Define Action options in Access rules

Action options define additional specific options for various features.

If no options are specified, the settings defined in Continue rules higher up in the policy are used.

  • Allow — You can define what traffic to allow through the Engine. Also, this option lets you configure the following:
    • Forward traffic to a proxy, a host, or into a VPN.
    • Force forward the matched traffic to a preferred destination.
    • Control stateful inspection by setting options for connection tracking, including idle timeouts and TCP segment size enforcement.
    • Enable or disable rate-based DoS protection and scan detection.
    • You can enable or disable deep inspection for the matched traffic against an Inspection Policy. This includes the following:
      • You can configure deep inspection and anti-malware options to check IPv4 traffics for malware.
      • By default, the deep inspection is enabled for all supported protocols with Continue rules if you use the IPS Template or Layer 2 Firewall Template as the base for a policy.
      • You can disable deep inspection for a specific rule.
        Note: If deep inspection is not disabled, make sure that the custom template policy directs all necessary protocols for inspection.
  • Continue — You can set the default options for multiple rules. Options specified in the Continue rule are applied to any other Access rule that the same packet matches. However, if the Access rules have rule-specific definitions, those will be used instead.
  • Discard — You can define a User Response to be shown to the user when an HTTP connection is discarded.
  • Refuse — You can define a User Response to be shown to the user when an HTTP connection is refused.
  • Jump — The rule processing jumps to a Sub-Policy to continue processing rules.
  • Apply Block list — You can configure options that affect the reception of block list entries.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Select Configuration.
  2. Browse to Policies > <Policy type>.
  3. Right-click a policy, then select Edit <Policy name>.
  4. Right-click the Action cell in an Access rule, then select <Action>.
  5. Right-click the Action cell, then select Edit Options.
  6. Configure the settings, then click OK.
    Note: When editing an IPS Policy or Layer 2 Engine Policy, the number and names of the tabs in the dialog box might differ to what is referenced below.

Select Rule Action Options dialog box (Allow)

Use this dialog box to override and specify the options for the Allow action in the Engine Policy.

Option Definition
General tab
Forward Traffic To

(Engine/VPN role only)

 Select a Host or Proxy Server element to forward traffic to. Click Select to select an element.

There are similar restrictions than when configuring destination NAT rules. For example, if you forward to a host, the IP address range in the Destination field of the rule must be an equivalent size to the IP address range of the host.

If you forward traffic to a proxy or a host, the NAT rules are ignored. If you use NAT rules, you must configure forwarding in NAT rules rather than Access rules.
Forced Next Hop

(Engine/VPN role only)
Enter an IP Address or select a Host to force forward the matched traffic to the preferred destination. Click Select to select a host. The IP Address can be an IPv4 or IPv6.
Note:
  1. The best available route is automatically selected to forward the traffic to the specified destination.
  2. You cannot use the VPN and Forced Next Hop options together at the same time.
Option Definition
General tab
SD-WAN section
SD-WAN Action

(Engine/VPN role only)

 To forward traffic into a VPN, select from the following options:
  • No SD-WAN — No traffic is forwarded.
  • Apply SD-WANClick Select to select the VPN to use.

    Incoming connections: The traffic is allowed if it arrives through the specified VPN. Otherwise, the rule does not match and the matching process continues with the next rule.

    Outgoing connections: The traffic is sent through the specified VPN. If the connection is not allowed in the VPN configuration, it is discarded.

  • Enforce SD-WANClick Select to select the VPN to use.

    Incoming connections: The traffic is allowed if it arrives through the specified VPN. Otherwise, the connection is discarded.

    Outgoing connections: The traffic is sent through the specified VPN. If the connection is not allowed in the VPN configuration, it is discarded.

  • ForwardClick Select to select the VPN to use.

    VPN traffic: The engine forwards the traffic from one VPN to another. If the traffic is not allowed in the VPN configuration, it is discarded.

    Other traffic: The traffic is sent through the specified VPN. If the traffic is not allowed in the VPN configuration, it is discarded.

