Data Center Security Policy Rulebase Order
Prevent rule shadowing and order the rulebase to ensure that only legitimate applications
are allowed.
Order the rules properly in the Security
policy rulebase to ensure that you allow only the applications and
traffic you intend to allow and so that no rule shadows another
rule.
The section Order the Data Center Security policy rulebase shows the full rulebase from
the previous examples (allow and block rules) in the correct order and explains each
rule's placement. The Security policy rulebase is an ordered list of your Security
policy rules.
The order of the rules in the rulebase determines how the firewall handles traffic. When
traffic matches a rule in the rulebase, the firewall executes the rule's Action on that
traffic and does not compare the traffic to any other Security policy rules. This is why
the order of the rules in the Security policy rulebase is critical. If the rules are in
the wrong order, traffic might match a rule that you did not intend it to match (this is
called shadowing).
- Keep the rulebase as small as you can for easier management. In some cases,
you can combine rules. A good guideline is that you can combine rules if five of
the following six objects are the same in those rules: source zone, destination
zone, source IP address, destination IP address, service port, and application.
- Use group objects such as application groups and address groups to simplify the
rulebase.
- In general, place more specific rules before more general rules to prevent
shadowing.
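The shadowing check and the five-of-six combine guideline above, as an added example that is not part of the original page and is not a PAN-OS tool: a small first-match evaluator over a constructed rulebase. A later rule is reported as shadowed when every packet it could match is already matched by an earlier rule (zones, service and application compared on equality or "any"; IP objects compared as CIDR containment). Rule names, subnets and the extra requirement that combine candidates share the same action are assumptions.

```python
import ipaddress
from dataclasses import dataclass

FIELDS = ("src_zone", "dst_zone", "src_ip", "dst_ip", "service", "application")


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    src_ip: str        # CIDR or "any"
    dst_ip: str        # CIDR or "any"
    service: str       # e.g. "tcp/22" or "any"
    application: str   # e.g. "ssh" or "any"
    action: str        # "allow" or "deny"


def _covers(earlier: str, later: str) -> bool:
    """Zone/service/application: 'any' covers everything, otherwise exact match."""
    return earlier == "any" or earlier == later


def _ip_covers(earlier: str, later: str) -> bool:
    """IP objects: 'any' covers all; otherwise the later CIDR must sit inside the earlier one."""
    if earlier == "any":
        return True
    if later == "any":
        return False
    return ipaddress.ip_network(later, strict=False).subnet_of(
        ipaddress.ip_network(earlier, strict=False))


def shadowed_by(earlier: Rule, later: Rule) -> bool:
    """True when the earlier rule matches every packet the later rule would match."""
    return (all(_covers(getattr(earlier, f), getattr(later, f))
                for f in ("src_zone", "dst_zone", "service", "application"))
            and _ip_covers(earlier.src_ip, later.src_ip)
            and _ip_covers(earlier.dst_ip, later.dst_ip))


def find_shadowed(rulebase: list) -> list:
    """Walk the ordered rulebase; report (shadowed rule, first rule that shadows it)."""
    hits = []
    for i, later in enumerate(rulebase):
        for earlier in rulebase[:i]:
            if shadowed_by(earlier, later):
                hits.append((later.name, earlier.name))
                break
    return hits


def can_combine(a: Rule, b: Rule) -> bool:
    """Page guideline: five of the six objects equal (same action is an added assumption)."""
    return a.action == b.action and sum(getattr(a, f) == getattr(b, f) for f in FIELDS) >= 5
```

Constructed input for the check: a general allow rule placed before a specific deny rule for the same zones is reported as shadowing it, and reversing the two rules clears the report.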