LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What is Top-Down rule evaluation in Palo Alto policies, and why must specific rules be placed above general ones?

Top-Down means the firewall checks rules from the first one to the last, applying the first one that matches. The rest are not evaluated. If a broad "Allow any → any" rule sits above a specific "Deny attacker_subnet → bank_subnet" rule, the specific rule never fires — it's "in the shadow" of the broader rule.

The mechanism:

Packet arrives
   ↓
Rule 1 — does packet match?
   yes → apply action, STOP
   no → continue
   ↓
Rule 2 — does packet match?
   yes → apply action, STOP
   no → continue
   ...
   ↓
Default rule (catch-all)

The shadow rule example:

Wrong order:                              Right order:
Rule 1: Allow any → any → any  ✗          Rule 1: Deny attacker → bank  ✓
Rule 2: Deny attacker → bank             Rule 2: Allow any → any → any
        (never reached!)                          (catch-all)

In the wrong order, every packet matches Rule 1 first, so the deny is never evaluated.

The "specific to general" principle:

Specificity level Example
Most specific One IP → one IP → one port
Subnet → host → service
Zone → zone → service
Any zone → zone → any service
Most general Any → any → any (catch-all)

Always order top-to-bottom from most specific to most general.

Why this discipline matters for security:

The default catch-all in a default-deny system is interzone-default: Deny any. Your specific allow rules go above it. If you accidentally place a broad allow above a specific deny:

Rule 1: Allow Inside → Internet → any        ← matches everything outbound
Rule 2: Deny Inside → bittorrent_sites → any ← shadowed, never blocks

Your "block BitTorrent" rule does nothing. Worse, it looks correct in the rule list — only careful order analysis reveals the problem.

A key reminder:

"Es ist also wichtig, sehr spezifische Regeln oben zu definieren und sehr allgemein gehaltene unten."

Tools for spotting shadow rules:

Tool What it does
Palo Alto: Policy Optimizer Highlights unused rules (often = shadowed)
show running rule-use rule "X" Counter for how often a rule fires
Manual review Read top-down from the perspective of a sample packet

If a rule's hit counter is 0 after weeks of traffic, it's either unnecessary or shadowed.

Tip: Make rule order reviews part of your firewall change process. After every rule addition, ask: "Which existing rules might this rule shadow, or be shadowed by?" Most production firewall misconfigurations come from rules added without considering interaction with existing rules.

Go deeper:

From Quiz: INTROL / Firewall Basics Lab (Palo Alto PA-440) | Updated: Jul 14, 2026