To apply the action to VPN client traffic in any mobile VPN, select Any Mobile VPN (IPv4 only).
Option Definition
General
Inspection Options
Deep Inspection Selects traffic that matches this rule for checking against the Inspection Policy referenced by this policy. Traffic is inspected as the Protocol that is attached to the Service element in this rule.
  • Inherited from Continue Rule(s) — The settings defined in Continue rules higher up in the policy are used.
  • On — The feature is enabled.
  • Off — The feature is disabled.
Network Application Latency Monitoring To decide whether to monitor network health and latency of connections and applications.
  • Inherited from Continue Rule(s) — The settings defined in Continue rules higher up in the policy are used.
  • Default Monitoring — Engine performs discrete monitoring of network application connection quality metrics for the traffic that match this rule.
  • Allow Active Probing— Engine can actively probe application servers where applicable for increased visibility to the connection quality metrics for the traffic that match this rule.
  • Off— Application Health Monitoring is disabled.
File Filtering Selects traffic that matches this rule for checking against the File Filtering Policy referenced by this policy.
  • Inherited from Continue Rule(s) — The settings defined in Continue rules higher up in the policy are used.
  • On — The feature is enabled.
  • Off— The feature is disabled.
Anti-Spam The Anti-Spam feature is no longer supported in Secure SD-WAN version 6.2.0 and higher.
Decryption Defines whether traffic that matches the rule is decrypted for TLS inspection or by the SSM HTTP Proxy (Secure SD-WAN Engines in the Engine/VPN role only).
  • Inherited from Continue Rule(s) — The settings defined in Continue rules higher up in the policy are used.
  • Allowed — Traffic that matches the rule is decrypted.
  • Disallowed — Traffic that matches the rule is not decrypted.
Option Definition
General tab
Snort Options section
Snort Selects traffic that matches this rule for Snort inspection.
  • Inherited from Continue Rule(s) — The settings defined in Continue rules higher up in the policy are used.
  • On — The feature is enabled.
  • Off — The feature is disabled.
Option Definition
Advanced tab
Connection Options section
Connection Tracking Mode
  • Inherited from Continue Rule(s) — The settings defined in Continue rules higher up in the policy are used.
  • Off — Connection tracking is disabled. The Secure SD-WAN Engine operates as a simple packet filter and allows packets based on their source, destination, and port. You must add separate Access rules that explicitly allow the reply packets. NAT cannot be applied to traffic allowed without connection tracking.
    Note: Turn off logging in the rule if you disable connection tracking. When connection tracking is off, a log entry is generated for each packet, leading to considerable resource use on the Secure SD-WAN Engine, network, and Log Server.
  • Defined in Engine Properties — The Secure SD-WAN Engine allows or discards packets according to the connection tracking mode selected in the Secure SD-WAN Engine properties. Reply packets are allowed as part of the allowed connection without an explicit Access rule. On Engines, protocols that use a dynamic port assignment must be allowed using a Service with the appropriate Protocol Agent for that protocol (in Access rules and NAT rules).
  • Normal — (Default mode for Engines) Reply packets are allowed as part of the allowed connection without an explicit Access rule. The Secure SD-WAN Engine drops ICMP error messages related to connections that are not currently active in connection tracking (unless explicitly allowed by a rule in the policy). A valid, complete TCP handshake is required for TCP traffic. The Secure SD-WAN Engine checks the traffic direction and the port parameters of UDP traffic. If the Service cell in the rule contains a Service that uses a Protocol Agent, the Secure SD-WAN Engine also validates TCP and UDP traffic on the application layer. If a protocol violation occurs, the packet that violates the protocol is dropped.
  • Strict — Reply packets are allowed as part of the allowed connection without an explicit Access rule. The Secure SD-WAN Engine allows only TCP traffic that strictly adheres to the TCP standard as defined in RFC 793. The Secure SD-WAN Engine also checks the sequence numbers of the packets in pre-connection establishment states and for RST and FIN packets, and drops packets that are out of sequence. If the Service cell in the rule contains a Service that uses a Protocol Agent, the Secure SD-WAN Engine also validates the traffic on the application layer. If a protocol violation occurs, the packet that violates the protocol is dropped.
  • Loose — (Default mode for IPS engines and Layer 2 Engines) Reply packets are allowed as part of the allowed connection without an explicit Access rule. The Secure SD-WAN Engine allows some connection patterns and address translation operations that are not allowed in Normal mode. This mode can be used, for example, if routing is asymmetric and cannot be corrected or if the use of dynamic routing protocols causes the Secure SD-WAN Engine to receive non-standard traffic patterns. Recommended when Secure SD-WAN Engines are configured by default to only log connections instead of terminating them.
Idle Timeout The timeout (in seconds) after which inactive connections are closed. This timeout concerns only idle connections. Connections are not cut because of timeouts while the hosts are still communicating.

