05-17-2012 01:35 PM
It was explained to me that each rule should have them. At least for how I was applying policies. You just want to make sure that each packet allowed through has policies that apply to your traffic at risk. If you have a rule that traffic matches on the top and you don't have any threat policies there then none will be applied because the traffic has already been permitted without. If I am incorrect in this understanding or was not clear enough please post further clarification.
From: jorge <live@paloaltonetworks.com>
Reply-To: live <live@paloaltonetworks.com>
To: Brad Spilde <brad.spilde@daktronics.com>
Is it important to have the Antivirus, Vulnerability and Anti-Spyware rule as the first policy?
thanks
05-17-2012 01:37 PM
You're right. I've gone ahead and applied them to all the policies.
Thank You!
05-17-2012 02:03 PM
The security rules in PA devices are executed in top-down first-match order (similar to how ACLs in Cisco devices work).
Which gives that if you have a rule where you didn't enable antivirus etc and this rule is hit then the traffic hitting this rule won't be examined for viruses.
You can use the "test" command in the CLI to figure out which rule will be matched for which traffic.
A general recommendation is to use whitelisting instead of blacklisting (e.g. rules with which traffic you want to allow and then block as default) and when blacklisting is used make sure to make that as broad as possible while whitelisting should be as narrow as possible.
For example setting srczone:any is mostly a good thing for blacklists but often a bad thing for whitelists (security-wise).
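The top-down, first-match behaviour discussed in this thread, as an added example that is not part of any poster's reply and is not PAN-OS code: a small Python model that finds the rule a flow hits and lists allow rules missing threat profiles. The rule names, zones, `Rule` class and helper functions are all hypothetical and the rulebase is constructed.

```python
from dataclasses import dataclass

# Profile types named in the thread's question.
PROFILE_TYPES = frozenset({"antivirus", "vulnerability", "anti-spyware"})

@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str            # "any" matches every zone
    dst_zone: str
    app: str                 # "any" matches every application
    action: str              # "allow" or "deny"
    profiles: frozenset = frozenset()

def _matches(rule_value, value):
    return rule_value == "any" or rule_value == value

def first_match(rules, src_zone, dst_zone, app):
    """Return the first rule (top-down) matching the flow; later rules are never consulted."""
    for rule in rules:
        if (_matches(rule.src_zone, src_zone)
                and _matches(rule.dst_zone, dst_zone)
                and _matches(rule.app, app)):
            return rule
    return None  # nothing matched: treated as default deny in this model

def uninspected_allows(rules):
    """Map each allow rule to the profile types it lacks (audit view of the rulebase)."""
    gaps = {}
    for rule in rules:
        missing = PROFILE_TYPES - rule.profiles
        if rule.action == "allow" and missing:
            gaps[rule.name] = sorted(missing)
    return gaps

# Constructed rulebase: the top rule permits web traffic with no profiles,
# so the fully profiled rule below it never sees that traffic.
RULES = [
    Rule("allow-web-out", "trust", "untrust", "web-browsing", "allow"),
    Rule("allow-all-out", "trust", "untrust", "any", "allow", PROFILE_TYPES),
    Rule("deny-rest", "any", "any", "any", "deny"),
]

if __name__ == "__main__":
    hit = first_match(RULES, "trust", "untrust", "web-browsing")
    print("web-browsing hits:", hit.name, "profiles:", sorted(hit.profiles))
    print("allow rules without full inspection:", uninspected_allows(RULES))
```
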