Are Application Filters in Groups an AND or an OR?

Hi all,

 

If there are multiple application filters in an application group, do they work with AND or OR logic?

 

For instance, someone configured an application group which contains five filters.  All of the filters have "Subcategory = file-sharing."  Then one filter has "Characteristic = Transfers Files," the second has "Tunnels other apps," the third "Used by malware"... etc.

 

Basically the group looks like this:

Filter name       Subcategory   Characteristic
FileShar1_Filter  file-sharing  Transfers Files
FileShar2_Filter  file-sharing  Tunnels other apps
FileShar3_Filter  file-sharing  Used by malware
FileShar4_Filter  file-sharing  Evasive
FileShar5_Filter  file-sharing  Prone to Misuse


The group is then used in a "Deny" rule.  The filters aren't used anywhere else.

 

Does this make sense?  Do we need five filters, or can they be combined into one? 

 

I know that when I'm using applipedia.paloaltonetworks.com, it's OR. 

 

Any help is appreciated!

 

Thanks,

- Steve

 

Accepted Solutions

Re: Are Application Filters in Groups an AND or an OR?

@stevenkadish,

The group was built out the way it was because you couldn't combine all of those filters into one and get the same application count. For example:

FileShar1_Filter: 283 applications

FileShar2_filter: 17 applications

FileShar3: 75 applications

FileShar4: 173 applications

FileShar5: 3 Applications

So when you put all of those filters into a group, the group would be if it matches FileShar1_Filter OR FileShar2_Filter and so on. If you attempted to put all of the filters together, the filters become an AND statement. So instead of having the application group match 551 applications in total, the combined filters would only match 5 applications (because only 5 match all of the filter criteria).

 

TL/DR

So the short answer is that @Harshit is correct and multiple filters within an application group follow an OR statement. To answer your other question, you wouldn't want to combine all five filters because they would no longer match the majority of the applications you are currently blocking. When building a filter, you are simply setting what characteristics you want to match on.

All Replies

Re: Are Application Filters in Groups an AND or an OR?

Hi,

 

I believe the apps in the group would be "OR"(ed); similarly, you can put "ssl" and "web browsing" in a rule and that matches both types of traffic.

 

Regards,

 

~Harry


Re: Are Application Filters in Groups an AND or an OR?

Hi Bpry,

 

Thanks very much!  So to summarize, criteria within a filter are AND and filters within a group are OR.  That's very helpful.

 

Best,

- Steve
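
The AND-within-a-filter, OR-across-a-group behaviour summarized in this thread, modelled as an added example (not code from the posts above or from Palo Alto Networks). The app catalogue and app names are constructed, and the matching semantics are assumed to be exactly as the thread describes them; note that the group's size is a set union, so an app that matches several filters is counted once.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class App:
    name: str
    subcategory: str
    characteristics: frozenset

ALL_FIVE = ["Transfers Files", "Tunnels other apps", "Used by malware",
            "Evasive", "Prone to Misuse"]

# Constructed sample catalogue (hypothetical apps, not real App-ID data).
CATALOGUE = [
    App("app-a", "file-sharing", frozenset({"Transfers Files"})),
    App("app-b", "file-sharing", frozenset({"Transfers Files", "Evasive"})),
    App("app-c", "file-sharing", frozenset({"Tunnels other apps", "Used by malware"})),
    App("app-d", "file-sharing", frozenset(ALL_FIVE)),
    App("app-e", "email", frozenset({"Transfers Files", "Evasive"})),
    App("app-f", "file-sharing", frozenset()),
]

# The group from the question: five filters, one characteristic each.
GROUP = {f"FileShar{i}_Filter": ("file-sharing", [c])
         for i, c in enumerate(ALL_FIVE, start=1)}

def apps_for_filter(subcategory, characteristics, catalogue=CATALOGUE):
    """One filter: an app must satisfy every criterion (AND)."""
    wanted = set(characteristics)
    return {a.name for a in catalogue
            if a.subcategory == subcategory and wanted <= a.characteristics}

def per_filter_counts(group=GROUP):
    return {name: len(apps_for_filter(*crit)) for name, crit in group.items()}

def apps_for_group(group=GROUP):
    """Group: an app matches if any member filter matches (OR, set union)."""
    matched = set()
    for crit in group.values():
        matched |= apps_for_filter(*crit)
    return matched

def apps_for_combined(group=GROUP):
    """All five characteristics folded into a single filter (AND of all)."""
    chars = [c for _, cs in group.values() for c in cs]
    return apps_for_filter("file-sharing", chars)

if __name__ == "__main__":
    print("per filter:", per_filter_counts())
    print("group (OR):", sorted(apps_for_group()))
    print("combined (AND):", sorted(apps_for_combined()))
```
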
