Order the Data Center Security Policy Rulebase

When traffic matches a Security policy rule, the firewall takes an action and the traffic hits no other rules. Incorrectly ordering the rulebase can allow traffic you want to deny or deny traffic you want to allow.
This section summarizes the data center Security policy rulebase for all four data center traffic flows to provide a snapshot of the complete rulebase and show the order of the rules. The preceding sections discuss each Security policy rule in detail (as well as the Decryption policy rules, and where required, the Authentication policy and DoS Protection policy rules).
The order of the rules is critical: no rule should shadow another rule. For example, block rules should not block traffic that you want to allow, so a whitelist rule that allows traffic a block rule would otherwise block must precede that block rule. Likewise, a whitelist rule should not allow traffic that you want to block. By creating very specific whitelist rules, you can tightly control the allowed applications and who can use them, and then block those applications for users who are not sanctioned to use them.
The first five rules whitelist DNS access for users and whitelist specific application and server access for specific user groups. These are the rules we configured in Create User-to-Data-Center Application Whitelist Rules.
(Figure: rules 1–5, the user-to-data-center application whitelist rules)
Only the specified users can use only the specified applications on their default ports to access only the specified data center destination servers (addresses). Security profiles protect all of these allow rules against threats. These rules precede the block rules that discover unknown users and applications on the network because these rules are very specific and prevent sanctioned users and applications from matching more general rules lower in the rulebase.
The next two block rules, which we created in Create Data Center Traffic Block Rules, discover unexpected applications from users on standard ports and on non-standard ports.
The preceding whitelist rules allow access for known users running only the applications they need for business purposes on standard (application-default) ports. Traffic from known users running the same applications on non-standard ports doesn’t match those whitelist rules and falls through to the following known-user rule, which logs the non-standard port usage and applies threat protection profiles to the traffic.
(Figure: rules 6 and 7, the block rules that discover unexpected applications from users)
Because these rules match only traffic from the user zones, traffic from other zones doesn’t match them. Place these rules above the application blocking rules (rules 16 and 17), or rules 16 and 17 will shadow them. (Traffic that matches these two rules may also match the more general application blocking rules. If the application blocking rules come first and match that traffic, it never reaches these rules and is not logged separately, so the rules cannot do their intended job of distinguishing blocks caused by employee user activity from blocks caused by activity from other zones.)
(Figure: rules 8–14, the whitelist rules for the other data center traffic flows)
Security profiles protect all of these allow rules against threats.
The next four rules, which we configured in Create Data Center Traffic Block Rules, block applications that you know you don’t want in your data center and unexpected applications, and discover unknown users on your network.
(Figure: rules 15–18, the block rules)
Rule 15 blacklists applications you never want in your data center. This rule comes after the whitelist allow rules so that those rules can carve out exceptions. For example, you may sanction one or two file sharing applications in application whitelist rules that precede this blacklist rule, and then the application filter in this rule blocks the rest of that application type to prevent the use of unsanctioned file sharing applications. If there are sets of applications or individual applications that you never want on your network and for which there are no exceptions, for example BitTorrent, you can create a specific blacklist rule to block just those applications and place it at the top of the rulebase, above the application whitelist rules. However, if you do this, you must be certain that none of the blacklisted applications has a legitimate business use, because the rule blocks them before any whitelist rule can allow them.
Rules 16 and 17 are analogous to rules 6 and 7, which discover unexpected applications from users (the traffic those rules apply to comes only from user zones). Rules 16 and 17 discover unexpected applications from all other zones. Having separate rules enables you to log blocking rule matches with greater granularity.
Rule 18 discovers unknown users so that you can log those attempted accesses separately for easier investigation.
As with all Security policy rulebases, the final two rules are the standard Palo Alto Networks default rules for intrazone traffic (allow) and interzone traffic (deny).
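To make the first-match and shadowing behaviour above concrete, here is an added Python model (not Palo Alto Networks code, and a simplification of PAN-OS matching) with a constructed rulebase that follows the order described on this page; the rule names, zones, user groups, applications and address objects are assumed sample values. `shadowed()` reports rules that an earlier rule fully covers, and `evaluate()` shows a user-zone flow landing on the wrong rule when the general block rule is moved to the top.

```python
from collections import namedtuple
from dataclasses import dataclass
ANY = "any"                            # a rule field set to "any" (constructed model)
FIELDS = ("src_zone", "user", "app", "dst")

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # "allow" or "deny"
    src_zone: str = ANY
    user: str = ANY                    # user group
    app: str = ANY
    dst: str = ANY                     # destination address object
    service: str = ANY                 # "application-default" or "any"

Flow = namedtuple("Flow", "src_zone user app dst default_port")  # default_port: app on its standard port

def _hit(rule_val, flow_val):
    return rule_val == ANY or rule_val == flow_val

def matches(rule, flow):
    # "application-default" matches only traffic on the app's standard port
    return (rule.service == ANY or flow.default_port) and all(
        _hit(getattr(rule, f), getattr(flow, f)) for f in FIELDS)

def evaluate(rulebase, flow):
    """First match wins; rules below the match are never consulted."""
    for r in rulebase:
        if matches(r, flow):
            return r.name, r.action
    return "interzone-default", "deny"  # the final default interzone deny

def shadowed(rulebase):
    """Names of rules an earlier rule fully covers, so they can never match."""
    def covers(e, l):
        return _hit(e.service, l.service) and all(
            _hit(getattr(e, f), getattr(l, f)) for f in FIELDS)
    return [l.name for i, l in enumerate(rulebase)
            if any(covers(e, l) for e in rulebase[:i])]

# Constructed rulebase in the page's order: whitelist, user-zone discovery, general block.
RULES = [
    Rule("dns-users", "allow", "users", ANY, "dns", "dns-servers", "application-default"),
    Rule("finance-sql", "allow", "users", "finance", "mssql-db", "db-servers", "application-default"),
    Rule("users-unexpected-apps", "deny", "users", service="application-default"),
    Rule("users-nonstandard-ports", "deny", "users"),
    Rule("other-zones-block", "deny"),
]
MISORDERED = [RULES[-1]] + RULES[:-1]   # the general block moved above the specific rules
```

Running `shadowed(MISORDERED)` names every specific rule, and a finance user on a non-standard port is denied by `other-zones-block` instead of being logged by the user-zone rule.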