Evaluation order of panorama pushed security policies

Pre-rules—Rules that are added to the top of the rule order and are evaluated first. You can use pre-rules

to enforce the Acceptable Use Policy for an organization; for example, to block access to specific URL

categories, or to allow DNS traffic for all users. Pre-rules can be of two types: Shared pre-rules that are

shared across all managed devices and Device Groups, and Device Group pre-rules that are specific to a

Device Group.

Post-rules—Rules that are added at the bottom of the rule order and are evaluated after the pre-rules and

the rules locally defined on the device. Post-rules typically include rules to deny access to traffic based on

the App-ID, User-ID, or Service. Like pre-rules, post rules are also of two types: Shared post-rules that are

shared across all managed devices and Device Groups, and Device Group post-rules that are specific to a

Device Group

The evaluation order of the rules is:

When the traffic matches a policy rule, the defined action is triggered and all subsequent policies are disregarded.

This ability to layer policies, creates a hierarchy of rules where local policies are placed between the pre- and

post-rules, and can be edited by switching to the local firewall context, or by accessing the device locally. This

cascade of rules is visually demarcated for each device group (and managed device), and provides the ability to

scan through a large numbers of rules

Pre-rules and post-rules pushed from Panorama can be viewed on the managed firewalls, but they can only be

edited in Panorama. Local device rules can be edited by either the local administrator or a Panorama

administrator who has switched to a local firewall context.