On a firewall managed by Panorama, the Security policy rulebase is a composite of rules pushed from Panorama and rules configured locally on the firewall. The firewall's policy engine evaluates these rules in a specific, non-configurable order. Panorama pre-rules are always evaluated first. If no match is found, the firewall proceeds to evaluate its local rules. If there is still no match, it then evaluates the Panorama post-rules. This hierarchical structure allows central administrators to enforce universal security policies (pre-rules) and default cleanup policies (post-rules) while still permitting local administrators to create device-specific rules in between.

A. Firewall policy evaluation stops on the first rule that matches the session's traffic. If a local rule matches, subsequent rules, including any post-rules, are not processed for that session.

C. The order of evaluation (Pre-rules -> Local rules -> Post-rules) is a fixed architectural principle of the PAN-OS and Panorama integration. It cannot be altered for troubleshooting or any other reason.

D. While device groups determine which policies are pushed to a firewall, they do not alter the fundamental, built-in logic of how the firewall evaluates the pre-rule, local, and post-rule sections.

1. Palo Alto Networks Panorama Administrator's Guide 10.2: In the section "Policies

" under "Policy Rulebase

" the documentation states

"When you push policies from Panorama to a managed firewall

the firewall evaluates the rules in the following order: Pre-rules

Local firewall rules

Post-rules... The firewall evaluates rules in order and the first rule that matches the traffic is applied." (Reference: Policies > Policy Rulebase section).

2. Palo Alto Networks Panorama Administrator's Guide 11.0: The section "Manage Policies Using Device Groups" explicitly details the rule hierarchy. It explains

"Pre-rules are added before the local firewall rules and post-rules are added after. This allows you to create a policy structure where some rules are always processed before others." (Reference: Device Groups > Manage Policies Using Device Groups).

3. Palo Alto Networks

"Day in the Life of a Packet

" White Paper: This document describes the packet flow logic within the firewall. It confirms that policy lookup is a sequential

top-down process. Once a matching security policy rule is found

the defined action is taken

and the policy lookup for that session concludes

reinforcing that post-rules would not be checked after a local rule match. (Reference: Section on "Policy Lookup").