
Policy Rank: Absolute, Default, and Catch-All

Policy rank determines whether a policy is overridden by a more specific policy lower in the priority list (or in a scope lower in the scope tree). The lowest-priority policy in every scope is always the Catch-All rule.

Policy Rank: Absolute

Absolute policies take effect even if they contradict application-specific policies lower in the policy list (and thus of lower priority) or in scopes lower in the scope tree. Generally, use Absolute policies to enforce best practices, protect different zones, or quarantine specific workloads. For example, use Absolute policies to control traffic to DNS or NTP servers, or to meet regulatory requirements.

Absolute policies are listed above default policies in the policy priority list.

Policy Rank: Default

Default policies can be overridden by policies lower in the policy list or in scopes lower in the scope tree. Generally, fine-grained policies are Default policies.

Default policies are listed below absolute policies in the policy priority list.

Policy Rank: Catch-All

Each workspace has a catch-all policy that handles traffic in each direction that does not match any explicitly specified policies in the workspace. The catch-all action can be Allow or Deny.

In general, set the Catch-All policy as follows:

  • Allow traffic in scopes higher in the scope tree, so that policies in scopes lower in the tree can evaluate the traffic.

  • Deny traffic at the most specific leaf at the bottom of the scope tree.

This gives policies in all scopes in the tree the opportunity to match the traffic, while blocking traffic that does not match any policy in any scope.

The catch-all rule is applied to all interfaces on each workload in the workspace.
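The precedence rules above can be made concrete with a small model. The following Python is an added illustration, not Secure Workload's own enforcement engine; it assumes a simplified evaluation order for a flow whose scope path runs root to leaf: Absolute policies from the root down (first match wins, nothing lower can override), then Default policies from the leaf up (a lower scope overrides a higher one), then the Catch-All of the lowest scope on the path that has a workspace. The scope names, labels and policies are constructed for the example.

```python
"""Simplified model of policy-rank resolution (constructed illustration).

Assumed evaluation order for a flow on the scope path root -> ... -> leaf:
  1. Absolute policies, root first, then each lower scope; first match wins
     and nothing in a lower scope can override it.
  2. Default policies, leaf first, then each higher scope, so a lower scope's
     Default policy overrides a higher scope's Default policy.
  3. The Catch-All of the lowest scope on the path that has a workspace.
This is not Secure Workload's actual engine; it models the page's rules.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ALLOW, DENY = "ALLOW", "DENY"


@dataclass(frozen=True)
class Flow:
    consumer: str   # label of the source workload group, e.g. "web"
    provider: str   # label of the destination workload group, e.g. "dns"
    port: int       # destination port


@dataclass(frozen=True)
class Policy:
    consumer: str          # "*" matches any consumer label
    provider: str          # "*" matches any provider label
    port: Optional[int]    # None matches any port
    action: str            # ALLOW or DENY

    def matches(self, flow: Flow) -> bool:
        return (self.consumer in ("*", flow.consumer)
                and self.provider in ("*", flow.provider)
                and self.port in (None, flow.port))


@dataclass
class Scope:
    name: str
    absolute: List[Policy] = field(default_factory=list)  # highest priority
    default: List[Policy] = field(default_factory=list)   # below Absolute
    catch_all: Optional[str] = None  # None: scope has no enforced workspace


def first_match(policies: List[Policy], flow: Flow) -> Optional[str]:
    """Policies are kept in priority order; the first match decides."""
    for policy in policies:
        if policy.matches(flow):
            return policy.action
    return None


def resolve(path: List[Scope], flow: Flow) -> Tuple[str, str]:
    """Return (action, reason) for a flow along the scope path root..leaf."""
    # 1. Absolute: higher scopes first; a match here is final.
    for scope in path:
        action = first_match(scope.absolute, flow)
        if action:
            return action, f"absolute policy in scope '{scope.name}'"
    # 2. Default: lower scopes are consulted first and so override higher ones.
    for scope in reversed(path):
        action = first_match(scope.default, flow)
        if action:
            return action, f"default policy in scope '{scope.name}'"
    # 3. Catch-All of the lowest scope on the path that has a workspace.
    for scope in reversed(path):
        if scope.catch_all is not None:
            return scope.catch_all, f"catch-all in scope '{scope.name}'"
    return ALLOW, "no workspace on the path (assumed: nothing enforced)"


def build_example_tree() -> List[Scope]:
    """Constructed three-level scope path: Corp -> Corp:Prod -> Corp:Prod:App."""
    corp = Scope("Corp",
                 absolute=[Policy("quarantine", "*", None, DENY),  # quarantine
                           Policy("*", "dns", 53, ALLOW)],         # DNS for all
                 default=[Policy("*", "app", 8080, DENY)],          # overridable
                 catch_all=ALLOW)  # higher scope: Allow so lower scopes decide
    prod = Scope("Corp:Prod",
                 default=[Policy("web", "app", 8080, ALLOW)],  # overrides Corp
                 catch_all=ALLOW)
    app = Scope("Corp:Prod:App",
                default=[Policy("*", "db", 5432, ALLOW)],
                catch_all=DENY)   # leaf: Deny whatever nothing matched
    return [corp, prod, app]


if __name__ == "__main__":
    path = build_example_tree()
    for flow in (Flow("app", "dns", 53), Flow("quarantine", "db", 5432),
                 Flow("web", "app", 8080), Flow("app", "db", 5432),
                 Flow("app", "smtp", 25)):
        print(flow, "->", resolve(path, flow))
    # A workload whose leaf scope has no workspace falls back to Corp:Prod.
    print(Flow("web", "smtp", 25), "->", resolve(path[:2], Flow("web", "smtp", 25)))
```

Running the script shows the four behaviours the page describes: the root's Absolute DNS policy allows `app -> dns:53` even though the leaf Catch-All is Deny; the root's Absolute quarantine rule denies `quarantine -> db:5432` despite the leaf's Default allow; the Default allow in Corp:Prod overrides the Default deny in Corp for `web -> app:8080`; and `app -> smtp:25`, which matches nothing, is denied by the leaf Catch-All, while a workload whose leaf scope has no workspace inherits the Allow Catch-All of Corp:Prod.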