Example: engine Access rule order
An example of how Access rule order affects traffic matching.
Company A has an office network, a DMZ for WWW servers, and a second DMZ for an FTP server. The administrators only need to add rules for the DMZ traffic.
The WWW servers must be accessible to anyone from both internal and external networks. HTTP traffic is inspected against the Inspection rules, excluding the administrators’ own PCs (on the right in the illustration) because they often test the servers for vulnerabilities. The FTP server is accessible to all users in the general office network, but only to certain external users (on the left) that authenticate using an external authentication server.
The administrators:
- Create Host elements for the WWW servers, the FTP server, and the administrators’ PCs.
- Create a Group element that contains the WWW server Host elements.
- Create a Group element that contains the administrator PCs’ Host elements.
- Configure an external authentication server for use with the Engine.
- Create User and User Group elements for the allowed external FTP users.
- Add IPv4 Access rules with the Allow action for access to the DMZs:
Source | Destination | Service | Authentication | Action
---|---|---|---|---
“Administrator PCs” Group | “WWW Servers” Group | “HTTP” Service | | Allow (Deep Inspection Off)
ANY | “WWW Servers” Group | “HTTP” Service | | Allow (Deep Inspection On)
Network element for Office Network | “FTP Server” Host | “FTP” Service | | Allow (Deep Inspection Off)
ANY | “FTP Server” Host | “FTP” Service | Users tab: “External Users” User Group; Authentication Methods tab: A suitable authentication method | Allow (Deep Inspection Off)
- As seen in the rule table, there are two rules each for traffic to the WWW servers and for traffic to the FTP server.
- The rules are arranged so that the more specific rules are above the more general rules. For example, the rule that allows the administrators to connect to the WWW servers without checking against the Inspection rules is above the more general rule, which allows any connection to the servers subject to the Inspection rules.
- If the first two rules were in the opposite order, the rule specific to the administrators would never match: the rule with ANY as the source would be applied first, the connection would be allowed according to that general rule, and the engine would stop checking the rule table. The administrators’ test traffic would then be inspected after all.
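The following is an added example that is not part of the original page or of the engine’s own code. It models the four Allow rules above in a reduced form (source, destination, service, required user group, action) and evaluates connections top-down, first match, the way the text describes. It also includes a shadowing check that reports any rule an earlier rule fully covers, which is the condition that makes the administrators’ rule dead when the first two rules are swapped. All IP addresses, network boundaries and the “External Users” group membership are assumptions constructed for the example; the page gives none of them.

```python
"""First-match evaluation of a small Access rule table, plus a shadowing check.

Added example, not engine or SMC code. Addresses and groups are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple, Union

ANY = "ANY"
Net = Tuple[ipaddress.IPv4Network, ...]
AddrField = Union[str, Net]


def nets(*cidrs: str) -> Net:
    """Turn CIDR strings into a tuple of networks (single hosts are /32)."""
    return tuple(ipaddress.ip_network(c) for c in cidrs)


@dataclass
class Rule:
    name: str
    source: AddrField
    destination: AddrField
    service: frozenset              # e.g. {"tcp/80"}
    action: str
    deep_inspection: bool
    users: Optional[frozenset] = None   # None: no authentication required


@dataclass
class Connection:
    src: str
    dst: str
    service: str
    user_group: Optional[str] = None    # group of the authenticated user, if any


# Constructed hosts and networks (assumed, not taken from the page).
ADMIN_PCS = nets("10.0.0.10/32", "10.0.0.11/32")
OFFICE_NET = nets("10.0.0.0/24")
WWW_SERVERS = nets("192.0.2.10/32", "192.0.2.11/32")
FTP_SERVER = nets("198.51.100.5/32")

# The four Allow rules from the example, in the documented order.
RULES = [
    Rule("admin_http", ADMIN_PCS, WWW_SERVERS, frozenset({"tcp/80"}), "Allow", False),
    Rule("any_http", ANY, WWW_SERVERS, frozenset({"tcp/80"}), "Allow", True),
    Rule("office_ftp", OFFICE_NET, FTP_SERVER, frozenset({"tcp/21"}), "Allow", False),
    Rule("external_ftp", ANY, FTP_SERVER, frozenset({"tcp/21"}), "Allow", False,
         users=frozenset({"External Users"})),
]


def _match_addr(field: AddrField, ip: str) -> bool:
    return field == ANY or any(ipaddress.ip_address(ip) in n for n in field)


def matches(rule: Rule, conn: Connection) -> bool:
    """True when the connection matches every cell of the rule."""
    return (_match_addr(rule.source, conn.src)
            and _match_addr(rule.destination, conn.dst)
            and conn.service in rule.service
            and (rule.users is None or conn.user_group in rule.users))


def first_match(rules, conn: Connection) -> Optional[Rule]:
    """Top-down, first-match evaluation: the engine stops at the first hit."""
    for rule in rules:
        if matches(rule, conn):
            return rule
    return None   # no Access rule matched; the implicit default is not modelled


def _covers_addr(outer: AddrField, inner: AddrField) -> bool:
    """Every address matched by `inner` is also matched by `outer`."""
    if outer == ANY:
        return True
    if inner == ANY:
        return False
    return all(any(n.subnet_of(m) for m in outer) for n in inner)


def covers(outer: Rule, inner: Rule) -> bool:
    """Every connection that matches `inner` would already match `outer`."""
    return (_covers_addr(outer.source, inner.source)
            and _covers_addr(outer.destination, inner.destination)
            and inner.service <= outer.service
            and (outer.users is None
                 or (inner.users is not None and inner.users <= outer.users)))


def shadowed_rules(rules):
    """Rules that can never match because an earlier rule covers them."""
    found = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if covers(earlier, later):
                found.append((later.name, earlier.name))
                break
    return found


if __name__ == "__main__":
    admin_http = Connection("10.0.0.10", "192.0.2.10", "tcp/80")
    hit = first_match(RULES, admin_http)
    print("documented order:", hit.name, "deep inspection =", hit.deep_inspection)
    swapped = [RULES[1], RULES[0]] + RULES[2:]
    hit = first_match(swapped, admin_http)
    print("swapped order:   ", hit.name, "deep inspection =", hit.deep_inspection)
    print("shadowed rules in swapped table:", shadowed_rules(swapped))
```

With the documented order, an administrator PC’s HTTP connection hits admin_http (deep inspection off); with the first two rules swapped, the same connection hits any_http and shadowed_rules reports admin_http as covered by any_http. The FTP pair is not a shadowing case in either order, because the ANY rule requires an authenticated user and so does not cover unauthenticated office connections; the check models that by treating a user requirement as a narrower match.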