Using Continue rules with Sidewinder Proxies
When you use Continue rules to set a default Protocol, including a Sidewinder Proxy, rules later in the policy can override the defaults set in the Continue rules.
This limitation is due to the way that rules are processed, and is not specific to Sidewinder Proxies.
A rule later in the policy overrides the defaults set in a Continue rule when both of the following conditions are met:
- The rule matches the same source, destination, and service port as the Continue rule.
- The rule specifies a Protocol of the type Protocol Agent or Protocol Tag for the Service.
To avoid this limitation, do not add rules that specify a Protocol of the type Protocol Agent or Protocol Tag for the same matching criteria as the Continue rules for Sidewinder Proxies.
ID | Source | Destination | Service | Action |
---|---|---|---|---|
14.1 | Internal network | External | SSM HTTP on port 80 | Continue |
14.7 | Internal network | External | HTTP with Protocol Agent on port 80 | Allow |
In this example, the second rule overrides the defaults set in the Continue rule because it specifies a Protocol Agent for the same matching criteria as the Continue rule. HTTP traffic on port 80 from the internal network to external destinations matches the second rule. The traffic does not use the Sidewinder Proxy.
A rule later in the policy does not override the defaults set in a Continue rule when both of the following conditions are met:
- The rule matches the same source, destination, and port as the Continue rule.
- The rule does not specify a Protocol of the type Protocol Agent or Protocol Tag for the Service.
For example, the rule specifies a Service element without a Protocol Agent or Protocol Tag.
ID | Source | Destination | Service | Action |
---|---|---|---|---|
14.1 | Internal network | External | SSM HTTP on port 80 | Continue |
14.7 | Internal network | External | HTTP on port 80 | Allow |
In this example, the second rule does not override the first because it specifies a Service element without a Protocol Agent or Protocol Tag. Because there is no more specific rule for the same matching criteria, the traffic uses the Sidewinder Proxy specified in the Continue rule.
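The two examples above differ only in whether rule 14.7 names its own Protocol. The following is an added illustration, not the product's rule engine: a small hypothetical model of how a Continue rule's default Protocol carries forward to a later terminating rule and is overridden only when that rule's Service specifies a Protocol Agent or Protocol Tag. The rule and protocol names are taken from the tables above; the `Rule` class and `evaluate` function are constructed for this example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical model of Continue-rule processing (constructed for this
# example). A Continue rule records a default Protocol for matching traffic
# and processing moves on; the first terminating (Allow) rule that matches
# decides the connection. That rule keeps the Continue default unless its
# Service names its own Protocol (Protocol Agent or Protocol Tag).

@dataclass
class Rule:
    rule_id: str
    source: str
    destination: str
    port: int
    action: str                      # "Continue" or "Allow"
    protocol: Optional[str] = None   # None = plain Service element, no Protocol Agent/Tag

def matches(rule: Rule, source: str, destination: str, port: int) -> bool:
    # Same matching criteria: source, destination and service port.
    return rule.source == source and rule.destination == destination and rule.port == port

def evaluate(policy: List[Rule], source: str, destination: str, port: int) -> Optional[Tuple[str, Optional[str]]]:
    """Return (ID of the terminating rule, effective Protocol) or None if nothing matches."""
    default_protocol = None
    for rule in policy:
        if not matches(rule, source, destination, port):
            continue
        if rule.action == "Continue":
            default_protocol = rule.protocol   # a later Continue rule replaces an earlier default
            continue
        # Terminating rule: its own Protocol overrides the Continue default, if it has one.
        effective = rule.protocol if rule.protocol is not None else default_protocol
        return rule.rule_id, effective
    return None

# Policies from the two examples above (Continue rule 14.1 sets the SSM HTTP Sidewinder Proxy).
CONTINUE_RULE = Rule("14.1", "Internal network", "External", 80, "Continue", protocol="SSM HTTP")
OVERRIDING_POLICY = [CONTINUE_RULE, Rule("14.7", "Internal network", "External", 80, "Allow", protocol="HTTP Protocol Agent")]
NON_OVERRIDING_POLICY = [CONTINUE_RULE, Rule("14.7", "Internal network", "External", 80, "Allow")]

if __name__ == "__main__":
    print(evaluate(OVERRIDING_POLICY, "Internal network", "External", 80))      # ('14.7', 'HTTP Protocol Agent')
    print(evaluate(NON_OVERRIDING_POLICY, "Internal network", "External", 80))  # ('14.7', 'SSM HTTP')
```

Running the model reproduces the two outcomes described above: the Protocol Agent rule bypasses the Sidewinder Proxy, while the plain Service rule inherits it from the Continue rule.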