Overview

Correct firewall rule design and ordering are critical for accurate traffic classification, predictable security behavior, and optimal performance in Versa NGFW. This article outlines best practices for ordering firewall rules and effectively combining Layer 3/4 and Layer 7 policies.

1. Rule Ordering: Specific Before General

    Firewall rules are evaluated top-down, and the first rule whose criteria match a flow is applied; no later rule is evaluated for that flow. Rule order therefore determines the policy outcome directly: a rule that is entirely covered by an earlier rule can never match.


    Best Practices

  • Place highly specific rules above more generic rules.

  • Application- or destination-specific allow rules should precede broader deny rules.

  • Avoid placing blanket deny rules too high in the list, as they will match (and block) legitimate traffic before the more specific allow rules below them are ever reached.

    Example

  • An explicit rule allowing GitHub traffic should be placed above a general rule denying HTTPS traffic.

  • This ensures GitHub traffic is matched and allowed before the broader deny condition is evaluated. If the order were reversed, the HTTPS deny would match every HTTPS flow, GitHub included, and the GitHub allow rule would be shadowed and never take effect.




2. No Requirement to Allow Entire Application Families

    Versa NGFW performs application-level inspection and does not require explicit permission for an entire application family when allowing a single application.


    Key Points

  • Policies are enforced based on the exact application identified, not the broader family.

  • Allowing one application does not implicitly allow other applications within the same family.

  • This enables granular control without over-permitting traffic.

    Example

  • If a rule allowing YouTube is placed above a rule denying HTTPS, the NGFW applies the YouTube-specific rule to YouTube flows and the HTTPS deny to all other HTTPS flows.

  • There is no requirement to allow the full YouTube application family for the rule to function; other applications in the same family remain subject to the HTTPS deny.



3. Balancing Layer 3/4 and Layer 7 Firewall Rules

     Versa firewall policies can match traffic at both the network/transport layer (L3/L4) and the application layer (L7). Proper placement of these rules improves efficiency and clarity.


     L3/L4 Rules

  • Match on IP addresses, ports, protocols, and zones.

  • Can be evaluated on the first packet of a flow, so no application identification is needed and they are cheaper to process.

  • Recommended for:

    • Infrastructure traffic

    • Broad allow/deny conditions

    • Performance-critical paths


     L7 Rules

  • Match based on application identification.

  • Require inspection beyond the first packet, because the application cannot be identified until enough of the session has been seen; an L7 rule therefore cannot be confirmed as a match on packet one.

  • Recommended when:

    • Application-level control is required

    • Differentiating traffic over the same port (e.g., HTTPS)




Best Practice Guidance

  • Place L3/L4 rules higher for traffic that can be fully decided on L3/L4 criteria (for example, infrastructure flows), so those flows are decided on the first packet without application identification.

  • Place L7 rules above any L3/L4 rule that would otherwise match the same traffic when application-level precision is required. An L3/L4 rule placed above an L7 rule on the same port (for example, a TCP/443 deny above an application-specific allow) matches first, and the L7 rule is never evaluated.

  • Design policies with a balance between speed (performance) and granularity (security accuracy): decide what you can on L3/L4 high in the list, and reserve L7 rules for the traffic that genuinely needs application-level differentiation.
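The following Python model is an added example, not Versa configuration or code from this article, that ties together the three points above: first-match ordering (section 1), exact-application matching rather than family matching (section 2), and which rules can be decided on the first packet versus deferred until application identification (section 3). Rule names, zone names, the application labels "github" and "gitlab", and the sample flows are constructed for illustration; the shadowing check only flags a rule fully covered by a single earlier rule, not cumulative coverage by several.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Rule fields set to None mean "any". `app` is the L7 criterion; a rule
# without it is a pure L3/L4 rule that can be decided on the first packet.
@dataclass(frozen=True)
class Rule:
    name: str
    action: str                   # "allow" or "deny"
    src_zone: Optional[str] = None
    proto: Optional[str] = None
    dst_port: Optional[int] = None
    app: Optional[str] = None     # exact application name, never a family

    def is_l7(self) -> bool:
        return self.app is not None

    def matches_l34(self, flow: "Flow") -> bool:
        return ((self.src_zone is None or self.src_zone == flow.src_zone)
                and (self.proto is None or self.proto == flow.proto)
                and (self.dst_port is None or self.dst_port == flow.dst_port))

    def matches(self, flow: "Flow") -> bool:
        # An L7 rule matches only the exact identified application; a flow whose
        # application is still unknown (app=None) cannot match an L7 rule.
        return self.matches_l34(flow) and (self.app is None or self.app == flow.app)


@dataclass(frozen=True)
class Flow:
    src_zone: str
    proto: str
    dst_port: int
    app: Optional[str] = None     # None until application identification completes


def first_match(rules: List[Rule], flow: Flow) -> Optional[Rule]:
    """Top-down, first-match evaluation of a fully classified flow."""
    for rule in rules:
        if rule.matches(flow):
            return rule
    return None                   # no explicit rule matched


def _covers(general: Rule, specific: Rule) -> bool:
    """True if every criterion of `general` is 'any' or equal to `specific`'s."""
    return all(g is None or g == s
               for g, s in ((general.src_zone, specific.src_zone),
                            (general.proto, specific.proto),
                            (general.dst_port, specific.dst_port),
                            (general.app, specific.app)))


def shadowed(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Rules that can never match because one earlier rule covers them entirely."""
    out = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if _covers(earlier, later):
                out.append((later.name, earlier.name))
                break
    return out


def first_packet_decision(rules: List[Rule], first_packet: Flow) -> Tuple[str, str]:
    """What the firewall can decide on packet one, before app-id has run.

    Returns ("decided", rule) when a pure L3/L4 rule matches before any L7 rule
    could apply, or ("defer", rule) at the first L7 rule whose L3/L4 part
    matches, since that rule cannot be ruled in or out until app-id completes.
    """
    for rule in rules:
        if not rule.matches_l34(first_packet):
            continue
        if rule.is_l7():
            return ("defer", rule.name)
        return ("decided", rule.name)
    return ("decided", "implicit-deny")


# Constructed sample rules (hypothetical names; not Versa configuration syntax).
DENY_HTTPS = Rule("deny-https", "deny", proto="tcp", dst_port=443)
ALLOW_GITHUB = Rule("allow-github", "allow", proto="tcp", dst_port=443, app="github")
ALLOW_DNS = Rule("allow-dns", "allow", src_zone="trust", proto="udp", dst_port=53)

BAD_ORDER = [DENY_HTTPS, ALLOW_GITHUB]             # general before specific
GOOD_ORDER = [ALLOW_DNS, ALLOW_GITHUB, DENY_HTTPS]  # L3/L4 infra first, then L7, then broad deny

# Constructed sample flows.
GITHUB = Flow("trust", "tcp", 443, app="github")
GITLAB = Flow("trust", "tcp", 443, app="gitlab")   # same port, different application
DNS = Flow("trust", "udp", 53)
HTTPS_FIRST_PACKET = Flow("trust", "tcp", 443)     # application not yet identified

if __name__ == "__main__":
    print("bad order, github flow  ->", first_match(BAD_ORDER, GITHUB).name)    # deny-https
    print("shadowed in bad order   ->", shadowed(BAD_ORDER))                     # allow-github by deny-https
    print("good order, github flow ->", first_match(GOOD_ORDER, GITHUB).name)   # allow-github
    print("good order, gitlab flow ->", first_match(GOOD_ORDER, GITLAB).name)   # deny-https (exact app only)
    print("dns on first packet     ->", first_packet_decision(GOOD_ORDER, DNS))
    print("https on first packet   ->", first_packet_decision(GOOD_ORDER, HTTPS_FIRST_PACKET))
```

Running `shadowed()` over a candidate rule set before pushing it is the cheapest way to catch the section 1 mistake (a specific allow below a broad deny), and `first_packet_decision()` shows the section 3 trade-off: the DNS flow is settled by the L3/L4 rule on packet one, while every TCP/443 flow is held for application identification because an L7 rule sits ahead of the HTTPS deny.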