ytlpsnet
New Member
August 29, 2016
Question

What is the best practice for deny rules? On top or On bottom?

  • August 29, 2016
  • 1 reply
  • 5246 views

Hi, we have a couple of deny rules that deny certain IP addresses (a lot of them) and services, for example from trust to untrust, and then deny and log. So we wonder if putting that rule on top will cause more memory to be used, or whether we should put it on the bottom?


    MikePruett
    New Member
    August 29, 2016

    I place my blocks at the top. Would rather have them filtered out and removed before they even get to the UTM side of things.

    ede_pfau
    SuperUser
    August 29, 2016

    To do it predictably and robustly (?) you order policies from most specific to least specific. That is, if your deny rule is 'all services from all to all', putting it on top of the list will block everything, even trusted traffic. OTOH, if you put 'deny traffic for service xyz from source abc to destination ghi' at the end while there is a more common policy above allowing this (among other traffic), you won't see any effect.

    So, in short, policies with the most specific specifiers on top, and the more general the specs are, the lower in the list.


    @Mike can put DENY policies on top of his list with good results probably because DENY policies are often very specific - one single service, one single evil host etc. Just to counter the impression that grouping DENY and ACCEPT policies is a cosmetic issue only.
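The first-match ordering ede_pfau describes, as an added example that is not part of this thread or of any firewall vendor's code: a small policy evaluator plus a shadow check that flags a lower policy whose traffic a broader policy above it already decides. Policy names, addresses and services are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Policy:
    name: str
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    service: str  # e.g. "tcp/22" or "any"
    action: str   # "accept" or "deny"


def _in(ip, spec):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)


def _covers(wide, narrow):
    """True if every address in 'narrow' is also in 'wide'."""
    if wide == "any":
        return True
    if narrow == "any":
        return False
    return ipaddress.ip_network(narrow).subnet_of(ipaddress.ip_network(wide))


def evaluate(policies, src, dst, service):
    """First match wins, top to bottom; unmatched traffic hits the implicit deny."""
    for p in policies:
        if _in(src, p.src) and _in(dst, p.dst) and p.service in ("any", service):
            return p.action, p.name
    return "deny", "implicit-deny"


def shadowed(policies):
    """(lower policy, upper policy) pairs where the upper one already decides all of the lower one's traffic."""
    hits = []
    for i, p in enumerate(policies):
        for q in policies[:i]:
            if _covers(q.src, p.src) and _covers(q.dst, p.dst) and q.service in ("any", p.service):
                hits.append((p.name, q.name))
                break
    return hits


# Constructed sample policies (names and addresses are made up for this example)
DENY_ALL = Policy("deny-all", "any", "any", "any", "deny")
ALLOW_TRUST = Policy("trust-to-untrust", "10.0.0.0/8", "any", "any", "accept")
DENY_XYZ = Policy("deny-xyz", "10.1.1.5/32", "198.51.100.10/32", "tcp/22", "deny")
BLOCK_HOST = Policy("block-evil-host", "203.0.113.7/32", "any", "any", "deny")

if __name__ == "__main__":
    print(evaluate([DENY_ALL, ALLOW_TRUST], "10.1.2.3", "198.51.100.20", "tcp/80"))  # broad deny on top blocks trusted traffic
    print(evaluate([ALLOW_TRUST, DENY_XYZ], "10.1.1.5", "198.51.100.10", "tcp/22"))  # specific deny below a general accept: no effect
    print(shadowed([ALLOW_TRUST, DENY_XYZ]))  # deny-xyz is shadowed by trust-to-untrust
    print(evaluate([BLOCK_HOST, ALLOW_TRUST], "203.0.113.7", "198.51.100.20", "tcp/80"))  # specific deny on top works
```

Running `shadowed()` over an exported policy list is a quick way to find deny policies that, as placed, never match anything.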