Precedence Rules for Security Policies
Precedence Order
Application filtering: when Local On-prem Resolution is enabled, application filters take priority over the precedence order described below when rules are executed.
Infoblox Threat Defense evaluates the rules of a security policy in ascending precedence order: the rule with the lowest precedence number is evaluated first and therefore has the highest priority. The recommended precedence order for the rules in a security policy is as follows:
Default Lists
Custom Lists
Feeds and Threat insights
Category Filters
Application Filters
This order is a recommendation; the precedence order actually used is decided by your organization. Keep precedence order in mind whenever you create or edit the rules of a security policy, because a rule placed higher in the list is evaluated before every rule below it.
Precedence reordering: you can reorder security policy rules with drag-and-drop. On the Policy Rules page, click the rule you want to move and drag it to its new position. Repeat until all rules are in the required precedence order.
Precedence order considerations when defining a policy based on tags: precedence also applies between policies, not only between the rules inside one policy. If the Default Global Policy has higher precedence (that is, a lower precedence number) than a custom policy whose network scope is defined by tags, the Default Global Policy continues to apply to those tagged networks, because it is evaluated first. For a tag-scoped custom policy to take effect, it must have higher precedence than the Default Global Policy.
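The following added example is not Infoblox code and is not from this page; it models the two precedence semantics described above as first-match evaluation: rules inside a policy are tried in ascending precedence number and the first match decides, and the policy applied to a client is the matching policy with the lowest precedence number. The rule set is a constructed subset of the default rule order listed on this page; the feed contents, the "Guest Wi-Fi" policy, the "guest" tag and all hostnames are made up for the demonstration, and treating a query that matches no rule as "no decision" is an assumption of the model.

```python
"""First-match model of security-policy precedence (added illustration)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    precedence: int     # lower number = evaluated earlier = higher priority
    name: str
    action: str
    members: frozenset  # hostnames the list or feed contains (constructed)


@dataclass(frozen=True)
class Policy:
    precedence: int
    name: str
    scope_tags: frozenset  # empty = Default Global Policy, matches every client
    rules: tuple


def evaluate_rules(rules, qname):
    """Return (rule name, action) of the first rule, in ascending precedence
    order, whose list or feed contains qname; (None, None) if nothing matches.
    Treating "no match" as "no decision" is an assumption of this model."""
    for rule in sorted(rules, key=lambda r: r.precedence):
        if qname in rule.members:
            return rule.name, rule.action
    return None, None


def select_policy(policies, client_tags):
    """Policy-level precedence: the policy with the lowest precedence number
    whose network scope matches the client wins. An empty scope (the Default
    Global Policy) matches everyone, so if it sits above a tag-scoped custom
    policy, the custom policy never gets to run for those tagged clients."""
    for policy in sorted(policies, key=lambda p: p.precedence):
        if not policy.scope_tags or policy.scope_tags & frozenset(client_tags):
            return policy
    return None


def resolve(policies, client_tags, qname):
    """Full decision for one query: pick the policy, then the first matching rule."""
    policy = select_policy(policies, client_tags)
    if policy is None:
        return None, None, None
    rule, action = evaluate_rules(policy.rules, qname)
    return policy.name, rule, action


# Constructed subset of the default rule order on this page. "partner.example"
# is in both the Default Allow list and the Base feed (a false positive being
# overridden); "suspicious.example" is in both the Medium Risk (block) and
# Low Risk (allow) feeds, which is why block feeds sit above allow feeds.
DEFAULT_RULES = (
    Rule(1, "Default Allow", "ALLOW - No Log", frozenset({"partner.example"})),
    Rule(2, "Default Block", "BLOCK - No Redirect", frozenset({"banned.example"})),
    Rule(3, "Infoblox Base", "BLOCK - No Redirect",
         frozenset({"partner.example", "malware.example"})),
    Rule(7, "Infoblox Medium Risk", "BLOCK - No Redirect", frozenset({"suspicious.example"})),
    Rule(8, "Infoblox Low Risk", "ALLOW - With Log",
         frozenset({"suspicious.example", "newish.example"})),
)

# The same rules after dragging "Infoblox Low Risk" above the block section.
REORDERED_RULES = tuple(
    Rule(0, r.name, r.action, r.members) if r.name == "Infoblox Low Risk" else r
    for r in DEFAULT_RULES
)

# Policy-level example for the tag case. "Guest Wi-Fi" and the "guest" tag
# are constructed; the Default Global Policy has an empty (match-all) scope.
GUEST_RULES = (Rule(1, "Guest Block", "BLOCK - No Redirect", frozenset({"newish.example"})),)
GLOBAL_FIRST = (   # Default Global Policy above the tagged policy: tagged policy is shadowed
    Policy(1, "Default Global Policy", frozenset(), DEFAULT_RULES),
    Policy(2, "Guest Wi-Fi", frozenset({"guest"}), GUEST_RULES),
)
GUEST_FIRST = (    # tagged policy above the Default Global Policy: it takes effect
    Policy(1, "Guest Wi-Fi", frozenset({"guest"}), GUEST_RULES),
    Policy(2, "Default Global Policy", frozenset(), DEFAULT_RULES),
)


if __name__ == "__main__":
    for q in ("partner.example", "malware.example", "suspicious.example", "unknown.example"):
        print(f"{q:20} -> {evaluate_rules(DEFAULT_RULES, q)}")
    print("after reordering:", evaluate_rules(REORDERED_RULES, "suspicious.example"))
    print("guest client, global first:", resolve(GLOBAL_FIRST, {"guest"}, "newish.example"))
    print("guest client, guest first: ", resolve(GUEST_FIRST, {"guest"}, "newish.example"))
```

Running it shows the three points the text makes: a custom Default Allow entry at precedence 1 overrides a Base feed hit for the same name, a name present in both a block feed and an allow feed is blocked only while the block feed sits above the allow feed (drag Low Risk to the top and the same query is allowed with log), and the same guest client gets an allow under GLOBAL_FIRST but a block under GUEST_FIRST, which is the tag caveat above. The model captures order and first match only; it does not model logging or redirect behaviour, nor the Local On-prem Resolution exception for application filters.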
Default Policy Rules shown with precedence order (shown as an example)
General Rules:
Apart from the Default and Custom section, Block feeds should be listed above Allow feeds.
Within each Block or Allow section, feeds are listed by confidence (High, Medium, then Low).
Table legend (the colour coding of the original table is not preserved here): High Confidence feed; Medium Confidence feed; Low Confidence feed.
Feed | Default Action | Precedence | Section
--- | --- | --- | ---
Default Allow | ALLOW - No Log | 1 | Default Section
Default Block | BLOCK - No Redirect | 2 | Default Section
Infoblox Base | BLOCK - No Redirect | 3 | Block Section
Infoblox Base IP | BLOCK - No Redirect | 4 | Block Section
Infoblox High Risk | BLOCK - No Redirect | 5 | Block Section
Threat Insight - Zero Day DNS | BLOCK - No Redirect | 6 | Block Section
Infoblox Medium Risk | BLOCK - No Redirect | 7 | Block Section
Infoblox Low Risk | ALLOW - With Log | 8 | Allow Section
Infoblox Informational | ALLOW - With Log | 9 | Allow Section
Threat Insight - DGA | ALLOW - With Log | 10 | Allow Section
Threat Insight - Data Exfiltration | ALLOW - With Log | 11 | Allow Section
Threat Insight - DNS Messenger | ALLOW - With Log | 12 | Allow Section
Threat Insight - Notional Data Exfiltration | ALLOW - With Log | 13 | Allow Section

Feeds not included in the default policy (you can add any of them as policy rules, with the action your policy requires):

Feed | Default Action
--- | ---
Bogon | Not Included
Cryptocurrency hostnames and domains | Not Included
TOR Exit Node IPs | Not Included
DHS_AIS_IP | Not Included
DHS_AIS | Not Included
EECN IPs | Not Included
US_OFAC_Sanctions_IP_Med | Not Included
US_OFAC_Sanctions_IP_High | Not Included
US_OFAC_Sanctions_IP_Embargoed | Not Included
Farsight Newly Observed Domains (NOD) | Not Included
Proofpoint ETIQRisk Hostname | Not Included
Proofpoint ETIQRisk IP | Not Included
Default Policy Rules with content and application categorization rules, shown with precedence order (shown as an example)
General Rules:
Apart from the Default and Custom section, Block feeds should be listed above Allow feeds.
Within each Block or Allow section, feeds are listed by confidence (High, Medium, then Low).
Table legend (the colour coding of the original table is not preserved here): High Confidence feed; Medium Confidence feed; Low Confidence feed.
Feed | Default Action | Precedence | Section
--- | --- | --- | ---
Default Allow | ALLOW - No Log | 1 | Default and Custom (if any) Section
Default Block | BLOCK - No Redirect | 2 | Default and Custom (if any) Section
Custom List (if any manually configured) | BLOCK - No Redirect | 3 | Default and Custom (if any) Section
Infoblox Base | BLOCK - No Redirect | 4 | Block Section
Infoblox Base IP | BLOCK - No Redirect | 5 | Block Section
Infoblox High Risk | BLOCK - No Redirect | 6 | Block Section
Threat Insight - Zero Day DNS | BLOCK - No Redirect | 7 | Block Section
Infoblox Medium Risk | BLOCK - No Redirect | 8 | Block Section
Categorization filter (if any manually configured) | BLOCK - No Redirect | 9 | Block Section
Application filter (if any manually configured) | BLOCK - No Redirect | 10 | Block Section
Infoblox Low Risk | ALLOW - With Log | 11 | Allow Section
Infoblox Informational | ALLOW - With Log | 12 | Allow Section
Threat Insight - DGA | ALLOW - With Log | 13 | Allow Section
Threat Insight - Data Exfiltration | ALLOW - With Log | 14 | Allow Section
Threat Insight - DNS Messenger | ALLOW - With Log | 15 | Allow Section
Threat Insight - Notional Data Exfiltration | ALLOW - With Log | 16 | Allow Section
Categorization filter (if any manually configured) | ALLOW - With Log | 17 | Allow Section
Application filter (if any manually configured) | ALLOW - With Log | 18 | Allow Section