What is Top-Down rule evaluation in Palo Alto policies, and why must specific rules be placed above general ones?
Top-Down means the firewall checks rules from the first one to the last, applying the first one that matches. The rest are not evaluated. If a broad "Allow any → any" rule sits above a specific "Deny attacker_subnet → bank_subnet" rule, the specific rule never fires — it's "in the shadow" of the broader rule.
The mechanism:
Packet arrives
↓
Rule 1 — does packet match?
yes → apply action, STOP
no → continue
↓
Rule 2 — does packet match?
yes → apply action, STOP
no → continue
...
↓
Default rule (catch-all)
The shadow rule example:
Wrong order: Right order:
Rule 1: Allow any → any → any ✗ Rule 1: Deny attacker → bank ✓
Rule 2: Deny attacker → bank Rule 2: Allow any → any → any
(never reached!) (catch-all)
In the wrong order, every packet matches Rule 1 first, so the deny is never evaluated.
The "specific to general" principle:
| Specificity level | Example |
|---|---|
| Most specific | One IP → one IP → one port |
| ↓ | Subnet → host → service |
| ↓ | Zone → zone → service |
| ↓ | Any zone → zone → any service |
| Most general | Any → any → any (catch-all) |
Always order top-to-bottom from most specific to most general.
Why this discipline matters for security:
The default catch-all in a default-deny system is interzone-default: Deny any. Your specific allow rules go above it. If you accidentally place a broad allow above a specific deny:
Rule 1: Allow Inside → Internet → any ← matches everything outbound
Rule 2: Deny Inside → bittorrent_sites → any ← shadowed, never blocks
Your "block BitTorrent" rule does nothing. Worse, it looks correct in the rule list — only careful order analysis reveals the problem.
A key reminder:
"Es ist also wichtig, sehr spezifische Regeln oben zu definieren und sehr allgemein gehaltene unten."
Tools for spotting shadow rules:
| Tool | What it does |
|---|---|
| Palo Alto: Policy Optimizer | Highlights unused rules (often = shadowed) |
show running rule-use rule "X" |
Counter for how often a rule fires |
| Manual review | Read top-down from the perspective of a sample packet |
If a rule's hit counter is 0 after weeks of traffic, it's either unnecessary or shadowed.
Tip: Make rule order reviews part of your firewall change process. After every rule addition, ask: "Which existing rules might this rule shadow, or be shadowed by?" Most production firewall misconfigurations come from rules added without considering interaction with existing rules.
Go deeper:
Create a Security Policy Rule (Palo Alto) — first-match-wins and the specific-before-general ordering that defines shadow rules.