best/common practice to put these 4 rules after the outbound web-browsing rule?

 

To me it makes sense, since a lot of these applications have dependancy on web-browsing/ssl, but wanted to ask anyway.

 

 

1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

@ce1028,

It doesn't matter. When the application shifts away from web-browsing to, say dropbox-base, the entire rulebase gets re-analysed and the location of the policy allowing dropbox-base won't matter as long as it is above any deny policy that would match the traffic. 

View solution in original post

6 REPLIES 6

Cyber Elite
Cyber Elite

@ce1028,

It doesn't matter. When the application shifts away from web-browsing to, say dropbox-base, the entire rulebase gets re-analysed and the location of the policy allowing dropbox-base won't matter as long as it is above any deny policy that would match the traffic. 

Personaly, I would put the more granular rules before less granualr rules. Just my thinking though. 

@BPry

 

Thanks for the reply.  Yes agreed, it does not matter, but I was more curious as to what the best practice is from a processing standpoint

 

Very good point on all the rules getting re-evaluated.  Is it safe to say, the most hit rules are better to be towards the top of the rulebase then, or due to firewall performance specs, it doesn't really matter?

 

 

@ce1028,

Due to firewall processing specs it really doesn't matter if the rules are located towards the top or towards the bottom. The amount of time that it takes for a firewall with thousands of security policies to match the very first entry in the security rulebase versus the very last is not measurable without the use of full debug logging, and even then it's a negligable amount. Essentially PAN has accounted for any latency due to actually processing the policies by enforcing platform policy limits.

thanks @BPry 

Hi BPry,

Apologies for jumping into this thread.

Please could help me in understanding whether do we need any rule for web-browsing or https in order to allow the above applications.

What I understand is that they should work without the http and https rule.

  • 1 accepted solution
  • 6630 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!