If you enter a timeout, this value overrides the setting defined in the Secure SD-WAN Engine properties.

CAUTION:
Do not set long timeouts for many connections. Each connection that is kept active consumes resources on the Secure SD-WAN Engine. Setting excessive timeouts for many connections can lead to serious performance problems. Generally, the idle timeout is not more than a few minutes.
Synchronize Connections Defines whether connection information is synchronized between Secure SD-WAN Engine cluster nodes. Disabling connection synchronization reduces the traffic volume on the active heartbeat interface, but it also prevents transparent failover of connections to other nodes.
  • Inherited from Continue Rule(s) — The settings defined in Continue rules higher up in the policy are used.
  • Defined in Engine Properties — The settings defined in the Secure SD-WAN Engine properties are used.
  • Off — The feature is disabled, overriding the setting defined in the Secure SD-WAN Engine properties.
Enforce TCP MSS

(IPv4 Only)

Defines whether TCP MSS is enforced. Headers are not included in the maximum segment size (MSS) value; MSS concerns only the payload of the packet. Usually, network equipment sends packets at the Ethernet-standard maximum transmission unit (MTU) size of 1500 (including both payload and headers).
  • Inherited from Continue Rule(s) — The settings defined in Continue rules higher up in the policy are used.
  • On — You can enter the minimum and maximum values for the MSS.
If a TCP packet does not include an MSS value, the Secure SD-WAN Engine does not add the MSS value to the packet, but enforces the minimum MSS.
Minimum If a TCP packet has an MSS value smaller than the minimum you set here, the packet is dropped. The smaller the data content is, the less efficient the communications become due to the fixed-size headers. Limiting the minimum size can help alleviate certain types of network attacks. Typically, the value you enter is not larger than the default minimum TCP Maximum Segment Size (536).
Maximum If a TCP packet has an MSS value larger than the maximum, the Secure SD-WAN Engine overwrites the packet’s MSS with the maximum value you set here. Setting the maximum MSS size might be necessary to prevent fragmentation. Typically, the value you enter is lower than the standard Ethernet MTU (1500), taking the packet headers that are added to the MSS into account.
Option Definition
Advanced tab
DoS Protection Options section
Concurrent Connection Limit per Source IP and Concurrent Connection Limit per Destination IP

Enter the maximum number of open connections from or to each IP address at any one time.

These limits are enforced by rules that have their Action set to Allow or Continue, and when the SD-WAN Action in an Action option is Apply SD-WAN, Enforce SD-WAN, or Forward.

Be careful to apply the concurrent connection limits correctly for the types of communication that this rule handles to avoid cutting off connections unnecessarily.

Action The Action that is applied to new connections if the limit is reached.
  • Discard — The connection is dropped silently.
  • Refuse — The connection is closed, and an ICMP error message is returned.
Rate-Based DoS Protection Defines whether rate-based DoS protection is applied to traffic that matches the rule.
  • Inherited from Continue Rule(s) — The settings defined in Continue rules higher up in the policy are used.
  • Defined in Engine Properties — The settings defined in the Secure SD-WAN Engine properties are used.
  • Off — The feature is disabled, overriding the setting defined in the Secure SD-WAN Engine properties.
You cannot use a rule to enable rate-based DoS protection if the feature is disabled in the Secure SD-WAN Engine properties.
Scan Detection Defines whether scan detection is applied to traffic that matches the rule.
  • Inherited from Continue Rule(s) — The settings defined in Continue rules higher up in the policy are used.
  • Defined in Engine Properties — The settings defined in the Secure SD-WAN Engine properties are used.
  • Off — The feature is disabled, overriding the setting defined in the Secure SD-WAN Engine properties.
You cannot use a rule to enable scan detection if the feature is disabled in the Secure SD-WAN Engine properties.

Select Rule Action Options dialog box (Continue)

Use this dialog box to override and specify the options for the Continue action.

Option Definition
General tab
Forward Traffic To

(Engine/VPN role only)

 Select a Host or Proxy Server element to forward traffic to. Click Select to select an element.

