Enable Wildcard Top Down Match Mode to evaluate packets that match Security policy rules having overlapping wildcard masks.

Security policy rules support source and destination addresses written as a wildcard address: an IP address and a wildcard mask separated by a slash, such as 10.1.2.3/0.127.248.0. A single wildcard address can identify many source or destination addresses in one Security policy rule. In earlier releases, if an address matched rules with overlapping wildcard masks, the firewall always matched the rule whose wildcard mask has the longest prefix and examined no other rules. This is still the default behavior.
However, there are use cases where you want broad rules that allow a set of sources access to generic applications (such as Ping, Traceroute, and web-browsing), plus narrower rules that allow a subset of those sources access to additional applications (such as SSH and SCP) on top of the generic ones. In earlier releases, such a deployment did not work because only the rule with the longest prefix in the wildcard mask was processed and the other rules were not considered. The workaround was to copy the applications from the broader rules into the narrower rules, which added operational complexity.
Beginning with PAN-OS 10.2.1, you can enable Wildcard Top Down Match Mode so that when a packet's IP address matches prefixes in Security policy rules that have overlapping wildcard masks, the firewall chooses the first fully matching rule in top-down order instead of the matching rule with the longest prefix in its wildcard mask. In Wildcard Top Down Match Mode, more than one of the overlapping rules can be enforced, each on different packets, not just the rule with the longest matching prefix. Place your more specific rules toward the top of the list. For example, a rule near the top can allow a smaller range of matching addresses (a longer wildcard mask) to access certain applications, and a subsequent rule can allow a larger range of addresses (a shorter wildcard mask) to access a different, more generic set of applications.
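The following Python model, added here as an illustration and not taken from PAN-OS or Palo Alto Networks, shows how the two evaluation orders differ on the use case above. It assumes the usual wildcard-mask convention (a 0 bit in the mask means the packet bit must equal the address bit, a 1 bit means the bit is ignored), measures rule specificity as the number of fixed bits in the mask, and models the earlier behavior as "select the matching rule with the most fixed bits, then let only that rule's application list decide". The rule names, address ranges and application sets are constructed sample data, and the policy is simplified to source address and application.

```python
"""Model of Security policy matching for source addresses written as
IP/wildcard-mask: default longest-prefix selection versus Wildcard Top Down
Match Mode. Example code, not PAN-OS code; conventions are assumptions."""
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

ALL_ONES = 0xFFFFFFFF


def _ip_to_int(dotted: str) -> int:
    """Convert dotted-quad IPv4 text to a 32-bit integer, validating each octet."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"invalid IPv4 address: {dotted!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


@dataclass(frozen=True)
class WildcardAddress:
    """Address/wildcard pair such as 10.1.2.3/0.127.248.0.

    Assumed convention: a 0 bit in the mask must match the address bit,
    a 1 bit in the mask is a don't-care bit."""
    address: int
    mask: int

    @classmethod
    def parse(cls, spec: str) -> "WildcardAddress":
        addr, _, mask = spec.partition("/")
        if not mask:
            raise ValueError(f"expected ADDRESS/WILDCARD, got {spec!r}")
        return cls(_ip_to_int(addr), _ip_to_int(mask))

    @property
    def fixed_bits(self) -> int:
        # Bits the packet must match. More fixed bits = narrower rule,
        # i.e. the "longer prefix" the default mode prefers.
        return 32 - bin(self.mask).count("1")

    def matches(self, ip: str) -> bool:
        fixed = ALL_ONES & ~self.mask
        return (_ip_to_int(ip) & fixed) == (self.address & fixed)


@dataclass(frozen=True)
class Rule:
    name: str
    source: WildcardAddress
    applications: frozenset  # applications this (allow) rule permits


Match = Tuple[Optional[str], bool]  # (rule name or None, traffic allowed?)


def evaluate_longest_prefix(rules: Iterable[Rule], src_ip: str, app: str) -> Match:
    """Default behavior: among rules whose wildcard address matches, only the
    one with the most fixed bits is examined; its application list decides."""
    candidates = [r for r in rules if r.source.matches(src_ip)]
    if not candidates:
        return (None, False)
    best = max(candidates, key=lambda r: r.source.fixed_bits)  # first wins ties
    return (best.name, app in best.applications)


def evaluate_top_down(rules: Iterable[Rule], src_ip: str, app: str) -> Match:
    """Wildcard Top Down Match Mode: the first rule in list order that fully
    matches (address and application) is enforced."""
    for rule in rules:
        if rule.source.matches(src_ip) and app in rule.applications:
            return (rule.name, True)
    return (None, False)


# Constructed sample policy: narrow admin rule placed above a broad generic rule.
POLICY = (
    Rule("admin-jump-hosts", WildcardAddress.parse("10.1.2.0/0.0.0.7"),
         frozenset({"ssh", "scp"})),                          # 10.1.2.0-7, 29 fixed bits
    Rule("campus-generic", WildcardAddress.parse("10.1.0.0/0.0.255.255"),
         frozenset({"ping", "traceroute", "web-browsing"})),  # 10.1.x.x, 16 fixed bits
)

if __name__ == "__main__":
    for src, app in [("10.1.2.5", "ssh"), ("10.1.2.5", "web-browsing"), ("10.1.9.9", "ssh")]:
        print(f"{src:>10} {app:<13} longest-prefix={evaluate_longest_prefix(POLICY, src, app)} "
              f"top-down={evaluate_top_down(POLICY, src, app)}")
```

With the default mode, web-browsing from 10.1.2.5 lands only on admin-jump-hosts and is denied even though campus-generic would allow it; with top-down evaluation the narrow rule is passed over because it does not fully match, and campus-generic allows the session. The same run also shows why the specific rule belongs on top: a broad rule placed first would fully match any packet whose application it permits and the narrower rule below it would never be reached for that traffic.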