How Access rules match traffic
Access rules match traffic based on the Source, Destination, and Service cells. You can also specify other optional matching criteria.
The Source and Destination cells specify the IP addresses that are compared to the IP addresses in each packet’s header. Based on these and other criteria, the rule is applied to matching packets.
The Service cell defines which protocols the Access rule applies to. The Service also determines the applications protocol used in the Inspection Policy for matching traffic (the protocol that is detected and selected for traffic by an Access rule is a matching criteria in the Inspection Policy). By default, the Service is set to <None>, and you must change the value to make the rule valid.
In addition to more specific matching criteria, the matching cells can be set to two more settings:
- ANY (available by right-clicking in a cell and selecting Set to ANY) matches all valid values for the cell, for example, all IPv4 addresses.
- NONE is the default value for mandatory traffic matching cells that have no matching criteria in them. As long as any cell in a rule contains NONE, the whole rule is invalid and is ignored.
Using Zones in the Destination cell of Access rules
Due to the processing order of Access and NAT rules, the interface through which the packet will be sent out is not yet determined when Access and NAT rules are processed. During the matching against Access and NAT rules, the destination Zone is matched based on the current routing decision for the packet. NAT and VPN operations can change the route that is used when the packet is sent out. Because of this possibility, the packet is checked against the Access rules again before being forwarded. If the changed destination Zone still matches, traffic is processed according to the original rule. If the changed destination Zone does not match the Access rule, the traffic is discarded. Carefully consider how the rules will be applied when using Zones in the Destination Cell of Access rules when NAT and VPN operations can change the routing decision.
To define how an Access rule matches traffic, fill in the cells with elements.