Internals of PAN FPGA/ASIC programming (regarding security rules)

L6 Presenter

Assume one uses a design guideline such as:

ALLOW GLOBAL (dstzone=any)

DENY (dstzone=x) specific log on session end
ALLOW (dstzone=x) specific
DENY (dstzone=x) any log on session start


DENY GLOBAL (dstzone=any) any log on session start

Will there be any difference if one uses a single dstzone=any rule (let's say to allow ping into each zone) compared to using one rule per dstzone to allow ping?

I mean, will the compiler/optimizer that programs the FPGA/ASIC in your PA device end up with the same code to load anyway?

Of course this is a non-issue if you just have a single rule, but let's assume you have 100 zones and need to use 100 "global" rules. For the administrator this would mean setting up 100 rules (going global style) vs 10000 rules (100 rules per dstzone).