There are similar restrictions than when configuring destination NAT rules. For example, if you forward to a host, the IP address range in the Destination field of the rule must be an equivalent size to the IP address range of the host.

If you forward traffic to a proxy or a host, the NAT rules are ignored. If you use NAT rules, you must configure forwarding in NAT rules rather than Access rules.
Option Definition
General tab
SD-WAN section
SD-WAN Action

(Engine/VPN role only)

 To forward traffic into a VPN, select from the following options:
  • No SD-WAN — No traffic is forwarded.
  • Apply SD-WANClick Select to select the VPN to use.

    Incoming connections: The traffic is allowed if it arrives through the specified VPN. Otherwise, the rule does not match and the matching process continues with the next rule.

    Outgoing connections: The traffic is sent through the specified VPN. If the connection is not allowed in the VPN configuration, it is discarded.

  • Enforce SD-WANClick Select to select the VPN to use.

    Incoming connections: The traffic is allowed if it arrives through the specified VPN. Otherwise, the connection is discarded.

    Outgoing connections: The traffic is sent through the specified VPN. If the connection is not allowed in the VPN configuration, it is discarded.

  • ForwardClick Select to select the VPN to use.

    VPN traffic: The engine forwards the traffic from one VPN to another. If the traffic is not allowed in the VPN configuration, it is discarded.

    Other traffic: The traffic is sent through the specified VPN. If the traffic is not allowed in the VPN configuration, it is discarded.

To apply the action to VPN client traffic in any mobile VPN, select Any Mobile VPN (IPv4 only).
Option Definition
General tab
Inspection Options section
Deep Inspection Selects traffic that matches this rule for checking against the Inspection Policy referenced by this policy. Traffic is inspected as the Protocol that is attached to the Service element in this rule.
  • Inherited from Continue Rule(s) — The settings defined in Continue rules higher up in the policy are used.
  • On — The feature is enabled.
  • Off — The feature is disabled.
File Filtering Selects traffic that matches this rule for checking against the File Filtering Policy referenced by this policy.
  • Inherited from Continue Rule(s) — The settings defined in Continue rules higher up in the policy are used.
  • On — The feature is enabled.
  • Off — The feature is disabled.
Anti-Spam The Anti-Spam feature is no longer supported in Secure SD-WAN version 6.2.0 and higher.
Decryption Defines whether traffic that matches the rule is decrypted for TLS inspection or by the SSM HTTP Proxy (Secure SD-WAN Engines in the Engine/VPN role only).
  • Inherited from Continue Rule(s) — The settings defined in Continue rules higher up in the policy are used.
  • Allowed — Traffic that matches the rule is decrypted.
  • Disallowed — Traffic that matches the rule is not decrypted.
Option Definition
General tab
Snort Options section
Snort Selects traffic that matches this rule for Snort inspection.
  • Inherited from Continue Rule(s) — The settings defined in Continue rules higher up in the policy are used.
  • On — The feature is enabled.
  • Off — The feature is disabled.
Option Definition
Advanced tab
Connection Options section
Connection Tracking Mode
  • Inherited from Continue Rule(s) — The settings defined in Continue rules higher up in the policy are used.
  • Off — Connection tracking is disabled. The Secure SD-WAN Engine operates as a simple packet filter and allows packets based on their source, destination, and port. You must add separate Access rules that explicitly allow the reply packets. NAT cannot be applied to traffic allowed without connection tracking.
    Note: Turn off logging in the rule if you disable connection tracking. When connection tracking is off, a log entry is generated for each packet, leading to considerable resource use on the Secure SD-WAN Engine, network, and Log Server.
  • Defined in Engine Properties — The Secure SD-WAN Engine allows or discards packets according to the connection tracking mode selected in the Secure SD-WAN Engine properties. Reply packets are allowed as part of the allowed connection without an explicit Access rule. On Engines, protocols that use a dynamic port assignment must be allowed using a Service with the appropriate Protocol Agent for that protocol (in Access rules and NAT rules).
  • Normal — (Default mode for Engines) Reply packets are allowed as part of the allowed connection without an explicit Access rule. The Secure SD-WAN Engine drops ICMP error messages related to connections that are not currently active in connection tracking (unless explicitly allowed by a rule in the policy). A valid, complete TCP handshake is required for TCP traffic. The Secure SD-WAN Engine checks the traffic direction and the port parameters of UDP traffic. If the Service cell in the rule contains a Service that uses a Protocol Agent, the Secure SD-WAN Engine also validates TCP and UDP traffic on the application layer. If a protocol violation occurs, the packet that violates the protocol is dropped.
  • Strict — Reply packets are allowed as part of the allowed connection without an explicit Access rule. The Secure SD-WAN Engine allows only TCP traffic that strictly adheres to the TCP standard as defined in RFC 793. The Secure SD-WAN Engine also checks the sequence numbers of the packets in pre-connection establishment states and for RST and FIN packets, and drops packets that are out of sequence. If the Service cell in the rule contains a Service that uses a Protocol Agent, the Secure SD-WAN Engine also validates the traffic on the application layer. If a protocol violation occurs, the packet that violates the protocol is dropped.
  • Loose — (Default mode for IPS engines and Layer 2 Engines) Reply packets are allowed as part of the allowed connection without an explicit Access rule. The Secure SD-WAN Engine allows some connection patterns and address translation operations that are not allowed in Normal mode. This mode can be used, for example, if routing is asymmetric and cannot be corrected or if the use of dynamic routing protocols causes the Secure SD-WAN Engine to receive non-standard traffic patterns. Recommended when Secure SD-WAN Engines are configured by default to only log connections instead of terminating them.
Idle Timeout The timeout (in seconds) after which inactive connections are closed. This timeout concerns only idle connections. Connections are not cut because of timeouts while the hosts are still communicating.

If you enter a timeout, this value overrides the setting defined in the Secure SD-WAN Engine properties.

CAUTION:
Do not set long timeouts for many connections. Each connection that is kept active consumes resources on the Secure SD-WAN Engine. Setting excessive timeouts for many connections can lead to serious performance problems. Generally, the idle timeout is not more than a few minutes.
Synchronize Connections Defines whether connection information is synchronized between Secure SD-WAN Engine cluster nodes. Disabling connection synchronization reduces the traffic volume on the active heartbeat interface, but it also prevents transparent failover of connections to other nodes.
  • Inherited from Continue Rule(s) — The settings defined in Continue rules higher up in the policy are used.
  • Defined in Engine Properties — The settings defined in the Secure SD-WAN Engine properties are used.
  • Off — The feature is disabled, overriding the setting defined in the Secure SD-WAN Engine properties.
Enforce TCP MSS

(IPv4 Only)

Defines whether TCP MSS is enforced. Headers are not included in the maximum segment size (MSS) value; MSS concerns only the payload of the packet. Usually, network equipment sends packets at the Ethernet-standard maximum transmission unit (MTU) size of 1500 (including both payload and headers).
  • Inherited from Continue Rule(s) — The settings defined in Continue rules higher up in the policy are used.
  • On — You can enter the minimum and maximum values for the MSS.
If a TCP packet does not include an MSS value, the Secure SD-WAN Engine does not add the MSS value to the packet, but enforces the minimum MSS.
Minimum If a TCP packet has an MSS value smaller than the minimum you set here, the packet is dropped. The smaller the data content is, the less efficient the communications become due to the fixed-size headers. Limiting the minimum size can help alleviate certain types of network attacks. Typically, the value you enter is not larger than the default minimum TCP Maximum Segment Size (536).
Maximum If a TCP packet has an MSS value larger than the maximum, the Secure SD-WAN Engine overwrites the packet’s MSS with the maximum value you set here. Setting the maximum MSS size might be necessary to prevent fragmentation. Typically, the value you enter is lower than the standard Ethernet MTU (1500), taking the packet headers that are added to the MSS into account.
Option Definition
Advanced tab
DoS Protection Options section
Concurrent Connection Limit per Source IP and Concurrent Connection Limit per Destination IP

Enter the maximum number of open connections from or to each IP address at any one time.

These limits are enforced by rules that have their Action set to Allow or Continue, and when the SD-WAN Action in an Action option is Apply SD-WAN, Enforce SD-WAN, or Forward.

Be careful to apply the concurrent connection limits correctly for the types of communication that this rule handles to avoid cutting off connections unnecessarily.

Action The Action that is applied to new connections if the limit is reached.
  • Discard — The connection is dropped silently.
  • Refuse — The connection is closed, and an ICMP error message is returned.
Rate-Based DoS Protection Defines whether rate-based DoS protection is applied to traffic that matches the rule.
  • Inherited from Continue Rule(s) — The settings defined in Continue rules higher up in the policy are used.
  • Defined in Engine Properties — The settings defined in the Secure SD-WAN Engine properties are used.
  • Off — The feature is disabled, overriding the setting defined in the Secure SD-WAN Engine properties.
You cannot use a rule to enable rate-based DoS protection if the feature is disabled in the Secure SD-WAN Engine properties.
Scan Detection Defines whether scan detection is applied to traffic that matches the rule.
  • Inherited from Continue Rule(s) — The settings defined in Continue rules higher up in the policy are used.
  • Defined in Engine Properties — The settings defined in the Secure SD-WAN Engine properties are used.
  • Off — The feature is disabled, overriding the setting defined in the Secure SD-WAN Engine properties.
You cannot use a rule to enable scan detection if the feature is disabled in the Secure SD-WAN Engine properties.
Option Definition
Response tab
Override Settings Inherited from Continue Rule(s) When selected, overrides settings defined in Continue rules higher up in the policy.
User Response

(HTTP only)

Specifies the automatic response that is shown to the end user when a connection is discarded.

Click Select to select an element. You can use the default response or create a custom response.

User Responses are not supported on Virtual Secure SD-WAN Engines.

Select Rule Action Options dialog box (Discard or Refuse)

Use this dialog box to override and specify the options for the Discard or Refuse action.

Option Definition
Advanced tab
Scan Detection Defines whether scan detection is applied to traffic that matches the rule.
  • Inherited from Continue Rule(s) — The settings defined in Continue rules higher up in the policy are used.
  • Defined in Engine Properties — The settings defined in the Secure SD-WAN Engine properties are used.
  • Off — The feature is disabled, overriding the setting defined in the Secure SD-WAN Engine properties.
You cannot use a rule to enable scan detection if the feature is disabled in the Secure SD-WAN Engine properties.
Option Definition
Response tab
Override Settings Inherited from Continue Rule(s) When selected, overrides settings defined in Continue rules higher up in the policy.
User Response

(HTTP only)

Specifies the automatic response that is shown to the end user when a connection is discarded.

Click Select to select an element. You can use the default response or create a custom response.

User Responses are not supported on Virtual Secure SD-WAN Engines.

Select Rule Action Options dialog box (Jump)

Use this dialog box to override and specify the options for the Jump action.

Option Definition
General tab
Forward Traffic To

(Engine/VPN role only)

 Select a Host or Proxy Server element to forward traffic to. Click Select to select an element.

There are similar restrictions than when configuring destination NAT rules. For example, if you forward to a host, the IP address range in the Destination field of the rule must be an equivalent size to the IP address range of the host.

If you forward traffic to a proxy or a host, the NAT rules are ignored. If you use NAT rules, you must configure forwarding in NAT rules rather than Access rules.
Option Definition
General tab
SD-WAN section
SD-WAN Action

(Engine/VPN role only)

 To forward traffic into a VPN, select from the following options:
  • No SD-WAN — No traffic is forwarded.
  • Apply SD-WANClick Select to select the VPN to use.

    Incoming connections: The traffic is allowed if it arrives through the specified VPN. Otherwise, the rule does not match and the matching process continues with the next rule.

    Outgoing connections: The traffic is sent through the specified VPN. If the connection is not allowed in the VPN configuration, it is discarded.

  • Enforce SD-WANClick Select to select the VPN to use.

    Incoming connections: The traffic is allowed if it arrives through the specified VPN. Otherwise, the connection is discarded.

    Outgoing connections: The traffic is sent through the specified VPN. If the connection is not allowed in the VPN configuration, it is discarded.

  • ForwardClick Select to select the VPN to use.

    VPN traffic: The engine forwards the traffic from one VPN to another. If the traffic is not allowed in the VPN configuration, it is discarded.

    Other traffic: The traffic is sent through the specified VPN. If the traffic is not allowed in the VPN configuration, it is discarded.

