
Policy Chain

The policy chain is the final, ordered configuration that a device receives. It is assembled automatically by NetDefense from the templates assigned to the device’s organizational units.

Understanding how the policy chain is built is key to designing effective security policies across your organization.

How the Policy Chain is Built

  1. Collect — NetDefense gathers all snippets from every template assigned to every OU the device belongs to.

  2. Deduplicate — If the same snippet appears in multiple templates (e.g., because two OUs share a template), it is included only once. If that snippet appears in both a PREPEND and an APPEND template, it is treated as PREPEND (the more restrictive position wins).

  3. Sort by priority — All collected snippets are sorted by their absolute priority number (lowest first), regardless of which template they came from. Ties are broken alphabetically by snippet name.

  4. Split by position — The sorted list is then split into two groups: PREPEND snippets and APPEND snippets.

  5. Assemble — The final configuration is: all PREPEND snippets (in priority order) → device-local rules → all APPEND snippets (in priority order).

Key Insight: Snippets Are Interleaved by Priority, Not Grouped by Template

This means you can control the exact ordering of rules across templates simply by choosing the right priority numbers. A snippet with priority 25 in corporate-services would be inserted between rate-limit-icmp (20) and anti-spoofing (30), even though they come from different templates.
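The five assembly steps and the interleaving rule above, as an added reference implementation that is not NetDefense's own code: it runs on a constructed subset of the Production OU data, and the template/OU dictionaries, the APPEND template audit-logging, the snippet corp-mid-rule at priority 25 and the identification of "the same snippet" by name are assumptions made for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Snippet:
    name: str
    priority: int  # absolute priority; lower is applied first


# Constructed sample data: template name -> (position, snippets).
# Assumed shape, not NetDefense's real data model.
TEMPLATES = {
    "base-hardening": ("PREPEND", [Snippet("drop-invalid-state", 10),
                                   Snippet("rate-limit-icmp", 20),
                                   Snippet("anti-spoofing", 30)]),
    "corporate-services": ("PREPEND", [Snippet("corp-mid-rule", 25),  # constructed
                                       Snippet("allow-established", 100),
                                       Snippet("allow-dns-ntp", 200)]),
    # Constructed APPEND template; rate-limit-icmp duplicates a PREPEND snippet.
    "audit-logging": ("APPEND", [Snippet("log-everything", 900),
                                 Snippet("flow-export", 900),
                                 Snippet("rate-limit-icmp", 20)]),
}
# OU -> assigned templates; a device may belong to several OUs.
OUS = {"production": ["base-hardening", "corporate-services", "audit-logging"],
       "dmz": ["base-hardening"]}


def build_chain(device_ous, device_local_rules):
    """Return the ordered list of rule names a device receives."""
    position = {}  # snippet name -> "PREPEND" | "APPEND"
    snippets = {}  # snippet name -> Snippet (deduplicated by name)
    # Steps 1-2: collect from every template of every OU; a snippet seen in
    # both positions is forced to PREPEND (the more restrictive position wins).
    for ou in device_ous:
        for template in OUS[ou]:
            pos, items = TEMPLATES[template]
            for s in items:
                snippets[s.name] = s
                if position.get(s.name) != "PREPEND":
                    position[s.name] = pos
    # Step 3: sort by absolute priority across templates, ties broken by name.
    ordered = sorted(snippets.values(), key=lambda s: (s.priority, s.name))
    # Step 4: split the single sorted list by position.
    prepend = [s.name for s in ordered if position[s.name] == "PREPEND"]
    append = [s.name for s in ordered if position[s.name] == "APPEND"]
    # Step 5: PREPEND -> device-local rules -> APPEND.
    return prepend + list(device_local_rules) + append
```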

Worked Example: Production OU

The production OU has three PREPEND templates: base-hardening (priorities 10–50), corporate-services (priorities 100–210), and intrusion-prevention (priorities 500–520). The resulting PREPEND section is a single sorted sequence:

Priority 10 → drop-invalid-state (from base-hardening)
Priority 20 → rate-limit-icmp (from base-hardening)
Priority 30 → anti-spoofing (from base-hardening)
Priority 40 → block-bogon-ranges (from base-hardening)
Priority 50 → log-and-drop-default (from base-hardening)
Priority 100 → allow-established (from corporate-services)
Priority 150 → trusted-networks (from corporate-services)
Priority 160 → dns-servers (from corporate-services)
Priority 200 → allow-dns-ntp (from corporate-services)
Priority 210 → allow-ldap-internal (from corporate-services)
Priority 500 → geoip-filter (from intrusion-prevention)
Priority 510 → port-scan-detect (from intrusion-prevention)
Priority 520 → geoip-blocklist (from intrusion-prevention)
Device-local rules (if any)

All 13 snippets from three different templates are merged and sorted by priority into a single PREPEND block, followed by any device-local rules.

Worked Example: Guest Networks OU

The guest-networks OU has two PREPEND templates: base-hardening and guest-isolation. The device receives all 8 snippets sorted by priority as a single PREPEND block:

Priority 10 → drop-invalid-state (from base-hardening)
Priority 20 → rate-limit-icmp (from base-hardening)
Priority 30 → anti-spoofing (from base-hardening)
Priority 40 → block-bogon-ranges (from base-hardening)
Priority 50 → log-and-drop-default (from base-hardening)
Priority 300 → guest-internet-only (from guest-isolation)
Priority 310 → block-internal-nets (from guest-isolation)
Priority 320 → guest-rate-limit (from guest-isolation)
Device-local rules (if any)

Notice how the guest isolation rules (300–320) slot in naturally after the base hardening rules (10–50) thanks to their higher priority numbers. The two templates share no snippets, so there is nothing to deduplicate — the result is simply a merged, priority-sorted list.