Rule actions and rule order

A rule's action determines how the system handles matching traffic. Improve performance by placing rules that neither perform nor trigger further traffic handling before the resource-intensive rules that do. The system can then divert matching traffic before it reaches inspection it would otherwise have received.

The following examples show how you might order rules in various policies, given a set of rules where none is more critical and preemption is not an issue.

If your rules include application conditions, also see Choosing between application matching and port matching.

Optimum order for access control rules

Intrusion, file, and malware inspection requires resources, especially if you use multiple custom intrusion policies and variable sets. Place access control rules that invoke deep inspection last.

  1. Monitor—Rules that log matching connections, but take no other action on traffic. (However, see the important exception and caveat at Access Control Rule Monitor Action.)

  2. Trust, Block, Block with reset—Rules that handle traffic without further inspection.

  3. Allow, Interactive Block (no deep inspection)—Rules that do not inspect traffic further, but allow discovery.

  4. Allow, Interactive Block (deep inspection)—Rules associated with file or intrusion policies that perform deep inspection for prohibited files, malware, and exploits.

Optimum order for Decryption rules

Not only does decryption require resources, but so does further analysis of the decrypted traffic. Place rules that decrypt traffic last.

  1. Monitor—Rules that log matching connections, but take no other action on traffic.

  2. Block, Block with reset—Rules that block traffic without further inspection.

  3. Do not decrypt—Rules that do not decrypt encrypted traffic, passing the encrypted session to access control rules. The payloads of these sessions are not subject to deep inspection.

  4. Decrypt - Known Key—Rules that decrypt incoming traffic with a known private key.

  5. Decrypt - Resign—Rules that decrypt outgoing traffic by re-signing the server certificate.
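The two orderings above can be checked mechanically. The following is an added example, not code from Cisco or from this documentation: a small Python linter that assigns each rule a cost tier from the access control and decryption orderings listed above, reports rules that sit ahead of cheaper ones, and produces a cheapest-first reordering. The `Rule` class, the `deep_inspection` flag (standing in for an attached file or intrusion policy), and the sample rule names are assumptions constructed for the example. As the text notes, reordering is only safe when the rules do not overlap in a way that makes one more critical than another; the example does not model rule overlap.

```python
"""Rule-order linter for access control and decryption rules.

Added example, not part of the original documentation. Tier numbers follow
the "Optimum order" lists above: a lower tier is cheaper and should come
first. The Rule class and sample rules are constructed for this example.
"""
from dataclasses import dataclass

# Access control actions by cost tier (Allow / Interactive Block move to
# tier 4 when a file or intrusion policy performs deep inspection).
ACCESS_CONTROL_TIER = {
    "Monitor": 1,
    "Trust": 2, "Block": 2, "Block with reset": 2,
    "Allow": 3, "Interactive Block": 3,
}

# Decryption actions by cost tier, cheapest first.
DECRYPTION_TIER = {
    "Monitor": 1,
    "Block": 2, "Block with reset": 2,
    "Do not decrypt": 3,
    "Decrypt - Known Key": 4,
    "Decrypt - Resign": 5,
}


@dataclass(frozen=True)
class Rule:
    name: str
    action: str
    deep_inspection: bool = False  # assumed flag: file/intrusion policy attached


def access_control_tier(rule: Rule) -> int:
    """Cost tier of an access control rule; raises on unknown actions."""
    if rule.action not in ACCESS_CONTROL_TIER:
        raise ValueError(f"unknown access control action: {rule.action!r}")
    tier = ACCESS_CONTROL_TIER[rule.action]
    if rule.deep_inspection and rule.action in ("Allow", "Interactive Block"):
        tier = 4
    return tier


def decryption_tier(rule: Rule) -> int:
    """Cost tier of a decryption rule; raises on unknown actions."""
    if rule.action not in DECRYPTION_TIER:
        raise ValueError(f"unknown decryption action: {rule.action!r}")
    return DECRYPTION_TIER[rule.action]


def find_misordered(rules, tier_fn):
    """Return (expensive, cheaper) name pairs where a costlier rule precedes
    a cheaper one. An empty list means the list already follows the order."""
    findings = []
    for i, earlier in enumerate(rules):
        for later in rules[i + 1:]:
            if tier_fn(later) < tier_fn(earlier):
                findings.append((earlier.name, later.name))
    return findings


def reorder(rules, tier_fn):
    """Cheapest-first ordering. The sort is stable, so rules in the same
    tier keep their existing relative order (that order still decides
    which of them matches first)."""
    return sorted(rules, key=tier_fn)


# Constructed sample policies, deliberately in a poor order.
SAMPLE_ACCESS_RULES = [
    Rule("allow-ips", "Allow", deep_inspection=True),
    Rule("trust-backup", "Trust"),
    Rule("log-all", "Monitor"),
    Rule("block-bad", "Block with reset"),
]
SAMPLE_DECRYPTION_RULES = [
    Rule("resign-outbound", "Decrypt - Resign"),
    Rule("known-key-inbound", "Decrypt - Known Key"),
    Rule("no-decrypt-banking", "Do not decrypt"),
    Rule("log-tls", "Monitor"),
]

if __name__ == "__main__":
    for label, rules, fn in (
        ("access control", SAMPLE_ACCESS_RULES, access_control_tier),
        ("decryption", SAMPLE_DECRYPTION_RULES, decryption_tier),
    ):
        print(f"{label} rules ahead of cheaper ones:")
        for expensive, cheaper in find_misordered(rules, fn):
            print(f"  {expensive} precedes {cheaper}")
        print("  suggested order:", [r.name for r in reorder(rules, fn)])
```

Running the script lists every rule that precedes a cheaper one and then the suggested order; feeding the suggested order back into `find_misordered` returns nothing, which is the property to check after any manual reshuffle of a policy.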