04-26-2018 01:37 PM - edited 04-26-2018 01:38 PM
Hi all,
If there are multiple application filters in an application group, do they work with AND or OR logic?
For instance, someone configured an application group which contains five filters. All of the filters have "Subcategory = file-sharing." Then one filter has "Characteristic = Transfers Files," the second has "Tunnels other apps," the third "Used by malware"... etc.
Basically the group looks like this:
FileShar1_Filter | file-sharing | Transfers Files
FileShar2_Filter | file-sharing | Tunnels other apps
FileShar3_Filter | file-sharing | Used by malware
FileShar4_Filter | file-sharing | Evasive
FileShar5_Filter | file-sharing | 2, 3, 4, 5 | Prone to Misuse
The group is then used in a "Deny" rule. The filters aren't used anywhere else.
Does this make sense? Do we need five filters, or can they be combined into one?
I know that when I'm using applipedia.paloaltonetworks.com, it's OR.
Any help is appreciated!
Thanks,
- Steve
04-26-2018 02:48 PM
Hi,
I believe the apps in the group would be "OR"(ed). Similarly, you can put "ssl" and "web browsing" in a rule and that matches both types of traffic.
Regards,
~Harry
04-27-2018 06:51 AM
The group was built out the way it was because you couldn't combine all of those filters into one and get the same application count. For example:
FileShar1_Filter: 283 applications
FileShar2_filter: 17 applications
FileShar3: 75 applications
FileShar4: 173 applications
FileShar5: 3 Applications
So when you put all of those filters into a group, the group would match if it matches FileShar1_Filter OR FileShar2_Filter and so on. If you attempted to put all of the filters together, the filters become an AND statement. So instead of having the application group match 551 applications in total, the combined filters would only match 5 applications (because only 5 match all of the filter criteria).
TL;DR
So the short answer is that @Harshit is correct and multiple filters within an application group follow an OR statement. To answer your other question, you wouldn't want to combine all five filters because they would no longer match the majority of the applications you are currently blocking. When building a filter, you are simply setting what characteristics you want to match on.
04-27-2018 07:03 AM
Hi Bpry,
Thanks very much! So to summarize, criteria within a filter are AND and filters within a group are OR. That's very helpful.
Best,
- Steve
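
A small model of the logic summarized in this thread, as an added example that is not part of the original posts and is not Palo Alto Networks code: criteria inside one filter are ANDed and filters inside a group are ORed, as the replies describe. The application catalog, the app names and the helper names are constructed for illustration, and only the subcategory and characteristic criteria are modelled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class App:
    name: str
    subcategory: str
    characteristics: frozenset

@dataclass(frozen=True)
class AppFilter:
    name: str
    subcategory: str
    characteristics: frozenset

    def matches(self, app):
        # AND: subcategory must match and every listed characteristic must be present.
        return (app.subcategory == self.subcategory
                and self.characteristics <= app.characteristics)

def filter_apps(flt, catalog):
    return {a.name for a in catalog if flt.matches(a)}

def group_apps(filters, catalog):
    # OR: an app is in the group if any member filter matches it.
    # An app matched by several filters is counted once.
    matched = set()
    for flt in filters:
        matched |= filter_apps(flt, catalog)
    return matched

def merge_filters(filters, name="Merged_Filter"):
    # Collapse several filters into one; all criteria then apply together (AND).
    subcats = {f.subcategory for f in filters}
    if len(subcats) != 1:
        raise ValueError("filters with different subcategories cannot be merged")
    chars = frozenset().union(*(f.characteristics for f in filters))
    return AppFilter(name, subcats.pop(), chars)

CHARS = ["Transfers Files", "Tunnels other apps", "Used by malware",
         "Evasive", "Prone to Misuse"]
FILTERS = [AppFilter(f"FileShar{i}_Filter", "file-sharing", frozenset({c}))
           for i, c in enumerate(CHARS, 1)]
# Constructed sample catalog (hypothetical apps, not the real App-ID database).
CATALOG = [
    App("app-a", "file-sharing", frozenset({"Transfers Files"})),
    App("app-b", "file-sharing", frozenset({"Transfers Files", "Evasive"})),
    App("app-c", "file-sharing", frozenset({"Tunnels other apps", "Used by malware"})),
    App("app-d", "file-sharing", frozenset(CHARS)),
    App("app-e", "email", frozenset({"Transfers Files", "Evasive"})),
]
```

Comparing `group_apps(FILTERS, CATALOG)` with `filter_apps(merge_filters(FILTERS), CATALOG)` before changing a Deny rule shows which applications would stop being blocked if the filters were merged.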