Best Practices for Ordering Rules
General guidelines:
-
In general, place top-priority rules that must apply to all traffic near the top of the policy.
-
Specific rules should come before general rules, especially when the specific rules are exceptions to general rules.
Otherwise, traffic will match the general rule first and never hit the applicable specific rule.
-
Rules that drop traffic based on layer-3/4 criteria only (such as IP address, security zone, and port number) should come as early as possible. Rules based on these criteria do not require inspection to identify matching connections.
-
Whenever possible, put specific drop rules near the top of the policy. This ensures the earliest possible decision on undesirable traffic.
-
URL filtering, application-based, and geolocation-based rules and others that require inspection should come after rules that drop traffic based on layer-3/4 criteria only (such as IP address, security zone, and port number), but before rules that specify file and intrusion policies.
-
Put URL filtering rules above application rules, and follow application rules with micro-application rules and Common Industrial Protocol (CIP) sub-classification application filtering rules.
-
Rules that specify file policies and intrusion policies should come at the bottom of the rule order. These rules require resource-intensive deep inspection, and you should eliminate as many threats as possible using less-intensive methods first, for performance reasons, in order to minimize the number of potential threats that require deep inspection.
-
Always order rules to suit your organization's needs.
Exceptions and additions to the above guidelines are noted in the sections below.