Policy rules organization

Reply
Highlighted
L1 Bithead

Policy rules organization

hello Everyone hope everything is doing well.

 

questions for the experts on palo

i have 260 rules on my palo alto environment and they are subdivided in zones and i would like to make things more organized on my rules  .

question is the rules more high used on the palo should be always first ? like more verbose rules or it doesn't matter where they are they will be no performance issue ?

 

thank you

Matheus

 

Highlighted
Cyber Elite

Re: Policy rules organization

Hello,

Tricky question. If you are running code 9 or 9.1 then there is a counter for each policy so you can see which ones get hit more often. A few things to remember is that the PAN evaluates policies top to bottom left to right. So the order of the policies matter. What I do is put the stuff I know is a block, e.g. dynamic block lists, at the top so they dont sneak through. Then order the policies of highest use closer to the top without over riding a more specific policy. 

 

Basically take your time and think it out. Do one or a few at a time so as not to cause confusion.

 

Hope that helps.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!