
Occasional Contributor I

Policies: most specific to less specific, or vice versa

Hi guys,

It is my first post here, and I am very excited :)

Aruba says that GENERALLY (I like that) the most specific policies should go on the TOP (as in any other firewall, we examine the rules TOP -> BOTTOM), and then the less specific rules towards the bottom.

On my last job, the security team told us to do the opposite (Palo Alto and iptables firewalls), meaning the most general rules at the top and the less general rules at the bottom.

Both ways have upsides:

- Most specific rules first: we avoid checking so many rules, therefore we reduce performance requirements.

- Less specific rules first: I would say that the sooner we kick a client out, the better, meaning we give it fewer chances to find open ports.

Comments are very welcome :)



Guru Elite

Re: Policies: most specific to less specific, or vice versa

It is probably more about organization than anything else. You want it more specific to less specific so that you can easily understand if and why a rule is not working. The rule evaluation is top to bottom, so they should be written from the most specific to the less specific. It is not really about what ports are opened or how soon you want to kick a client off.

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*

Valued Contributor II

Re: Policies: most specific to less specific, or vice versa

Hi Friend,

The policy execution method is similar across all vendors; it is called the pyramid rule. On top of that, this rule is not there to speed up the execution process but rather to select the perfect match.

Here is an example:

Suppose we have to block a particular host (Ex: ) in a subnet (/24) from accessing TFTP. We can write the policy in two different ways (Cisco IOS extended ACL syntax; the blocked host's address is shown as the placeholder <blocked-host>):

1. Permit first, deny second:

   access-list 199 permit ip any any
   access-list 199 deny udp host <blocked-host> any eq 69

2. Deny first, permit second:

   access-list 199 deny udp host <blocked-host> any eq 69
   access-list 199 permit ip any any

Both policies look very similar, but the execution is completely different. The first one will not stop the host from accessing TFTP, because the first rule says anybody from the subnet can access anything; the host is also part of the same subnet, so it will be allowed, and the process will never check the next rule.

Whereas with the second method, we are denying the specific host first, therefore the host will be stopped from accessing TFTP; if any other host tries to access TFTP, its traffic will not match the first rule, so the process will evaluate the second rule.

Bottom line: "most specific" means the rule matching or filtering the fewest hosts should come first. We should write the rules top to bottom in ascending order with respect to the number of hosts each rule filters.


For your ref :





Please feel free to ask any further query on this.


Venu Puduchery,
[Did my post help you? Give Kudos :)]
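To make the two replies above concrete, here is an added example (not code from the thread or from any Aruba product) that models first-match, top-to-bottom evaluation of a small ACL and then flags rules that can never fire because an earlier, broader rule already covers every packet they would match. That "shadowed rule" check is exactly the "why is my rule not working" problem the first reply mentions, and the two ACLs below reproduce the two orderings from the second reply. The rule syntax is a simplified, Cisco-IOS-like form chosen for this example, and the host and subnet addresses are constructed samples.

```python
"""First-match ACL evaluation and shadowed-rule detection.

Added example, not code from the forum thread.  Rule syntax (simplified,
IOS-like, chosen for this example):
    <permit|deny> <ip|udp|tcp> <src> <dst> [eq <dst-port>]
where <src>/<dst> is 'any', 'host A.B.C.D' or 'A.B.C.D/len'.
Addresses below are constructed samples, not from the thread.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" (any protocol), "udp" or "tcp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]              # destination port, None = any port


def _address_token(toks: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one address operand starting at toks[i]; return (network, next index)."""
    if toks[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ipaddress.ip_network(toks[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(toks[i], strict=False), i + 1


def parse_rule(line: str) -> Rule:
    """Parse one rule line in the simplified syntax described above."""
    toks = line.split()
    action, proto = toks[0], toks[1]
    src, i = _address_token(toks, 2)
    dst, i = _address_token(toks, i)
    port = int(toks[i + 1]) if i < len(toks) and toks[i] == "eq" else None
    return Rule(action, proto, src, dst, port)


def matches(rule: Rule, proto: str, src: str, dst: str, dport: int) -> bool:
    """True if a packet (proto, src, dst, dport) is covered by this single rule."""
    return (rule.proto in ("ip", proto)
            and ipaddress.ip_address(src) in rule.src
            and ipaddress.ip_address(dst) in rule.dst
            and (rule.port is None or rule.port == dport))


def evaluate(acl: List[Rule], proto: str, src: str, dst: str, dport: int):
    """Top-to-bottom first match.  Returns (action, index of the rule that fired).

    Like an IOS ACL, an unmatched packet hits the implicit deny (index None).
    """
    for idx, rule in enumerate(acl):
        if matches(rule, proto, src, dst, dport):
            return rule.action, idx
    return "deny", None


def shadowed_rules(acl: List[Rule]) -> List[int]:
    """Indices of rules that can never fire: an earlier rule matches a superset
    of their traffic (protocol, source, destination and port all broader or equal).
    Only complete shadowing is reported, partial overlaps are not."""
    out = []
    for j, later in enumerate(acl):
        for earlier in acl[:j]:
            if (earlier.proto in ("ip", later.proto)
                    and later.src.subnet_of(earlier.src)
                    and later.dst.subnet_of(earlier.dst)
                    and (earlier.port is None or earlier.port == later.port)):
                out.append(j)
                break
    return out


# Constructed sample data: the host to block and the two orderings from the thread.
BLOCKED_HOST = "10.1.1.50"
ORDER_GENERAL_FIRST = [parse_rule(l) for l in (
    "permit ip any any",
    f"deny udp host {BLOCKED_HOST} any eq 69",
)]
ORDER_SPECIFIC_FIRST = list(reversed(ORDER_GENERAL_FIRST))

if __name__ == "__main__":
    for name, acl in (("general first", ORDER_GENERAL_FIRST),
                      ("specific first", ORDER_SPECIFIC_FIRST)):
        verdict = evaluate(acl, "udp", BLOCKED_HOST, "10.9.9.9", 69)
        print(f"{name}: TFTP from {BLOCKED_HOST} -> {verdict}, "
              f"shadowed rule indices: {shadowed_rules(acl)}")
```

With the general rule on top, the deny is reported as shadowed (index 1) and the blocked host's TFTP traffic is permitted by rule 0; with the specific deny on top, nothing is shadowed, the blocked host is denied by rule 0, and every other host falls through to the permit at rule 1. Running the shadow check over a real rule base before pushing it is a cheap way to catch exactly this class of ordering mistake.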