Order the Data Center Security Policy Rulebase

When traffic matches a Security policy rule, the firewall takes an action and the traffic hits no other rules. Incorrectly ordering the rulebase can allow traffic you want to deny or deny traffic you want to allow.
This topic provides a snapshot of the example Security policy rulebase that shows the order of the rules for all four data center traffic flows. The preceding sections discuss each Security policy rule in detail (as well as the Decryption policy rules, and where required, the Authentication policy and DoS Protection policy rules).
The order of the Security policy rules is critical. No rule should shadow another rule. For example, block rules should not block traffic that you want to allow, so you must place allow rules
the rule that would block the traffic goes into effect. In addition, an allow rule should not allow traffic that you want to block. By creating very specific allow rules, you tightly control the allowed applications and who can and cannot use them.
Rules 1-7
: The first two rules block the QUIC application to prevent it from blocking traffic or preventing decryption. The next five rules allow DNS access for users and allow specific application and server access for specific user groups. These are the rules configured in Create User-to-Data-Center Application Allow Rules.
Data Center Rules 1-7
Only the specified users can use only the specified applications on their default ports to access only the specified data center destination servers (addresses). Security profiles protect all of these allow rules against threats. These rules precede block rules that discover unknown users and applications on the network because these rules are very specific and they prevent sanctioned users and applications from matching more general rules lower in the rulebase.
Rules 8-9
: While the preceding rules allow sanctioned applications, the next two rules, created in Create Data Center Traffic Block Rules, discover and block unexpected applications from users on standard ports and block all applications on non-standard ports. (Your deployment may have more user zones than shown in the example.)
Data Center Rules 8-9
Traffic from non-user zones doesn’t match these rules. Place these rules above the application blocking rules (rules 18 and 19) or those rules will shadow these rules. (Traffic that matches these two rules may also match the more general application blocking rules. If the application blocking rules come first and match traffic that also matches these rules, that traffic won’t match these rules and won’t be logged separately, so the rules won’t do their intended job of differentiating blocking that is the result of employee user activity from blocking that is the result of activity from non-user zones.)
Rules 10-16
: The next seven rules allow traffic between the data center and the internet and within the data center (created in Create Internet-to-Data-Center Application Allow Rules, Create Data-Center-to-Internet Application Allow Rules, and Create Intra-Data-Center Application Allow Rules.) Security profiles protect all of these allow rules against threats.
Data Center Rules 10-16
Rules 17-20
: The last four rules, configured in Create Data Center Traffic Block Rules, block applications that you know you don’t want in your data center and unexpected applications, and discover unknown users on your network.
Rule 17 blocks applications you never want in your data center. This rule comes after the application allow rules to enable access for exceptions. For example, you may sanction one or two file sharing applications in application allow rules that precede this block rule, and then the application filter in this rule blocks the rest of that application type to prevent the use of unsanctioned file sharing applications. If there are sets of applications or individual applications that you never want on your network and for which there are no exceptions, for example, BitTorrent, you can create a specific block rule to block just those applications and place it at the top of the rulebase, above the application allow rules. However, if you do this, you must be certain that none of the blocked applications have legitimate business uses because users will not be able to access them.
Rules 18 and 19 are analogous to rules 8 and 9, which discover unexpected applications from users (the traffic those rules apply to comes only from user zones). Rules 18 and 19 discover unexpected applications from all other zones. Having separate rules enables you to log blocking rule matches with greater granularity.
Rule 20 discovers unknown users so that you can log those attempted accesses separately for easier investigation.
As with all Security Policy rulebases, the final two rules will be the Palo Alto Networks default rules for intrazone traffic (allow) and interzone traffic (deny).

Recommended For You