1. Home
    2. Panorama
    3. Panorama™ Administrator’s Guide
    4. Manage Firewalls
    5. Manage the Rule Hierarchy
    End-of-Life (EoL)
    Previous
    Next
    The order of policy rules is critical for the security of your network. Within any policy layer (shared, device group, or locally defined rules) and rulebase (for example, shared Security pre-rules), the firewall evaluates rules from top to bottom in the order they appear in the pages of the Policies tab. The firewall matches a packet against the first rule that meets the defined criteria and ignores subsequent rules. Therefore, to enforce the most specific match, move the more specific rules above more generic rules.
    		 To understand the order in which the firewall evaluates rules by layer and by type (pre-rules, post-rules, and default rules) across the Device Group Hierarchy, see Device Group Policies.
    Manage the Rule Hierarchy
    View the rule hierarchy for each rulebase. Select the Policies tab and click Preview Rules. Filter the preview by Rulebase (for example, Security or QoS). Filter the preview to display the rules of a specific Device Group and the rules it inherits from the Shared location and ancestor device groups. You must select a device group that has firewalls assigned to it. Filter the preview by Device to display its locally defined rules. Click the green arrow icon to apply your filter selections to the preview (see Figure: Rule Hierarchy). Close the Combined Rules Preview dialog when you finish previewing rules.
    Delete or disable rules, if necessary. To determine which rules a firewall doesn’t currently use, select that firewall in the Context drop-down on Panorama, select the rulebase (for example, Policies > Security), and select the Highlight Unused Rules check box. A dotted orange background indicates the rules that the firewall doesn’t use. Select the rulebase (for example, Policies > Security > Pre Rules) that contains the rule you will delete or disable. Select the Device Group that contains the rule. Select the rule, and click Delete or Disable as desired. Disabled rules appear in italicized font.
    Reposition rules within a rulebase, if necessary. To reposition local rules on a firewall, access its web interface by selecting that firewall in the Context drop-down before performing this step. Select the rulebase (for example, Policies > Security > Pre Rules) that contains the rule you will move. Select the Device Group that contains the rule. Select the rule, select Move, and select: Move Top —Moves the rule above all other rules in the device group (but not above rules inherited from Shared or ancestor device groups). Move Up —Moves the rule above the one that precedes it (but not above rules inherited from Shared or ancestor device groups). Move Down —Moves the rule below the one that follows it. Move Bottom —Moves the rule below all other rules. Move to other device group —See Move or Clone a Policy Rule or Object to a Different Device Group.
    If you modified the rules, save the changes. Click Commit, for the Commit Type select Panorama, and click Commit again. Click Commit, for the Commit Type select Device Group, select the device group that contains the rules you changed or deleted, and click Commit again.
    Previous
    Next

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2022 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo