Manage the Rule Hierarchy

The order of policy rules is critical for the security of your network. Within any policy layer (shared, device group, or locally defined rules) and rulebase (for example, shared Security pre-rules), the firewall evaluates rules from top to bottom in the order they appear in the pages of the Policies tab. The firewall matches a packet against the first rule that meets the defined criteria and ignores subsequent rules. Therefore, to enforce the most specific match, move the more specific rules above more generic rules.
To understand the order in which the firewall evaluates rules by layer and by type (pre-rules, post-rules, and default rules) across the Device Group Hierarchy, see Device Group Policies.
  1. View the rule hierarchy for each rulebase.
    1. Select the Policies tab and click Preview Rules.
    2. Filter the preview by Rulebase (for example, Security or QoS).
    3. Filter the preview to display the rules of a specific Device Group and the rules it inherits from the Shared location and ancestor device groups. You must select a device group that has firewalls assigned to it.
    4. Filter the preview by Device to display its locally defined rules.
    5. Click the green arrow icon to apply your filter selections to the preview (see Device Group Policies).
    6. Close the Combined Rules Preview dialog when you finish previewing rules.
  2. Delete or disable rules, if necessary.
    To determine which rules a firewall doesn't currently use, select that firewall in the Context drop-down on Panorama, select the rulebase (for example, Policies > Security), and select the Highlight Unused Rules check box. A dotted orange background indicates the rules that the firewall doesn't use.
    1. Select the rulebase (for example, Policies > Security > Pre Rules) that contains the rule you will delete or disable.
    2. Select the Device Group that contains the rule.
    3. Select the rule, and click Delete or Disable as desired. Disabled rules appear in italicized font.
  3. Reposition rules within a rulebase, if necessary.
    To reposition local rules on a firewall, access its web interface by selecting that firewall in the Context drop-down before performing this step.
    1. Select the rulebase (for example, Policies > Security > Pre Rules) that contains the rule you will move.
    2. Select the Device Group that contains the rule.
    3. Select the rule, select Move, and select:
       • Move Top—Moves the rule above all other rules in the device group (but not above rules inherited from Shared or ancestor device groups).
       • Move Up—Moves the rule above the one that precedes it (but not above rules inherited from Shared or ancestor device groups).
       • Move Down—Moves the rule below the one that follows it.
       • Move Bottom—Moves the rule below all other rules.
  4. If you modified the rules, commit and push the changes.
    1. Select Commit > Commit and Push and Edit Selections in the Push Scope.
    2. Select Device Groups, select the device group that contains the rules you changed or deleted, and click OK.
    3. Commit and Push your changes to the Panorama configuration and to device groups.
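The following Python model is an added example (not Panorama code or any Palo Alto API) of why rule order and layer matter. It flattens a set of rule layers into the single top-to-bottom list the firewall walks, applies first-match semantics, flags rules that can never match because an earlier, broader rule covers them, and implements a Move Top that only reorders within a rule's own layer, so a device-group rule cannot climb above inherited Shared rules. The layer order constant, the rule fields, and the sample rulebase are all constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed evaluation order across the Device Group Hierarchy for this example:
# Shared pre-rules, device-group pre-rules, locally defined rules,
# device-group post-rules, Shared post-rules, then the default rules.
LAYER_ORDER = ["shared-pre", "dg-pre", "local", "dg-post", "shared-post", "default"]


@dataclass
class Rule:
    name: str
    source: str   # source address as a CIDR
    app: str      # application name, or "any"
    action: str   # "allow" or "deny"

    def matches(self, src_ip: str, app: str) -> bool:
        return ip_address(src_ip) in ip_network(self.source) and self.app in ("any", app)

    def covers(self, other: "Rule") -> bool:
        """True if every packet that matches `other` also matches this rule."""
        src_ok = ip_network(self.source).supernet_of(ip_network(other.source))
        app_ok = self.app == "any" or self.app == other.app
        return src_ok and app_ok


def combined_rules(layers):
    """Flatten the layers into the one ordered list the firewall evaluates."""
    return [(layer, rule) for layer in LAYER_ORDER for rule in layers.get(layer, [])]


def evaluate(layers, src_ip, app):
    """First match wins; every later rule is ignored."""
    for _, rule in combined_rules(layers):
        if rule.matches(src_ip, app):
            return rule.name, rule.action
    return None, None


def shadowed_rules(layers):
    """Names of rules that can never match because an earlier rule covers them.
    These are candidates for repositioning, or for the Highlight Unused Rules review."""
    flat = [rule for _, rule in combined_rules(layers)]
    return [
        later.name for i, later in enumerate(flat)
        if any(earlier.covers(later) for earlier in flat[:i])
    ]


def move_top(layers, layer, name):
    """Move Top semantics: the rule goes above all other rules in its own layer,
    but never above rules inherited from Shared or ancestor device groups,
    because those sit in an earlier layer of LAYER_ORDER."""
    rules = layers[layer]
    idx = next(i for i, r in enumerate(rules) if r.name == name)
    rules.insert(0, rules.pop(idx))
    return layers


def build_layers():
    # Constructed sample rulebase; the broad allow above the narrow deny
    # is the classic ordering mistake the page warns about.
    return {
        "shared-pre": [Rule("block-known-bad", "203.0.113.0/24", "any", "deny")],
        "dg-pre": [
            Rule("allow-corp-web", "10.0.0.0/8", "web-browsing", "allow"),
            Rule("deny-guest-web", "10.20.0.0/16", "web-browsing", "deny"),
        ],
        "default": [Rule("interzone-default", "0.0.0.0/0", "any", "deny")],
    }


if __name__ == "__main__":
    layers = build_layers()
    print(evaluate(layers, "10.20.1.5", "web-browsing"))  # the generic allow wins
    print(shadowed_rules(layers))                         # ['deny-guest-web']
    move_top(layers, "dg-pre", "deny-guest-web")
    print(evaluate(layers, "10.20.1.5", "web-browsing"))  # the specific deny now wins
    print(shadowed_rules(layers))                         # []
```

Running the block shows the guest-network deny silently doing nothing until it is moved above the broader corporate allow; after the move, the Shared pre-rule still sits first in the combined order, which is exactly the constraint the Move Top and Move Up options enforce.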