Are Application Filters in Groups an AND or an OR?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Are Application Filters in Groups an AND or an OR?

L2 Linker

Hi all,

 

If there are multiple application filters in an application group, do they work with AND or OR logic?

 

For instance, someone configured an application group which contains five filters.  All of the filters have "Subcategory = file-sharing."  Then one filter has "Characteristic = Transfers Files," the second has "Tunnels other apps," the third "Used by malware"... etc.

 

Basically the group looks like this:

 

FileShar1_Filter  file-sharing  Transfers Files
FileShar2_Filter  file-sharing  Tunnels other apps
FileShar3_Filter  file-sharing  Used by malware
FileShar4_Filter  file-sharing  Evasive
FileShar5_Filter  file-sharing 2Prone to Misuse
  3
  4
  5

 

The group is then used in a "Deny" rule.  The filters aren't used anywhere else.

 

Does this make sense?  Do we need five filters, or can they be combined into one? 

 

I know that when I'm using applipedia.paloaltonetworks.com, it's OR. 

 

Any help is appreciated!

 

Thanks,

- Steve

 

1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

@stevenkadish,

The group was built out the way it was because you couldn't combine all of those filters into one and get the same application count. For Example:

FileShar1_Filter: 283 applications

FileShar2_filter: 17 applications

FileShar3: 75 applications

FileShar4: 173 applications

FileShar5: 3 Applications

So when you put all of those filters into a group the group would be if it matches FileShar1_Filter OR FileShar2_Filter and so on. If you attempted to put all of the filters together, the filters become and AND statement. So instead of having the application group match 551 applications in total, the combine filters would only match 5 applications (because only 5 match all of the filter criteria). 

 

TL/DR

So short answer is that @Harshit is correct and multiple filters within an application group follows an OR statement. To answer your other question you wouldn't want to combine all five filters because they would no longer match the majority of the applications you are currently blocking. Building a filter you are simply setting what characteristics you want to match on. 

View solution in original post

3 REPLIES 3

L3 Networker

Hi,

 

I believe The Apps in the group would be "OR" (ed) , similary you can put "ssl" and "web browsing" in a rule and that matches both type of traffic.

 

Regards,

 

~Harry

Cyber Elite
Cyber Elite

@stevenkadish,

The group was built out the way it was because you couldn't combine all of those filters into one and get the same application count. For Example:

FileShar1_Filter: 283 applications

FileShar2_filter: 17 applications

FileShar3: 75 applications

FileShar4: 173 applications

FileShar5: 3 Applications

So when you put all of those filters into a group the group would be if it matches FileShar1_Filter OR FileShar2_Filter and so on. If you attempted to put all of the filters together, the filters become and AND statement. So instead of having the application group match 551 applications in total, the combine filters would only match 5 applications (because only 5 match all of the filter criteria). 

 

TL/DR

So short answer is that @Harshit is correct and multiple filters within an application group follows an OR statement. To answer your other question you wouldn't want to combine all five filters because they would no longer match the majority of the applications you are currently blocking. Building a filter you are simply setting what characteristics you want to match on. 

Hi Bpry,

 

Thanks very much!  So to summarize, criteria within a filter are AND and filters within a group are OR.  That's very helpful.

 

Best,

- Steve

 

  • 1 accepted solution
  • 5043 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!