09-08-2019 04:48 PM
Hi All,
I have an outbound web-browsing rule, rule criteria is source zone (trust) destination zone (untrust) , application (web-browsing, ssl), service (tcp-80, tcp-443)
If you are going to create more application-specific rules, does it make more sense to put those rules AFTER the outbound web-browsing rule? For instance, say you're going to create 4 additional rules, 1 for dropbox, 1 for facebook/twitter, 1 for youtube, and another for ms-update. Would it be a best/common practice to put these 4 rules after the outbound web-browsing rule?
To me it makes sense, since a lot of these applications have a dependency on web-browsing/ssl, but wanted to ask anyway.
09-08-2019 08:15 PM
It doesn't matter. When the application shifts away from web-browsing to, say dropbox-base, the entire rulebase gets re-analysed and the location of the policy allowing dropbox-base won't matter as long as it is above any deny policy that would match the traffic.
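The point in this reply, that a rulebase is first-match and gets re-walked from the top when the identified application shifts, is easy to see with a toy evaluator. The code below is an added illustration, not PAN-OS code and not from anyone in this thread; the Rule/Session structures, the evaluate() function and the sample rulebases are constructed for the example. It shows that the dropbox-base allow rule matches whether it sits before or after the generic web-browsing rule, and that only a deny rule placed above it changes the outcome.

```python
"""Toy model of first-match security-policy evaluation with an App-ID shift.

Assumptions (constructed for this example, not PAN-OS behaviour in detail):
a rule matches on source zone, destination zone and application only;
the rulebase is walked top-down and the first match wins; anything that
matches nothing hits an implicit interzone deny at the bottom.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    apps: frozenset  # application names; "any" matches every application
    action: str      # "allow" or "deny"


@dataclass
class Session:
    src_zone: str
    dst_zone: str
    app: str         # the application currently identified for the session


def evaluate(rulebase, session):
    """Return (rule name, action) of the first matching rule, or the implicit deny."""
    for rule in rulebase:
        if rule.src_zone != session.src_zone or rule.dst_zone != session.dst_zone:
            continue
        if "any" not in rule.apps and session.app not in rule.apps:
            continue
        return rule.name, rule.action
    return "interzone-default", "deny"


def shift_and_reevaluate(rulebase, session, new_app):
    """Model an App-ID shift: the app changes and the whole rulebase is walked again."""
    before = evaluate(rulebase, session)
    session.app = new_app
    after = evaluate(rulebase, session)
    return before, after


# Constructed sample rules mirroring the thread's scenario.
WEB = Rule("outbound-web-browsing", "trust", "untrust",
           frozenset({"web-browsing", "ssl"}), "allow")
DROPBOX = Rule("allow-dropbox", "trust", "untrust",
               frozenset({"dropbox-base"}), "allow")
DENY_DROPBOX = Rule("block-dropbox", "trust", "untrust",
                    frozenset({"dropbox-base"}), "deny")

GENERIC_FIRST = [WEB, DROPBOX]            # generic rule above the granular one
GRANULAR_FIRST = [DROPBOX, WEB]           # granular rule above the generic one
DENY_ABOVE = [WEB, DENY_DROPBOX, DROPBOX]  # a deny sits above the allow


def demo(rulebase, new_app="dropbox-base"):
    """Start a session as web-browsing, shift it to new_app, report both matches."""
    session = Session("trust", "untrust", "web-browsing")  # constructed sample session
    return shift_and_reevaluate(rulebase, session, new_app)


if __name__ == "__main__":
    for label, rb in (("generic first", GENERIC_FIRST),
                      ("granular first", GRANULAR_FIRST),
                      ("deny above allow", DENY_ABOVE)):
        print(f"{label:17s} {demo(rb)}")
    # An application no rule covers falls through to the implicit deny.
    print(f"{'uncovered app':17s} {demo(GENERIC_FIRST, 'youtube-base')}")
```

Running it prints the same result for the generic-first and granular-first rulebases: the session matches outbound-web-browsing first and allow-dropbox after the shift. Only the rulebase with block-dropbox above the allow rule ends in a deny, which is the one ordering that actually matters.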
09-09-2019 07:39 AM
Personally, I would put the more granular rules before less granular rules. Just my thinking though.
09-09-2019 08:52 AM - edited 09-09-2019 08:54 AM
Thanks for the reply. Yes, agreed, it does not matter, but I was more curious as to what the best practice is from a processing standpoint.
Very good point on all the rules getting re-evaluated. Is it safe to say, the most hit rules are better to be towards the top of the rulebase then, or due to firewall performance specs, it doesn't really matter?
09-09-2019 09:00 AM
Due to firewall processing specs it really doesn't matter if the rules are located towards the top or towards the bottom. The amount of time that it takes for a firewall with thousands of security policies to match the very first entry in the security rulebase versus the very last is not measurable without the use of full debug logging, and even then it's a negligible amount. Essentially PAN has accounted for any latency due to actually processing the policies by enforcing platform policy limits.
07-31-2021 12:50 AM
Hi BPry,
Apologies for jumping into this thread.
Could you please help me understand whether we need any rule for web-browsing or https in order to allow the above applications?
What I understand is that they should work without the http and https rule.