Best Practices for Access Control Rules

- Make sure you have these rules:
  - Stealth rule that prevents direct access to the Security Gateway.
  - Cleanup rule that drops all traffic that is not allowed by the earlier rules in the policy.
- Use Layers to add structure and hierarchy of rules in the Rule Base:
  - Add all rules that are based only on source and destination IP addresses and ports in a Firewall/Network Ordered Layer at the top of the Rule Base.
  - Create Firewall/Network rules to explicitly accept safe traffic, and add an explicit cleanup rule at the bottom of the Ordered Layer to drop everything else.
  - Create an Application Control Ordered Layer after the Firewall/Network Ordered Layer. Add rules to explicitly drop unwanted or unsafe traffic. Add an explicit cleanup rule at the bottom of the Ordered Layer to accept everything else.
    Alternatively, put Application Control rules in an Inline Layer as part of the Firewall/Network rules. In the parent rule of the Inline Layer, define the Source and Destination.
  - Share Ordered Layers and Inline Layers when possible.
  - For Security Gateways R80.10 and higher: If you have one Ordered Layer for Firewall/Network rules and another Ordered Layer for Application Control, add all rules that examine applications, Data Type, or Mobile Access elements to the Application Control Ordered Layer, or to an Ordered Layer after it.
- Turn off XFF inspection, unless the Security Gateway is behind a proxy server. For more information, see sk92839.
- Disable a rule while you work on it, and enable it when you want to use it. Disabled rules do not affect the performance of the Security Gateway. To disable a rule, right-click in the No column of the rule and select Disable.
Best Practices for Efficient Rule Matching

- Place rules that check the source, destination, and port (network rules) higher in the Rule Base.
  Reason: Network rules are matched sooner and turn on fewer inspection engines.
- Place rules that check applications and content (Data Types) below network rules.
- Do not define a rule with Any in the Source and in the Destination together with an Application or a Data Type. For example, these rules are not recommended:
  Instead, define one of these recommended rules:
  Reason for 2 and 3: Application Control and Content Awareness rules require content inspection. Therefore, they:
  - Allow the connection until the Security Gateway has inspected the connection header and body.
  - May affect performance.
- For rules with Data Types: Place rules that check File Types higher in the Rule Base than rules that check for Content Types. See Content Column.
  Reason: File Types are matched sooner than Content Types.
- Do not use Application Control and URL Filtering in the same rule; this may lead to wrong rule matching. Use Application Control and URL Filtering in separate rules. This makes sure that the URL Filtering rule is used as soon as the category is identified. For more information, see sk174045.

To see examples of some of these best practices, see Use Cases for the Unified Rule Base and Creating a Basic Access Control Policy.
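The following linter is an added example, not part of the Check Point guide or its Management API: it models a rule base as a list of plain dicts (constructed sample data, with hypothetical field names such as `application`, `data_type` and `url_category`) and reports rules that break the practices above: a missing stealth or cleanup rule, Any/Any rules that inspect applications or Data Types, network rules placed below content rules, and Application Control mixed with URL Filtering in one rule.

```python
ANY = "Any"

def is_cleanup(rule):
    """Explicit cleanup rule: Any source/destination/service, Drop, no content match."""
    return (rule["source"] == ANY and rule["destination"] == ANY
            and rule["service"] == ANY and rule["action"] == "Drop"
            and not rule.get("application") and not rule.get("data_type"))

def is_stealth(rule, gateway):
    """Stealth rule: drops traffic addressed directly to the gateway object."""
    return rule["destination"] == gateway and rule["action"] == "Drop"

def lint_rule_base(rules, gateway="Gateway"):
    """Return a list of findings (empty list means no best-practice issue found)."""
    findings = []
    has_cleanup = bool(rules) and is_cleanup(rules[-1])
    if not has_cleanup:
        findings.append("no explicit cleanup rule at the bottom of the layer")
    if not any(is_stealth(r, gateway) for r in rules):
        findings.append("no stealth rule protecting the Security Gateway")
    seen_content_rule = False
    # The trailing cleanup rule is Any/Any by design, so it is not ordering-checked.
    for r in rules[:-1] if has_cleanup else rules:
        if r.get("application") or r.get("data_type"):
            seen_content_rule = True
            if r["source"] == ANY and r["destination"] == ANY:
                findings.append(f"rule {r['no']}: Any/Any with an application or Data Type")
            if r.get("application") and r.get("url_category"):
                findings.append(f"rule {r['no']}: Application Control and URL Filtering in one rule")
        elif seen_content_rule:
            findings.append(f"rule {r['no']}: network rule placed below a content rule")
    return findings

# Constructed sample rule base (object names are placeholders, not real policy objects).
RULE_BASE = [
    {"no": 1, "source": ANY, "destination": "Gateway", "service": ANY, "action": "Drop"},
    {"no": 2, "source": "Internal_Net", "destination": ANY, "service": "https", "action": "Accept"},
    {"no": 3, "source": ANY, "destination": ANY, "service": ANY,
     "application": "Social_Networking", "action": "Drop"},
    {"no": 4, "source": "Internal_Net", "destination": ANY, "service": ANY,
     "application": "File_Sharing", "url_category": "File_Storage", "action": "Drop"},
    {"no": 5, "source": ANY, "destination": ANY, "service": ANY, "action": "Drop"},
]

if __name__ == "__main__":
    for finding in lint_rule_base(RULE_BASE):
        print(finding)
```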