Before you configure rules for the security policy, ensure that you understand the precedence order that BloxOne Threat Defense Cloud uses to apply security policies. The precedence order determines the priority of the policy rules and security policies, and how the system evaluates them. Policies with precedence order 1 has the highest priority in the evaluation. If you do not set precedence for a policy, the system will set the policy as the last one in the precedence order. In the latest BloxOne Threat Defense Cloud release, you can configure the precedence for each individual policy rule within a security policy, as well as for each security policy.
The following are some information you should consider when configuring policy precedence:
- In previous BloxOne Threat Defense releases, BloxOne Endpoint groups and DNS forwarding proxy had implicit precedence over external networks. In the latest release however, the evaluation process has changed. For example, in the new release, if a DNS forwarding proxy is located in an external network and the policy for the external network has a higher precedence than the DNS forwarding policy, the external network policy will be applied. To apply the DNS forwarding proxy policy, you must now place it at a higher precedence than the external network policy.
- During system upgrade, the upgrade procedure may create additional policies in situations where the new precedence feature may result in referencing a DNS security policy that is different than the policy that would have been referenced before the upgrade. In such cases, the additional polices ensure that the behavior of the policy is the same as the behavior before the upgrade. The creation of additional policies is applicable in situations where a customer account has multiple policies associated with both the BloxOne Endpoint groups and external networks, or multiple policies associated with both DNS forwarding proxy and external networks. In such cases, the upgrade procedure automatically clones a subset of these policies and turn them into new policies, associated with external networks only. These new policies are named according to the following naming scheme: <original policy name>-networks-only.
- Since you now have the flexibility to determine the precedence order, it is important that you understand the ramification of ranking one policy rule over the other.
For information about how to set precedence order, see Adding Policy Rules and Setting Precedence.
This page has no comments.