# of rules vs simplicity

L0 Member

Hi all,


I'm currently reviewing our PA-5250 security policy ruleset and I'm doubting the best way to handle it. We have about 800 rules and lots of those rules combine functions. For example, a server is allowed to FTP to IP a.b.c.d and should be allowed to SSL to IP w.x.y.z. At the moment this is combined in one rule, which means that the server is also allowed to FTP to w.x.y.z and to SSL to the first IP.

If I were to split up all those kinds of rules I would at least double the number of rules. I know the limit on the # of rules for the 5250 is 40000, so we are nowhere near that.

My questions:

- from a management perspective is it better to have lots of small rules or lots of "combined" rules

- from a resource/throughput perspective: is it better to have, for example, 10000 simple rules (1 source - 1 destination) or 2000 complex rules (multiple sources and destinations)


Thanks in advance for your opinion on this topic 
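To make the over-permission in the question concrete, here is an added example (not code from the original thread or from Palo Alto Networks): a toy first-match model of a security policy that evaluates the combined rule against the two split rules. The host name "server", the addresses a.b.c.d and w.x.y.z, and the application names "ftp"/"ssl" are placeholders taken from the post; zones, service/application-default and security profiles are deliberately left out of the model.

```python
"""Toy first-match model of a firewall security policy.

Added example, not code from the original thread or from Palo Alto Networks.
It shows what the "combined" rule from the question permits compared with the
two split rules, and lists the unintended flows a combined rule opens.
Host and address names (server, a.b.c.d, w.x.y.z) are placeholders from the
post, and "ftp"/"ssl" stand in for the App-ID names.
"""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    app: str


@dataclass
class Rule:
    name: str
    sources: set
    destinations: set
    apps: set
    action: str = "allow"

    def matches(self, f: Flow) -> bool:
        # A rule matches when the flow hits ANY source, ANY destination
        # and ANY application listed: the match is a cross product.
        return f.src in self.sources and f.dst in self.destinations and f.app in self.apps


def evaluate(rules, flow):
    """First matching rule wins; anything unmatched hits the implicit deny."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action, rule.name
    return "deny", "implicit-deny"


def permitted_flows(rule):
    """All (src, dst, app) triples a single rule allows: the full cross product."""
    return {Flow(s, d, a) for s, d, a in product(rule.sources, rule.destinations, rule.apps)}


def unintended_flows(rule, intended):
    """Flows the rule permits that were never part of the requirement."""
    return permitted_flows(rule) - set(intended)


def split_rule(rule, intended):
    """One rule per intended flow, so the policy permits exactly the requirement."""
    return [
        Rule(f"{rule.name}-{i}", {f.src}, {f.dst}, {f.app}, rule.action)
        for i, f in enumerate(intended, start=1)
    ]


# Constructed sample: the requirement described in the question.
INTENDED = [Flow("server", "a.b.c.d", "ftp"), Flow("server", "w.x.y.z", "ssl")]
COMBINED = Rule("server-combined", {"server"}, {"a.b.c.d", "w.x.y.z"}, {"ftp", "ssl"})

if __name__ == "__main__":
    probe = Flow("server", "w.x.y.z", "ftp")  # FTP to the host that should only see SSL
    print("combined rule:", evaluate([COMBINED], probe))
    print("unintended   :", sorted(map(str, unintended_flows(COMBINED, INTENDED))))
    split = split_rule(COMBINED, INTENDED)
    print("split rules  :", evaluate(split, probe), f"({len(split)} rules)")
```

Running it shows the combined rule allowing the FTP-to-w.x.y.z probe and reporting two unintended flows, while the split policy sends the same probe to the implicit deny. The same `unintended_flows` check applied across an exported ruleset is a quick way to find which of the 800 rules actually carry cross-product exposure and are worth splitting first.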


Cyber Elite
For the chassis' performance, neither situation has a huge impact. From a management perspective, more rules means more complexity, but this helps the third view: security. How secure are combined rules? It also depends on your stance: open, relying on security profiles to stop threats, or restrictive, preventing threats before they happen. To help with the logistical nightmare of managing hundreds or thousands of rules, there are a few things that can help, like tagging your zones, which helps filter your view of the policy to the task at hand. Rule Usage and the PAN-OS 9.0 'policy optimizer' tool can help determine which rules are being used or can be improved.
Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

L7 Applicator

From a management perspective: 1 policy, allow all.

From a security perspective, I would not hesitate to split your example into 2 separate policies, regardless of the sums...

It may be that your servers listed are not listening on the other ports, but for me it's "peace of mind" and confidence in saying "No.. That's not possible".


The filter option works for me to only see the policies needed.


There are of course many reasons to combine policies, but not for ease of management over security.



This is a great question, and @reaper and @Mick_Ball both had great feedback. Another thing to consider is the supportability and technical capability of the staff administering the box. If the techs looking into potential firewall problems are senior staff with 9+ years of experience, then the more complex rule base shouldn't cause a problem in the slightest. However, if you have more junior, less seasoned people administering the FW, then a simpler, more straightforward policy base might be more appropriate.


If you're using IP definitions in at least one direction, application-based policy that's using application-default, threat features enabled, and SSL decryption, there might not be as great a risk in combining 'like' requirements into one rule versus breaking out that one rule into 20+.


I think there are many factors that can lead an admin towards one direction or another, complex or simple rule base; if the admin of the box can't discern the scope and intent of a firewall rule, then that network is going to be inherently less secure and more vulnerable.


It also depends on any requirements, such as compliance, you might be under. For instance, we are under a 'Least Privilege, deny all, allow by exception' requirement. So in the example you gave, we would require two policies, since combining them would be similar to permissions creep, where you allow more than should be allowed.


Hope that makes sense.

Complexity is the enemy of security? This is a great discussion... it gets harder to manage the larger the ruleset gets, I think. Keeping things simple in a complex world is a challenge.
