Regularly tracking and auditing the rulebase is a best practice for network
security. It involves reviewing and updating rules based on changing organizational
needs, compliance requirements, or emerging threat landscapes. Rules that are too
broad introduce security gaps because they allow applications that aren’t in use in
your network.
Your rulebase shows all configured rules in order of enforcement.
This includes essential information such as rule names, rule types, applied security
profiles, action settings, source and destination zones, and more. You can review
and analyze this information to ensure that the rules align with the organization's
security objectives and operational requirements.
Intuitive search and filtering capabilities are also available, enabling
you to easily locate specific rules within the rulebase, manage security rules and
troubleshoot efficiently.
Each rule within a rulebase is automatically numbered; when you move or reorder
rules, the numbers change based on the new order. When you filter the list of rules
to find rules that match specific criteria, each rule, its number in the context of
the complete set of rules in the rulebase, and its place in the evaluation order is
shown.
Rule numbering reflects the hierarchy and evaluation order of shared rules, device
group pre-rules, device group post-rules, and default rules. You can view an ordered
list of the total number of rules in your configuration.
Track Rules Within a Rulebase (Strata Cloud Manager)
Keep track of rules within a rulebase; manage pre-rules and post-rules and view the
complete list of rules with numbers.
To view your Security policy rulebase, go to ManageConfigurationNGFW and Prisma AccessSecurity ServicesSecurity Policy. Read on to learn more about how your rulebase is organized.
Pre-Rules and Post-Rules
For security rules that are in the shared configuration folder (they apply
globally across your entire configuration), you can decide if the rule should be
enforced ahead of or after rules in the other configuration folders. These are
called pre-rules and post-rules.
With Strata Cloud Manager, you can apply configuration settings and
enforce policy globally across your entire environment, or target
settings and policy to certain parts of your organization. When working
in your Strata Cloud Manager configuration management, the current Configuration Scope is always
visible to you, and you can toggle your view to manage a broader or more
granular configuration.
Pre-rules are global rules that take precedence
over deployment-specific rules and are applied to traffic first.
Post-rules are global rules that are applied to
traffic only after shared pre-rules and deployment-specific rules are
applied.
When you’re setting up a shared security rule, specify for it to be a
pre-rule or a post-rule.
When you’re looking at your Security policy rulebase, you can easily identify
pre- and post-rules and distinguish them from deployment-specific rules.
When you’re working in a configuration folder that’s not shared, you
can still easily identify the rules that are shared across your entire
configuration — shared rules are highlighted so you can distinguish them from
the rules that are specific to another configuration folder.
Rule Numbers
After you push your configuration to your devices, view the complete list
of rules with numbers.
Select ManageConfigurationNGFW and Prisma AccessSecurity ServicesSecurity Policy.