
Rule Placement Analysis

Over time, a security policy rule base can become disorganized and inefficient, and some rules can stop taking effect. This happens mainly because users are not notified promptly when a newly added rule adversely affects other rules in the rule base.

Juniper Security Director Cloud addresses this problem by analyzing the placement of each rule and suggesting the correct placement so that such anomalies are avoided in the rules of a given policy.

Note:
  • You can enable the rule placement analysis when you create a security policy or edit an existing security policy.

  • Rule placement suggestions are available only for newly created rules in a security policy.

Rule placement analysis identifies the security policy rules that contain the following issues:

  • Shadowing—Occurs when a rule higher in the rule base matches all the packets that a rule lower in the rule base would match, so the lower rule never takes effect.

  • Redundancy—Occurs when two or more rules perform the same action on the same packets with the same settings or configurations.

The following list shows the rule placement analysis behavior for different types of security policy rules:

  • Exact match—If a newly created rule has values identical to an existing rule for the Sources, Destination, Application/Services, and Action fields, the new rule should be placed after the existing rule.

  • Exact match with different action—If a newly created rule is identical to an existing rule for the Sources, Destination, and Application/Services fields but has a different Action, the new rule should be placed before the existing rule.

  • New rule is a subset of an existing rule—If a newly created rule is a subset of an existing rule, the new rule should be placed before the existing rule.

  • New rule is a superset of an existing rule—If a newly created rule is a superset of an existing rule, the new rule should be placed after the existing rule.

  • Partial match—If a newly created rule partially matches an existing rule, the new rule should be placed above the existing rule.

  • No match or no overlap—If a newly created rule has no overlap with the existing rules, the new rule should be placed at the top of the existing rules.

The following table shows a few examples of rule placement analysis for different types of rules:

Table 1: Examples of Rule Placement Analysis

Each row lists the condition, Rule 1 (existing), Rule 2 (new), and the suggested placement.

Condition: Exact match
  • Rule 1 (Existing): Source: Any; Destination: Any; Application: App1; Action: Permit
  • Rule 2 (New): Source: Any; Destination: Any; Application: App1; Action: Permit
  • Suggested Rule Placement: Place Rule 2 after Rule 1.

Condition: Exact match with a different action
  • Rule 1 (Existing): Source: Any; Destination: Any; Application: App1; Action: Permit
  • Rule 2 (New): Source: Any; Destination: Any; Application: App1; Action: Deny
  • Suggested Rule Placement: Place Rule 2 before Rule 1.

Condition: New rule is a subset of an existing rule
  • Rule 1 (Existing): Source: Group-A (A1, A2, A3, A4); Destination: Any; Service: S1; Action: Deny
  • Rule 2 (New): Source: A1; Destination: Any; Service: S1; Action: Deny
  • Suggested Rule Placement: Place Rule 2 before Rule 1.

Condition: New rule (Rule 2) is a superset of an existing rule
  • Rule 1 (Existing): Source: A1; Destination: Any; Service: S1; Action: Deny
  • Rule 2 (New): Source: Group-A (A1, A2, A3, A4); Destination: Any; Service: S1; Action: Deny
  • Suggested Rule Placement: Place Rule 2 after Rule 1.

Condition: Partial match
  • Rule 1 (Existing): Source: Any; Destination: Any; Service: Group-S (S1, S2, S3); Application: App1; Action: Permit
  • Rule 2 (New): Source: Any; Destination: Any; Service: S1; Application: Group-A (App1, App2); Action: Permit
  • Suggested Rule Placement: Place Rule 2 before Rule 1.

Condition: No match or no overlap
  • Rule 1 (Existing): Source: 172.16.1.0/8; Destination: Any; Service: S1; Application: App1; Action: Deny
  • Rule 2 (New): Source: Any; Destination: 10.0.0.1/8; Service: S2; Application: App2; Action: Permit
  • Suggested Rule Placement: Place Rule 2 before Rule 1.
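As an added illustration (not code from Juniper Security Director Cloud), the following Python function applies the placement logic from the list above to one existing rule and one new rule, and can be run against the rows of Table 1. It assumes that each match field is either "Any" or a set of address, service, or application names compared as opaque tokens (no CIDR arithmetic), that an omitted field means Any, and that the Action is considered only for exact matches, as the list describes.

```python
ANY = "Any"
MATCH_FIELDS = ("source", "destination", "service", "application")


def _covers(outer, inner):
    """True if field value `inner` is contained in `outer`.
    "Any" is treated as the universal set (assumption)."""
    if outer == ANY:
        return True
    if inner == ANY:
        return False
    return set(inner) <= set(outer)


def _overlaps(a, b):
    """True if the two field values can match at least one common packet."""
    if a == ANY or b == ANY:
        return True
    return bool(set(a) & set(b))


def suggest_placement(existing, new):
    """Classify `new` against `existing` and return (condition, placement).

    Rules are dicts keyed by MATCH_FIELDS plus "action"; an omitted match
    field is treated as Any (assumption). Placement is "before", "after" or
    "top", mirroring the suggestions in the list above.
    """
    new_is_subset = all(_covers(existing.get(f, ANY), new.get(f, ANY)) for f in MATCH_FIELDS)
    new_is_superset = all(_covers(new.get(f, ANY), existing.get(f, ANY)) for f in MATCH_FIELDS)
    # A packet matched by both rules needs overlap in every field at once.
    fields_overlap = all(_overlaps(existing.get(f, ANY), new.get(f, ANY)) for f in MATCH_FIELDS)

    if new_is_subset and new_is_superset:  # identical match fields
        if existing["action"] == new["action"]:
            return "Exact match", "after"
        return "Exact match with different action", "before"
    if new_is_subset:
        return "New rule is a subset of existing rule", "before"
    if new_is_superset:
        return "New rule is a superset of existing rule", "after"
    if fields_overlap:  # overlap in every field, but neither rule contains the other
        return "Partial match", "before"
    return "No match or no overlap", "top"


# Constructed sample input: the "Partial match" row of Table 1.
EXISTING = {"source": ANY, "destination": ANY, "service": {"S1", "S2", "S3"},
            "application": {"App1"}, "action": "Permit"}
NEW = {"source": ANY, "destination": ANY, "service": {"S1"},
       "application": {"App1", "App2"}, "action": "Permit"}

if __name__ == "__main__":
    print(suggest_placement(EXISTING, NEW))  # ('Partial match', 'before')
```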