To apply the action to VPN client traffic in any mobile VPN, select Any Mobile VPN (IPv4 only).
Option Definition
General tab
Inspection Options section
Deep Inspection Selects traffic that matches this rule for checking against the Inspection Policy referenced by this policy. Traffic is inspected as the Protocol that is attached to the Service element in this rule.
  • Inherited from Continue Rule(s) — The settings defined in Continue rules higher up in the policy are used.
  • On — The feature is enabled.
  • Off — The feature is disabled.
File Filtering Selects traffic that matches this rule for checking against the File Filtering Policy referenced by this policy.
  • Inherited from Continue Rule(s) — The settings defined in Continue rules higher up in the policy are used.
  • On — The feature is enabled.
  • Off — The feature is disabled.
Anti-Spam The Anti-Spam feature is no longer supported in Secure SD-WAN version 6.2.0 and higher.
Decryption Defines whether traffic that matches the rule is decrypted for TLS inspection or by the SSM HTTP Proxy (Secure SD-WAN Engines in the Engine/VPN role only).
  • Inherited from Continue Rule(s) — The settings defined in Continue rules higher up in the policy are used.
  • Allowed — Traffic that matches the rule is decrypted.
  • Disallowed — Traffic that matches the rule is not decrypted.
Option Definition
Advanced tab
Connection Options section
Connection Tracking Mode
  • Inherited from Continue Rule(s) — The settings defined in Continue rules higher up in the policy are used.
  • Off — Connection tracking is disabled. The Secure SD-WAN Engine operates as a simple packet filter and allows packets based on their source, destination, and port. You must add separate Access rules that explicitly allow the reply packets. NAT cannot be applied to traffic allowed without connection tracking.
    Note: Turn off logging in the rule if you disable connection tracking. When connection tracking is off, a log entry is generated for each packet, leading to considerable resource use on the Secure SD-WAN Engine, network, and Log Server.
  • Defined in Engine Properties — The Secure SD-WAN Engine allows or discards packets according to the connection tracking mode selected in the Secure SD-WAN Engine properties. Reply packets are allowed as part of the allowed connection without an explicit Access rule. On Engines, protocols that use a dynamic port assignment must be allowed using a Service with the appropriate Protocol Agent for that protocol (in Access rules and NAT rules).
  • Normal — (Default mode for Engines) Reply packets are allowed as part of the allowed connection without an explicit Access rule. The Secure SD-WAN Engine drops ICMP error messages related to connections that are not currently active in connection tracking (unless explicitly allowed by a rule in the policy). A valid, complete TCP handshake is required for TCP traffic. The Secure SD-WAN Engine checks the traffic direction and the port parameters of UDP traffic. If the Service cell in the rule contains a Service that uses a Protocol Agent, the Secure SD-WAN Engine also validates TCP and UDP traffic on the application layer. If a protocol violation occurs, the packet that violates the protocol is dropped.
  • Strict — Reply packets are allowed as part of the allowed connection without an explicit Access rule. The Secure SD-WAN Engine allows only TCP traffic that strictly adheres to the TCP standard as defined in RFC 793. The Secure SD-WAN Engine also checks the sequence numbers of the packets in pre-connection establishment states and for RST and FIN packets, and drops packets that are out of sequence. If the Service cell in the rule contains a Service that uses a Protocol Agent, the Secure SD-WAN Engine also validates the traffic on the application layer. If a protocol violation occurs, the packet that violates the protocol is dropped.
  • Loose — (Default mode for IPS engines and Layer 2 Engines) Reply packets are allowed as part of the allowed connection without an explicit Access rule. The Secure SD-WAN Engine allows some connection patterns and address translation operations that are not allowed in Normal mode. This mode can be used, for example, if routing is asymmetric and cannot be corrected or if the use of dynamic routing protocols causes the Secure SD-WAN Engine to receive non-standard traffic patterns. Recommended when Secure SD-WAN Engines are configured by default to only log connections instead of terminating them.
Idle Timeout The timeout (in seconds) after which inactive connections are closed. This timeout concerns only idle connections. Connections are not cut because of timeouts while the hosts are still communicating.

If you enter a timeout, this value overrides the setting defined in the Secure SD-WAN Engine properties.

