Best practices vary widely according to your existing environment and what, if any, other security controls and policies are in place in your organization. Depending on your environment and location, you may also have legal or regulatory requirements that should be implemented in your firewall policy.
It's safe to say, though, that you should at least be doing network discovery and have in place the basic balanced security IPS policy.
Anything allowed inbound from the Internet or less secure interfaces should not get full access to internal resources but to select resources placed in a DMZ.
Knowing more about your overall design and what you're trying to protect would help.