
Firewall Schemes at Different Layers

This is a network defense design scheme question.

In a scenario where your organization is designing multi-layered firewall deployment and management, how granular do you create rules at each of these three layers?

Example site is a main/HQ site that also houses your data center (basic 3 tier model).

  1. Site has your main internet gateway and VPN termination point. As an example, it’s a Cisco or other ZBF. It has four zones: (1) Internet, (2) VPNs from other sites/clients, (3) your corporate LAN including data center, (4) Guest/untrusted/IoT.
  2. Between your gateway and the rest of your corporate network/datacenter, you have a transparent proxy firewall/IPS/monitor. It’s bridging traffic between gateway and data center.
  3. Within the data center, hosts have software host-based firewalls, all centrally managed by a management product.

Questions:

  • How granular do you make ZBF policies at gateway? Limit it to broad zones, subnets, etc? Get granular by source/destination? Further granular by source/destination/port?
  • How granular do you make rules for transparent proxies between segments? Src/dst? Src/dst/port?
  • How granular do you make rules for host based firewalls? Src/dst? Src/dst/port? Src/dst/port/application/executable?
  • How have organizations you’ve worked for implemented these strategies?
  • Were they manageable vs effective?
  • Did the organization detect/prevent lateral movement if any unauthorized access happened?
  • What would you change about your organization’s firewall related designs?
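The following is an added example, not code from the original post or from anyone in this thread. It models the three layers described above (zone-based gateway, transparent bridge in front of the data center, centrally managed host firewalls) at the three granularities the question lists, and evaluates a handful of constructed flows to show which layer actually sees each one. All zones, addresses, hosts, executables and rules are assumptions chosen for illustration; the placement of the transparent proxy on the data center uplink is also an assumption, since the post leaves it ambiguous. The point it makes: east-west traffic inside the data center is invisible to the gateway and to the bridge, so lateral movement is only ever stopped by the layer with src/dst/port/executable rules.

```python
"""Layered firewall policy evaluator (added example; constructed topology and rules)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed zone layout. Longest prefix wins; anything unmatched is "internet".
ZONE_NETS = [
    ("corp", ip_network("10.10.0.0/16")),
    ("dc", ip_network("10.10.50.0/24")),      # data center sits inside the corp zone
    ("vpn", ip_network("10.200.0.0/16")),
    ("guest", ip_network("192.168.100.0/24")),
]
DC_NET = ip_network("10.10.50.0/24")


def zone_of(addr: str) -> str:
    """Gateway zone for an address; the ZBF has four zones, so 'dc' collapses to 'corp'."""
    hits = [(n.prefixlen, z) for z, n in ZONE_NETS if ip_address(addr) in n]
    if not hits:
        return "internet"
    return "corp" if max(hits)[1] == "dc" else max(hits)[1]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    dst_app: str        # executable listening on dst, as the host firewall sees it


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    src: str                    # zone name at the gateway, CIDR at the other layers
    dst: str
    dport: Optional[int] = None  # None = any port
    app: Optional[str] = None    # None = any executable (host layer only)


def gateway_sees(f: Flow) -> bool:
    # A ZBF only forwards between zones; intra-zone traffic never reaches it.
    return zone_of(f.src) != zone_of(f.dst)


def proxy_sees(f: Flow) -> bool:
    # Assumption: the bridge sits on the DC uplink, so it sees traffic entering or
    # leaving the DC but not DC-to-DC (east-west) traffic.
    return (ip_address(f.src) in DC_NET) != (ip_address(f.dst) in DC_NET)


def host_sees(f: Flow) -> bool:
    # Host firewalls run on DC hosts; we evaluate the destination's inbound policy.
    return ip_address(f.dst) in DC_NET


def rule_matches(layer: str, r: Rule, f: Flow) -> bool:
    if layer == "gateway":
        if (r.src, r.dst) != (zone_of(f.src), zone_of(f.dst)):
            return False
    elif not (ip_address(f.src) in ip_network(r.src) and ip_address(f.dst) in ip_network(r.dst)):
        return False
    if r.dport is not None and r.dport != f.dport:
        return False
    return r.app is None or r.app == f.dst_app


LAYERS = {
    "gateway": (gateway_sees, [            # zone pairs; a port only on the internet edge
        Rule("allow", "internet", "corp", dport=443),
        Rule("allow", "vpn", "corp"),
        Rule("allow", "corp", "internet"),
        Rule("allow", "guest", "internet"),
    ]),
    "proxy": (proxy_sees, [                # src/dst subnet plus port
        Rule("allow", "0.0.0.0/0", "10.10.50.10/32", dport=443),
        Rule("allow", "10.10.0.0/24", "10.10.50.0/24", dport=22),
    ]),
    "host": (host_sees, [                  # src/dst/port/executable
        Rule("allow", "0.0.0.0/0", "10.10.50.10/32", dport=443, app="nginx"),
        Rule("allow", "10.10.50.10/32", "10.10.50.20/32", dport=5432, app="postgres"),
        Rule("allow", "10.10.0.0/24", "10.10.50.0/24", dport=22, app="sshd"),
    ]),
}


def evaluate(f: Flow) -> dict:
    """Per-layer verdict ('allow', 'deny' or 'not inspected') plus the overall result.

    Every inspecting layer is default-deny; the flow passes only if each layer that
    sees it allows it.
    """
    verdicts = {}
    for name, (sees, rules) in LAYERS.items():
        if not sees(f):
            verdicts[name] = "not inspected"
            continue
        hit = next((r for r in rules if rule_matches(name, r, f)), None)
        verdicts[name] = hit.action if hit else "deny"
    verdicts["overall"] = "deny" if "deny" in verdicts.values() else "allow"
    return verdicts


# Constructed sample flows: a normal client, a guest, the web tier talking to its
# database, and two lateral-movement attempts from a compromised web host.
FLOWS = {
    "client_to_web": Flow("203.0.113.5", "10.10.50.10", 443, "nginx"),
    "guest_to_web": Flow("192.168.100.7", "10.10.50.10", 443, "nginx"),
    "web_to_db": Flow("10.10.50.10", "10.10.50.20", 5432, "postgres"),
    "web_to_db_smb": Flow("10.10.50.10", "10.10.50.20", 445, "smbd"),
    "web_to_db_rogue_listener": Flow("10.10.50.10", "10.10.50.20", 5432, "ncat"),
}

if __name__ == "__main__":
    for name, flow in FLOWS.items():
        print(f"{name:26} {evaluate(flow)}")
```

Running it shows the guest flow dying at the coarse zone rule (no need for anything finer at the gateway), while both lateral-movement flows report "not inspected" at the gateway and proxy and are stopped only by the host rules; the rogue listener on an otherwise permitted port is caught only because the host rule names the executable.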
catloaf:

Rules are defined as narrowly as possible to accomplish the goal.
