Thanks. This is my first deployment of ATP Cloud.
My feeling was also that I just change the application on the SecIntel rule, but I was unable to get any commitment from support.
I could get around it by adding deny rules, but that list would be so much larger than having just an allow and then a deny-all rule.
Thanks
------------------------------
TODD YOUNGBAUER
------------------------------
Original Message:
Sent: 02-05-2025 21:44
From: Nikolay Semov
Subject: Policy order and design with Cloud ATP
Yes, you already figured out the solution there at the end.
------------------------------
Nikolay Semov
Original Message:
Sent: 02-05-2025 10:10
From: TODD YOUNGBAUER
Subject: Policy order and design with Cloud ATP
Hi All,
So I have asked support this and not gotten a clear answer. If I bring Cloud ATP and SecIntel into play, how would you manage the rule order? Here is an example.
Let's say you want to have a rule that only permits http and https. The next rule would be a deny any, any. So we have blocked all traffic except web traffic.
Now we add SecIntel with a rule to block Command and Control. The docs have the SecIntel rule as this:
policy secintel {
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        permit {
            application-services {
                ssl-proxy;
                security-intelligence-policy secintel_policy;
            }
        }
    }
}
The question is: should this rule be before the explicit rule or after? If it is before, does it then allow any protocols? If I put it after, will all bad sites from the feed be missed?
What would be the best placement, or is the solution to change the application to http and https on the SecIntel rule and then remove the explicit rule?
I hope that makes sense. The goal is to use the feeds to block bad sites but still only allow required services.
Thanks
------------------------------
TODD YOUNGBAUER
------------------------------
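For reference, here is the merged layout the thread settles on, written out as an added example (not the docs' snippet and not anything posted in the thread): the SecIntel permit rule is narrowed to web applications so it doubles as the allow rule, and the deny-all stays last because Junos security policies are evaluated first-match in order. The zone names, the policy names, the `log` statement and the SSL proxy profile name are assumptions for illustration.

```junos
security {
    policies {
        from-zone trust to-zone untrust {
            /* Allow only web traffic, and run every permitted web session
               through SSL proxy and the SecIntel (C&C feed) policy. */
            policy allow-web-secintel {
                match {
                    source-address any;
                    destination-address any;
                    application [ junos-http junos-https ];
                }
                then {
                    permit {
                        application-services {
                            ssl-proxy {
                                profile-name SSL-PROXY-PROFILE;   /* assumed profile name */
                            }
                            security-intelligence-policy secintel_policy;
                        }
                    }
                    log {
                        session-close;
                    }
                }
            }
            /* Everything not matched above is dropped. Keep this rule last:
               an "application any" SecIntel rule placed before it would
               permit every protocol, and a web-only SecIntel rule placed
               after it would never be reached. */
            policy deny-all {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                    log {
                        session-init;
                    }
                }
            }
        }
    }
}
```

After committing, `show security policies from-zone trust to-zone untrust` confirms the two policies are listed in this order; if an existing deny rule already sits above the new one, `insert security policies from-zone trust to-zone untrust policy allow-web-secintel before policy deny-all` moves it.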