I've recently gone through something similar.
It's quite hard to articulate all the considerations, but I'll try my best.
I found that creating inline layers was most helpful.
The logic was that I can frame the types of communications (both with ingress and egress):
- Between internal networks inside my DC.
- Between external networks and my internal networks.
So, i created an inline layer for incoming traffic for each subnet.
This way, I didn't need to address explicitly egress traffic from one internal network to another.
As for external networks, I've created an ingress and egress inline layers.
Usually, you'd have NAT facing external networks, which should receive traffic only from external networks.
So this NAT subnet is the ingress of course.
Each inline layer ended with an explicit "drop all" rule.
At first I've usually set it to allow all, so I won't cause any downtime by accident.
That was acceptable, because we had an explicit "allow all" rule...
Also, at the top of the policy, I've set a few global rules:
- Administrative access - not just to the FWs, but also for technicians and sysadmins (they were all inside specific administrative subnets).
That because they need access to many places around the network, and it would be ineffective to create a specific rule in each inline layer.
- DHCP rules (they need special attention as per some SK...)
- All the known drops that I need, e.g. multicast, igmp, etc.
- Probably a couple more rules which I can't remember now...
One last thing, we had remote braches networks.
I've decided to configure their policies with bare minimum rules.
Meaning, blocking east-west traffic inside the branch and allowing all traffic heading the DC (so the main FW handle it).
That way, I've made the branches FWs policies almost immutable.
So, in summary, this enabled me to contain the changes to specific networks each time.
That's one incoming inline layer per internal subnet, and 2 inline layers per external network (ingress+egress).
But be warned, it took up about 4-5 months for 2 policies with a total ~200 rules...
Although, I did gave it to a junior team member, so he also learned during the process...
Hope that helps.
Feel free to contact me if you have any questions.