PAN-OS: Differentiating Pre-Rules, Local Rules, Default Rules, and Post-Rules

PCNSE Objective Focus (Domain 4 - 18%)

4.2 Configure device groups

Introduction: Policy Evaluation Order Matters

When managing firewalls with Panorama, understanding the precise order in which different types of policy rules are evaluated is absolutely critical for ensuring correct traffic handling and security enforcement. A firewall managed by Panorama effectively combines rules from multiple sources:

Panorama provides structure through Pre-rules and Post-rules within Device Groups and Shared scope to control precedence. This guide differentiates the use cases for each rule type within this evaluation hierarchy.

Overall Rule Evaluation Order (Firewall Perspective)

When a packet requiring a policy decision hits a Panorama-managed firewall, the rules are checked in this strict order across *all applicable policy types* (Security, NAT, Decryption, QoS, PBF, etc., although Default rules are specific to Security Policy):

    graph TD
        Start[Packet Arrives] --> SharedPre(Shared Pre-Rules);
        SharedPre --> ParentPre(Parent DG Pre-Rules<br/>Top-down in Hierarchy);
        ParentPre --> ChildPre(Child DG Pre-Rules);
        ChildPre --> LocalFW(Local Firewall Rules);
        LocalFW --> ChildPost(Child DG Post-Rules);
        ChildPost --> ParentPost(Parent DG Post-Rules<br/>Bottom-up in Hierarchy);
        ParentPost --> SharedPost(Shared Post-Rules);
        SharedPost --> DefaultSec(Default Security Rules<br/>Intra/Interzone - For Security Policy ONLY);
        DefaultSec --> FinalAction[Final Action Determined];
        SharedPre -- First Match --> FinalAction;
        ParentPre -- First Match --> FinalAction;
        ChildPre -- First Match --> FinalAction;
        LocalFW -- First Match --> FinalAction;
        ChildPost -- First Match --> FinalAction;
        ParentPost -- First Match --> FinalAction;
        SharedPost -- First Match --> FinalAction;
        style Start fill:#e9ecef,stroke:#adb5bd
        style FinalAction fill:#e9ecef,stroke:#adb5bd
        style LocalFW fill:#fdebd0,stroke:#f5b041,stroke-width:2px
        style DefaultSec fill:#eaf2f8,stroke:#aed6f1,stroke-width:2px

Firewall Policy Evaluation Order (Simplified). The first rule matched determines the action.
  1. Shared Pre-rules
  2. Parent Device Group Pre-rules (processed from highest ancestor down to immediate parent)
  3. Child Device Group Pre-rules (the specific group the firewall belongs to)
  4. Local Firewall Rules (if any exist and are not overridden)
  5. Child Device Group Post-rules
  6. Parent Device Group Post-rules (processed from immediate parent up to highest ancestor)
  7. Shared Post-rules
  8. Default Security Rules (ONLY for Security Policy lookup if no prior rule matched)

The first rule in this sequence that matches the traffic determines the action taken. No further rules *in that specific policy type* (e.g., Security) are evaluated for that session.
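The ordering above can be checked mechanically. The following is an added example (not Palo Alto Networks or Panorama code): a small first-match simulator that flattens a constructed Shared -> parent DG -> child DG -> local hierarchy into the evaluation sequence listed above and falls through to the implicit intrazone/interzone defaults when nothing matches. Rule names, zones and the `Rule`/`DeviceGroup` classes are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    """One policy rule; 'any' in a field matches everything (constructed model)."""
    name: str
    action: str  # "allow" or "deny"
    src_zone: str = "any"
    dst_zone: str = "any"
    app: str = "any"

    def matches(self, src_zone, dst_zone, app):
        pairs = ((self.src_zone, src_zone), (self.dst_zone, dst_zone), (self.app, app))
        return all(want in ("any", got) for want, got in pairs)

@dataclass
class DeviceGroup:
    """Shared scope or a Device Group: a Pre-rule list and a Post-rule list."""
    name: str
    pre: list = field(default_factory=list)
    post: list = field(default_factory=list)

def ordered_rulebase(shared, dg_chain, local_rules):
    """Flatten into firewall evaluation order. dg_chain is parent-first ([parent, ..., child])."""
    seq = list(shared.pre)
    for dg in dg_chain:                # Pre-rules: top of hierarchy down to the child DG
        seq += dg.pre
    seq += local_rules                 # Local firewall rules sit in the middle
    for dg in reversed(dg_chain):      # Post-rules: child DG back up to the top
        seq += dg.post
    seq += shared.post
    return seq

def evaluate(seq, src_zone, dst_zone, app):
    """First match wins; fall through to the implicit Security Policy default rules."""
    for rule in seq:
        if rule.matches(src_zone, dst_zone, app):
            return rule.name, rule.action
    if src_zone == dst_zone:
        return "intrazone-default", "allow"
    return "interzone-default", "deny"

# Constructed hierarchy: Shared -> Corp (parent DG) -> Branch (child DG) -> local rules
SHARED = DeviceGroup("Shared", pre=[Rule("block-tor", "deny", app="tor")],
                     post=[Rule("cleanup-deny-log", "deny")])
CORP = DeviceGroup("Corp", post=[Rule("fallback-web", "allow", "Trust", "Untrust", "web-browsing")])
BRANCH = DeviceGroup("Branch", pre=[Rule("allow-dns", "allow", app="dns")])
LOCAL = [Rule("tshoot-allow-ssh", "allow", "Trust", "DMZ", "ssh")]
RULEBASE = ordered_rulebase(SHARED, [CORP, BRANCH], LOCAL)
```

Passing an empty sequence to `evaluate` shows what the firewall does when no configured rule matches: same-zone traffic hits `intrazone-default` (allow) and cross-zone traffic hits `interzone-default` (deny).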

1. Pre-Rules (Panorama Shared / Device Group)

Definition:

Rules configured in the "Pre Rules" section within Panorama's Shared scope or any Device Group.

Evaluation Point:

FIRST - Before any Local Firewall rules and before any Post-rules.

Primary Use Cases:

Characteristics:

2. Local Firewall Rules

Definition:

Policy rules configured directly on the individual firewall's GUI or CLI, *not* pushed from Panorama Templates or Device Groups.

Evaluation Point:

MIDDLE - After ALL Pre-rules (from Shared down to the Child DG) have been evaluated, but before ANY Post-rules are evaluated.

Primary Use Cases:

Characteristics:

3. Default Security Rules

Definition:

Two implicit, non-configurable rules that exist at the very bottom of the Security Policy rulebase only.

Evaluation Point:

ABSOLUTE LAST (for Security Policy) - Only evaluated if NO other Security Policy rule (Shared Pre, DG Pre, Local, Child DG Post, Parent DG Post, Shared Post) matches the traffic.

Rules & Actions:

Primary Use Cases:

Characteristics:

4. Post-Rules (Panorama Shared / Device Group)

Definition:

Rules configured in the "Post Rules" section within Panorama's Shared scope or any Device Group.

Evaluation Point:

LATE - After all Pre-rules and Local Firewall rules, but before the Default Security rules.

Primary Use Cases:

Characteristics:

Comparison Summary

Rule Type Use Case Comparison

| Rule Type | Evaluation Point | Primary Use Case | Managed Via |
|---|---|---|---|
| Pre-Rule (DG/Shared) | Early (Before Local) | Global blocks, universal infrastructure allows, high-precedence enforcement | Panorama |
| Local Rule | Middle (After Pre, Before Post) | Device-specific exceptions, troubleshooting (use with caution) | Firewall GUI/CLI |
| Post-Rule (DG/Shared) | Late (After Local, Before Default) | Cleanup rules (explicit deny all w/ logging), broad/fallback allow rules | Panorama |
| Default Rule (Security Only) | Absolute Last | Implicit allow within zone, implicit deny between zones (if no other rule matches) | Built-in (Not Configurable) |

PCNSE Exam Focus

For the PCNSE exam, make sure you can:

Policy Rule Order Quiz

1. In a Panorama-managed firewall, which set of rules is evaluated FIRST for a new session?

The evaluation starts at the highest level (Shared) with the Pre-rules.

2. What is the primary purpose of configuring rules in the Post-rule section of a Device Group?

Post-rules are evaluated late in the sequence (before Default Security rules), making them ideal for explicit cleanup actions or broad fallback policies.

3. What is the action of the implicit `interzone-default` Security Policy rule?

The `interzone-default` rule, evaluated last for Security Policy, denies traffic flowing between different security zones if no other rule explicitly allows it.

4. If a specific "Allow" rule exists in the Local Firewall configuration, can it be blocked by a "Deny" rule configured in the Post-rules section of its Device Group?

The evaluation order is strict: Pre-rules -> Local Rules -> Post-rules. If a Local rule allows traffic, but a subsequent Post-rule (from the Child DG, Parent DGs, or Shared) matches and denies it, the traffic will be denied.

5. Which rule type is typically used to implement a universal block for known malicious domains using an EDL across all managed firewalls?

To ensure a block applies universally and takes precedence early, configuring it in the Pre-rules section of the Shared scope is the most appropriate location.

6. What is the action of the implicit `intrazone-default` Security Policy rule?

The `intrazone-default` rule allows traffic flowing within the same security zone (e.g., Trust to Trust) if no other explicit rule matches it.

7. An administrator adds a rule directly to a firewall managed by Panorama for temporary troubleshooting. Where does this rule fit in the evaluation order?

Local firewall rules sit between the Pre-rule evaluation block and the Post-rule evaluation block.

8. Why is enabling logging on an explicit "deny any any" rule in the Post-rules section considered a best practice?

The implicit default rules do not log matches. An explicit deny rule in the Post-rules allows you to enable logging, providing valuable visibility into traffic that is being dropped because it wasn't explicitly allowed by rules higher up.

9. A Security Policy rule allowing 'web-browsing' is placed in the Post-rules section of a Device Group. When will this rule apply?

Placing broad allow rules like general web browsing in Post-rules acts as a fallback. It allows the traffic only if more specific rules (potentially allowing or denying specific web apps or categories) placed earlier in the evaluation sequence (Pre or Local) did not match.

10. Do the Default Security rules (`intrazone-default`, `interzone-default`) apply to NAT Policy evaluation?

The intrazone/interzone default rules are implicit actions specifically for the *Security Policy* rulebase. Other policy types like NAT, Decryption, QoS, etc., have their own evaluation logic and do not use these specific default rules.
