Security Policy Precedence

Before configuring rules for the security policy, ensure you understand the precedence order that Infoblox Threat Defense uses to apply security policies. The precedence order determines the priority of the policy rules and security policies, and how the system evaluates them.

A security policy with precedence 1 has the highest priority in the evaluation. If you do not set a precedence for a policy, the system places that policy last in the precedence order. You can configure the precedence of each individual policy rule within a security policy, as well as the precedence of each security policy. Understand the ramifications of ranking one policy rule or policy above another before you do so.

Key Considerations for Configuring Policy Precedence:

  1. DNS Forwarding Proxy and External Network Policies:

    • If a DNS forwarding proxy resides in an external network and the policy for that external network has a higher precedence than the DNS forwarding proxy policy, the system applies the external network policy.

    • To apply the DNS forwarding proxy policy, place it at a higher precedence than the external network policy.

  2. System Upgrade and Policy Changes:

    • During a system upgrade, the system may create additional policies where the precedence feature would otherwise cause a different DNS security policy to be referenced than before the upgrade. These additional policies keep the effective policy behavior the same as before the upgrade.

    • Additional policies are created when a customer account has multiple policies associated with both Infoblox Endpoint groups and external networks, or multiple policies associated with both DNS forwarding proxies and external networks. The upgrade procedure automatically clones a subset of these policies into new policies that are associated with external networks only. The new policies are named according to the following scheme: <original policy name>-networks-only.

  3. Policy Using Tags:

    • When a custom policy's network scope is defined by tags, the Default Global Policy continues to apply if its precedence is higher than that of the custom policy. For a tag-scoped custom policy to take effect, give it a higher precedence than the Default Global Policy. For information on applying tags to Infoblox Threat Defense objects, see Applying Tags.

Recommended Precedence Order

Infoblox Threat Defense enforces security policies based on an ascending precedence order, where the policy rule with the lowest precedence number (1) has the highest priority in the evaluation process. This precedence order determines how security policy rules are executed.

Recommended Precedence Order for Executing Rules:

  1. Default Lists

  2. Custom Lists

  3. Feeds and Threat Insights

  4. Category Filters

  5. Application Filters

Although this order is recommended, organizations have the flexibility to define and modify the precedence order to meet their specific security requirements.
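The following Python model is an added example, not Infoblox code, and makes no use of the Infoblox API. It reduces the behavior described in the Key Considerations above and in the Recommended Precedence Order to two functions: selecting which policy applies to a query source that falls into several scopes (external network, DNS forwarding proxy, tag, global), and evaluating the rules inside the selected policy in precedence order. The scope labels (network:..., proxy:..., tag:...), the policy and rule names, the precedence value 5 for the Default Global Policy, and the domain names are all constructed for the example. The rule-order scenario shows why the recommended order places Custom Lists ahead of Feeds: a custom allow list can override a feed entry only if it is ranked above the feed rule.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Optional


@dataclass
class Rule:
    name: str
    kind: str                       # default_list, custom_list, feed, category, application
    action: str                     # "allow" or "block"
    pattern: str                    # glob over the queried name, e.g. "*.example.test"
    precedence: Optional[int] = None


@dataclass
class Policy:
    name: str
    scopes: frozenset               # hypothetical scope labels, e.g. "network:203.0.113.0/24"
    rules: list = field(default_factory=list)
    precedence: Optional[int] = None


def precedence_key(item):
    """Lower number first; an item with no precedence ranks after every explicitly ranked one."""
    return (item.precedence is None, item.precedence if item.precedence is not None else 0)


def select_policy(policies, source_scopes):
    """Pick the applicable policy for a query source that may fall into several scopes."""
    candidates = [p for p in policies if p.scopes & source_scopes]
    return min(candidates, key=precedence_key) if candidates else None


def evaluate(policy, qname):
    """Evaluate a policy's rules in precedence order; the first matching rule decides."""
    for rule in sorted(policy.rules, key=precedence_key):
        if fnmatchcase(qname, rule.pattern):
            return rule.action, rule.name
    return None, None  # no rule matched; the page does not define a fallback, so report none


# --- Consideration 1: a DNS forwarding proxy that resides in an external network ---
def proxy_scenario(network_precedence, proxy_precedence):
    ext_net = Policy("branch-network", frozenset({"network:203.0.113.0/24"}),
                     precedence=network_precedence)
    dfp = Policy("branch-dfp", frozenset({"proxy:dfp-branch-1"}), precedence=proxy_precedence)
    # A query relayed by dfp-branch-1, whose address lies in 203.0.113.0/24, matches both scopes.
    source = frozenset({"network:203.0.113.0/24", "proxy:dfp-branch-1"})
    return select_policy([ext_net, dfp], source).name


# --- Consideration 3: a tag-scoped custom policy versus the Default Global Policy ---
def tag_scenario(custom_precedence):
    default_global = Policy("Default Global Policy", frozenset({"global"}), precedence=5)
    by_tag = Policy("prod-by-tag", frozenset({"tag:env=prod"}), precedence=custom_precedence)
    source = frozenset({"global", "tag:env=prod"})
    return select_policy([default_global, by_tag], source).name


# --- Rule order inside one policy: custom list before feed, or the reverse ---
def rule_order_scenario(custom_list_precedence, feed_precedence):
    policy = Policy("rule-order-demo", frozenset({"global"}))
    policy.rules = [
        # Constructed feed entry: a threat feed lists this name as malicious.
        Rule("threat-feed", "feed", "block", "cdn.example.test", precedence=feed_precedence),
        # Constructed custom allow list: the team has judged the feed entry a false positive.
        Rule("allow-cdn", "custom_list", "allow", "cdn.example.test",
             precedence=custom_list_precedence),
        Rule("gambling-category", "category", "block", "*.bet.test", precedence=10),
    ]
    return evaluate(policy, "cdn.example.test")


if __name__ == "__main__":
    print(proxy_scenario(network_precedence=1, proxy_precedence=2))   # branch-network
    print(proxy_scenario(network_precedence=2, proxy_precedence=1))   # branch-dfp
    print(tag_scenario(custom_precedence=None))                       # Default Global Policy
    print(tag_scenario(custom_precedence=1))                          # prod-by-tag
    print(rule_order_scenario(custom_list_precedence=2, feed_precedence=3))  # ('allow', 'allow-cdn')
    print(rule_order_scenario(custom_list_precedence=3, feed_precedence=2))  # ('block', 'threat-feed')
```

The only ordering assumption beyond the page is encoded in precedence_key: an unset precedence sorts after every explicit one, which is what the page states for policies and is applied here to rules as well. Before changing a precedence in production, run the query you care about through the selected policy's rule list in this order and confirm that the rule you expect is the first match.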

Importance of Setting Precedence Order:

Configurable precedence order gives you control over how policy rules are evaluated. Before ranking one policy rule or policy above another, understand the implications for every network that policy covers, so that the resulting behavior is the one you intend. Keep precedence order in mind whenever you create rules for a security policy.

For additional information about setting precedence order, see Adding Policy Rules and Setting Precedence.