Data Center Security Policy Rulebase Order

Prevent rule shadowing and order the rulebase to ensure that only legitimate applications are allowed.
Order the rules properly in the Security policy rulebase to ensure that you allow only the applications and traffic you intend to allow and so that no rule shadows another rule.
The section Order the Data Center Security policy rulebase shows the full rulebase from the previous examples (the allow rules and the block rules) in the correct order and explains each rule's placement. The Security policy rulebase is an ordered list of your Security policy rules.
The order of the rules in the rulebase determines how the firewall handles traffic. The firewall evaluates the rulebase from the top down: when traffic matches a rule, the firewall applies that rule's Action to the traffic and does not compare the traffic to any rule below it. This is why rule order is critical. If a broader rule sits above a more specific rule that matches a subset of the same traffic, the specific rule never matches anything (it is shadowed), and the traffic is handled by a rule you did not intend, for example allowed by a general allow rule before a block rule lower in the rulebase can deny it. Traffic that matches no rule is handled by the predefined default rules at the bottom of the rulebase (intrazone-default allows, interzone-default denies).
The Security policy best practices book includes Security policy rulebase best practices, which describes best practices to follow as you build out your Security policy rulebase. Security policy rulebase best practices include:
  • Keep the rulebase as small as you can for easier management. In some cases, you can combine rules. A good guideline is that you can combine two rules if five of the following six objects are the same in both rules: source zone, destination zone, source IP address, destination IP address, service port, and application. The one object that differs becomes a group object (for example, an address group or an application group) in the combined rule.
  • Use Policy Optimizer to simplify the rulebase.
  • Use group objects such as application groups and address groups to simplify the rulebase.
  • In general, place more specific rules before more general rules to prevent shadowing.
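To make the first-match behaviour, the shadowing failure mode and the "five of six objects" merge guideline concrete, here is an added Python model of a small rulebase. It is example code written for this page, not PAN-OS code or configuration: the rule fields, the `matches`/`evaluate`/`shadowed`/`merge_candidates` helpers, the sample rules and the sample flow are all constructed. Services are reduced to a single token per flow, and unmatched traffic is treated as falling to the interzone-default deny (the model does not distinguish intrazone traffic). The wrong-order rulebase puts a general users-to-DMZ allow rule first, so the specific web and DNS allow rules beneath it are shadowed and a block rule for bittorrent is never reached.

```python
"""Toy model of first-match Security policy evaluation with a shadow check and
a 'five of six objects' merge check. Names, rule syntax and the sample rulebase
are constructed for illustration; they are not PAN-OS configuration or code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import combinations

ANY = frozenset({"any"})
FIELDS = ("src_zone", "dst_zone", "src_addr", "dst_addr", "service", "app")


def fs(*items):
    return frozenset(items)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str           # "allow" or "deny"
    src_zone: frozenset
    dst_zone: frozenset
    src_addr: frozenset   # CIDR strings, or ANY
    dst_addr: frozenset
    service: frozenset    # simplified: one service token per flow
    app: frozenset        # App-ID names


def matches(rule, flow):
    """True if every field of the flow is accepted by the rule."""
    for f in ("src_zone", "dst_zone", "service", "app"):
        allowed = getattr(rule, f)
        if allowed != ANY and flow[f] not in allowed:
            return False
    for f in ("src_addr", "dst_addr"):
        allowed = getattr(rule, f)
        if allowed != ANY and not any(
                ip_address(flow[f]) in ip_network(c) for c in allowed):
            return False
    return True


def evaluate(rulebase, flow):
    """Top down, first match wins. Unmatched traffic falls to the
    interzone-default deny, modelled here as a catch-all (assumption)."""
    for rule in rulebase:
        if matches(rule, flow):
            return rule.name, rule.action
    return "interzone-default", "deny"


def covers(sup, sub, f):
    """Does field value `sup` accept everything that `sub` accepts?"""
    if sup == ANY:
        return True
    if sub == ANY:
        return False
    if f in ("src_addr", "dst_addr"):
        return all(any(ip_network(s).subnet_of(ip_network(p)) for p in sup)
                   for s in sub)
    return sub <= sup


def shadowed(rulebase):
    """Rules that can never match because one earlier rule covers all six
    fields. Returns (shadowed rule, shadowing rule) pairs."""
    found = []
    for i, later in enumerate(rulebase):
        for earlier in rulebase[:i]:
            if all(covers(getattr(earlier, f), getattr(later, f), f)
                   for f in FIELDS):
                found.append((later.name, earlier.name))
                break
    return found


def merge_candidates(rulebase):
    """Same-action pairs that differ in at most one of the six objects: the
    differing object can become a group object and the two rules collapse."""
    return [(a.name, b.name) for a, b in combinations(rulebase, 2)
            if a.action == b.action
            and sum(getattr(a, f) == getattr(b, f) for f in FIELDS) >= 5]


# Constructed sample rules (hypothetical zones, addresses and names).
BLOCK_BT = Rule("block-bittorrent", "deny", ANY, ANY, ANY, ANY, ANY, fs("bittorrent"))
ALLOW_WEB = Rule("allow-web-dmz", "allow", fs("users"), fs("dmz"), ANY,
                 fs("10.1.0.0/24"), fs("application-default"), fs("web-browsing", "ssl"))
ALLOW_DNS = Rule("allow-web-dmz-dns", "allow", fs("users"), fs("dmz"), ANY,
                 fs("10.1.0.0/24"), fs("application-default"), fs("dns"))
ALLOW_DB = Rule("allow-db-from-web", "allow", fs("dmz"), fs("db"), fs("10.1.0.0/24"),
                fs("10.2.0.5/32"), fs("application-default"), fs("mysql"))
ALLOW_ANY_APP = Rule("allow-users-to-dmz-any", "allow", fs("users"), fs("dmz"),
                     ANY, ANY, ANY, ANY)

WRONG_ORDER = [ALLOW_ANY_APP, ALLOW_WEB, ALLOW_DNS, BLOCK_BT, ALLOW_DB]
CORRECT_ORDER = [BLOCK_BT, ALLOW_WEB, ALLOW_DNS, ALLOW_DB]  # general allow dropped

# Constructed flow: a user host pulling bittorrent from a DMZ server.
BT_FLOW = {"src_zone": "users", "dst_zone": "dmz", "src_addr": "10.0.5.9",
           "dst_addr": "10.1.0.20", "service": "application-default",
           "app": "bittorrent"}

if __name__ == "__main__":
    print("wrong order  :", evaluate(WRONG_ORDER, BT_FLOW), shadowed(WRONG_ORDER))
    print("correct order:", evaluate(CORRECT_ORDER, BT_FLOW), shadowed(CORRECT_ORDER))
    print("merge candidates:", merge_candidates(CORRECT_ORDER))
```

In the wrong order the bittorrent flow is allowed by the catch-all rule and both specific allow rules are reported as shadowed; in the correct order the block rule fires first, nothing is shadowed, and the two users-to-DMZ allow rules (identical except for the application) are flagged as a merge candidate that an application group would collapse into one rule.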