
Security Policy Precedence

Before you configure rules for the security policy, ensure that you understand the precedence order that Infoblox Threat Defense uses to apply security policies. The precedence order determines the priority of the policy rules and security policies, and how the system evaluates them. The security policy with precedence order 1 has the highest priority in the evaluation. If you do not set precedence for a policy, the system will set the policy as the last one in the precedence order. You can configure the precedence for each individual policy rule within a security policy, as well as for each security policy.

Consider the following points when configuring policy precedence:

  • In previous Infoblox Threat Defense releases, Infoblox Endpoint groups and DNS forwarding proxy had implicit precedence over external networks. In the latest release, however, the evaluation process has changed and only the configured precedence order decides. For example, if a DNS forwarding proxy is located in an external network and the policy for the external network has a higher precedence than the DNS forwarding proxy policy, the external network policy is applied. To apply the DNS forwarding proxy policy, you must now place it at a higher precedence than the external network policy.
  • During system upgrade, the upgrade procedure may create additional policies in situations where the new precedence feature would otherwise result in referencing a DNS security policy that is different from the policy that would have been referenced before the upgrade. In such cases, the additional policies ensure that the policy behavior is the same as before the upgrade. Additional policies are created when a customer account has multiple policies associated with both Infoblox Endpoint groups and external networks, or multiple policies associated with both DNS forwarding proxy and external networks. In such cases, the upgrade procedure automatically clones a subset of these policies and turns them into new policies associated with external networks only. These new policies are named according to the following naming scheme: <original policy name>-networks-only.
  • When defining a policy using tags, if the Default Global Policy has higher precedence than a custom policy whose network scope is defined based on tags, the Default Global Policy continues to apply, because it is evaluated before the custom policy. For a custom policy with a tag-based network scope to take effect, it must have higher precedence than the Default Global Policy. For information on applying tags to Infoblox Threat Defense objects, see Applying Tags.
  • Since you now have the flexibility to determine the precedence order, it is important that you understand the ramifications of ranking one policy rule over another.
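The following Python model is an added illustration of the evaluation rules described above; it is not Infoblox code and does not describe how the product is implemented. It assumes a policy is a set of scopes (Endpoint groups, DNS forwarding proxy hosts, external networks) and a request source, and shows that precedence 1 is evaluated first, that an unset precedence is evaluated last, that a DNS forwarding proxy no longer has implicit priority over an external network, and how a networks-only clone is named during upgrade.

```python
from dataclasses import dataclass, field, replace
from typing import Optional

@dataclass(frozen=True)
class Policy:
    name: str
    precedence: Optional[int]  # None = not set; the system evaluates it last
    endpoint_groups: frozenset = field(default_factory=frozenset)
    dfp_hosts: frozenset = field(default_factory=frozenset)
    external_networks: frozenset = field(default_factory=frozenset)

    def matches(self, source: dict) -> bool:
        # A policy applies when any of its scopes covers the request source.
        return (source.get("endpoint_group") in self.endpoint_groups
                or source.get("dfp") in self.dfp_hosts
                or source.get("network") in self.external_networks)

def ordered(policies):
    # Precedence 1 is evaluated first; policies with no precedence go last.
    return sorted(policies, key=lambda p: (p.precedence is None, p.precedence or 0))

def select_policy(policies, source):
    # First matching policy in precedence order wins; scope type gives no implicit priority.
    for policy in ordered(policies):
        if policy.matches(source):
            return policy.name
    return None

def with_precedence(policy, precedence):
    return replace(policy, precedence=precedence)

def clone_networks_only(policy):
    # Upgrade-style clone (hypothetical model): keeps only the external-network scope.
    return replace(policy, name=f"{policy.name}-networks-only",
                   endpoint_groups=frozenset(), dfp_hosts=frozenset())

# Constructed sample: a DNS forwarding proxy "dfp-01" deployed inside external network 203.0.113.0/24.
EXT_NET = Policy("branch-net", 1, external_networks=frozenset({"203.0.113.0/24"}))
DFP = Policy("dfp-policy", 2, dfp_hosts=frozenset({"dfp-01"}))
UNSET = Policy("late-policy", None, dfp_hosts=frozenset({"dfp-01"}))
SOURCE = {"dfp": "dfp-01", "network": "203.0.113.0/24"}

if __name__ == "__main__":
    print(select_policy([DFP, EXT_NET], SOURCE))  # branch-net: the network policy outranks the DFP policy
    print(select_policy([with_precedence(DFP, 1), with_precedence(EXT_NET, 2)], SOURCE))  # dfp-policy
    print(select_policy([UNSET, DFP], SOURCE))  # dfp-policy: unset precedence is evaluated last
    print(clone_networks_only(EXT_NET).name)  # branch-net-networks-only
```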

For information about how to set precedence order, see Adding Policy Rules and Setting Precedence.