Evaluation order of Panorama-pushed security policies
Resolution
Pre-rules—Rules that are added to the top of the rule order and are evaluated first. You can use pre-rules
to enforce the Acceptable Use Policy for an organization; for example, to block access to specific URL
categories, or to allow DNS traffic for all users. Pre-rules can be of two types: Shared pre-rules that are
shared across all managed devices and Device Groups, and Device Group pre-rules that are specific to a
Device Group.
Post-rules—Rules that are added at the bottom of the rule order and are evaluated after the pre-rules and
the rules locally defined on the device. Post-rules typically include rules to deny access to traffic based on
the App-ID, User-ID, or Service. Like pre-rules, post-rules are also of two types: Shared post-rules that are
shared across all managed devices and Device Groups, and Device Group post-rules that are specific to a
Device Group.
The evaluation order of the rules is:
1. Pre-rules (shared and Device Group pre-rules pushed from Panorama)
2. Local rules defined on the firewall itself
3. Post-rules (Device Group and shared post-rules pushed from Panorama)
When the traffic matches a policy rule, the defined action is triggered and all subsequent policies are disregarded.
This ability to layer policies creates a hierarchy of rules in which local policies sit between the pre- and
post-rules and can be edited by switching to the local firewall context, or by accessing the device locally. This
cascade of rules is visually demarcated for each device group (and managed device), which makes it easier to
scan through a large number of rules.
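The following is an added example, not code from the Palo Alto Networks article, that simulates how a managed firewall merges pre-rules, local rules and post-rules into one ordered rulebase and evaluates it first-match-wins. The rule fields, the sample rules and the ordering of shared before Device Group rules within the pre-rule layer (and the reverse within the post-rule layer) are assumptions made for this illustration; real matching on zones, addresses, App-ID and User-ID is far richer.

```python
# Added example: layered first-match evaluation in the Panorama style.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    layer: str          # "shared-pre", "dg-pre", "local", "dg-post", "shared-post"
    app: str            # App-ID to match; "any" is a wildcard
    url_category: str   # URL category to match; "any" is a wildcard
    action: str         # "allow" or "deny"

# Assumed evaluation order of the layers on a managed firewall:
# pre-rules first, then local rules, then post-rules.
LAYER_ORDER = ["shared-pre", "dg-pre", "local", "dg-post", "shared-post"]

def merged_rulebase(rules):
    """Return rules in evaluation order; order within a layer is preserved."""
    return [r for layer in LAYER_ORDER for r in rules if r.layer == layer]

def matches(rule, app, url_category):
    return rule.app in ("any", app) and rule.url_category in ("any", url_category)

def evaluate(rules, app, url_category, default="deny"):
    """First matching rule wins; every later rule is disregarded."""
    for rule in merged_rulebase(rules):
        if matches(rule, app, url_category):
            return rule.name, rule.action
    return "default", default

def shadowed(rules):
    """Rules that can never fire because an earlier rule in the merged order
    matches everything they would match. A rulebase-hygiene check added
    here, not a Panorama feature."""
    ordered = merged_rulebase(rules)
    return [r.name for i, r in enumerate(ordered)
            if any(matches(e, r.app, r.url_category) for e in ordered[:i])]

# Constructed sample rulebase. The list is deliberately out of layer order
# to show that merged_rulebase(), not list position, decides precedence.
SAMPLE_RULES = [
    Rule("local-allow-all", "local", "any", "any", "allow"),
    Rule("shared-pre-block-gambling", "shared-pre", "web-browsing", "gambling", "deny"),
    Rule("shared-pre-allow-dns", "shared-pre", "dns", "any", "allow"),
    Rule("dg-post-deny-bittorrent", "dg-post", "bittorrent", "any", "deny"),
]
```

Running `evaluate(SAMPLE_RULES, "bittorrent", "any")` returns the local allow, showing that a permissive local rule silently shadows a Device Group post-rule, which `shadowed(SAMPLE_RULES)` reports.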
Pre-rules and post-rules pushed from Panorama can be viewed on the managed firewalls, but they can only be
edited in Panorama. Local device rules can be edited by either the local administrator or a Panorama
administrator who has switched to a local firewall context.