CAUTION:
Do not set long timeouts for many connections. Each connection that is kept active consumes resources on the Secure SD-WAN Engine. Setting excessive timeouts for many connections can lead to serious performance problems. Generally, the idle timeout is not more than a few minutes.
Synchronize Connections Defines whether connection information is synchronized between Secure SD-WAN Engine cluster nodes. Disabling connection synchronization reduces the traffic volume on the active heartbeat interface, but it also prevents transparent failover of connections to other nodes.
  • Inherited from Continue Rule(s) — The settings defined in Continue rules higher up in the policy are used.
  • Defined in Engine Properties — The settings defined in the Secure SD-WAN Engine properties are used.
  • Off — The feature is disabled, overriding the setting defined in the Secure SD-WAN Engine properties.
Enforce TCP MSS

(IPv4 Only)

Defines whether TCP MSS is enforced. Headers are not included in the maximum segment size (MSS) value; MSS concerns only the payload of the packet. Usually, network equipment sends packets at the Ethernet-standard maximum transmission unit (MTU) size of 1500 (including both payload and headers).
  • Inherited from Continue Rule(s) — The settings defined in Continue rules higher up in the policy are used.
  • On — You can enter the minimum and maximum values for the MSS.
If a TCP packet does not include an MSS value, the Secure SD-WAN Engine does not add the MSS value to the packet, but enforces the minimum MSS.
Minimum If a TCP packet has an MSS value smaller than the minimum you set here, the packet is dropped. The smaller the data content is, the less efficient the communications become due to the fixed-size headers. Limiting the minimum size can help alleviate certain types of network attacks. Typically, the value you enter is not larger than the default minimum TCP Maximum Segment Size (536).
Maximum If a TCP packet has an MSS value larger than the maximum, the Secure SD-WAN Engine overwrites the packet’s MSS with the maximum value you set here. Setting the maximum MSS size might be necessary to prevent fragmentation. Typically, the value you enter is lower than the standard Ethernet MTU (1500), taking the packet headers that are added to the MSS into account.
Option Definition
Advanced tab
DoS Protection Options section
Concurrent Connection Limit per Source IP and Concurrent Connection Limit per Destination IP

Enter the maximum number of open connections from or to each IP address at any one time.

These limits are enforced by rules that have their Action set to Allow or Continue, and when the SD-WAN Action in an Action option is Apply SD-WAN, Enforce SD-WAN, or Forward.

Be careful to apply the concurrent connection limits correctly for the types of communication that this rule handles to avoid cutting off connections unnecessarily.

Action The Action that is applied to new connections if the limit is reached.
  • Discard — The connection is dropped silently.
  • Refuse — The connection is closed, and an ICMP error message is returned.
Rate-Based DoS Protection Defines whether rate-based DoS protection is applied to traffic that matches the rule.
  • Inherited from Continue Rule(s) — The settings defined in Continue rules higher up in the policy are used.
  • Defined in Engine Properties — The settings defined in the Secure SD-WAN Engine properties are used.
  • Off — The feature is disabled, overriding the setting defined in the Secure SD-WAN Engine properties.
You cannot use a rule to enable rate-based DoS protection if the feature is disabled in the Secure SD-WAN Engine properties.
Scan Detection Defines whether scan detection is applied to traffic that matches the rule.
  • Inherited from Continue Rule(s) — The settings defined in Continue rules higher up in the policy are used.
  • Defined in Engine Properties — The settings defined in the Secure SD-WAN Engine properties are used.
  • Off — The feature is disabled, overriding the setting defined in the Secure SD-WAN Engine properties.
You cannot use a rule to enable scan detection if the feature is disabled in the Secure SD-WAN Engine properties.
Option Definition
Jump tab
Sub-Policy Select a Sub-Policy. Connections that match the Jump rule are matched against the selected Sub-Policy. If the Sub-Policy rules do not match, processing continues with the next rule in the main policy.

Click Select to select an element.

Select Rule Action Options dialog box (Apply Block list)

Use this dialog box to override and specify the options for the Apply Block list action.

Option Definition
Advanced tab
Scan Detection Defines whether scan detection is applied to traffic that matches the rule.
  • Inherited from Continue Rule(s) — The settings defined in Continue rules higher up in the policy are used.
  • Defined in Engine Properties — The settings defined in the Secure SD-WAN Engine properties are used.
  • Off — The feature is disabled, overriding the setting defined in the Secure SD-WAN Engine properties.
You cannot use a rule to enable scan detection if the feature is disabled in the Secure SD-WAN Engine properties.
Option Definition
Block listing tab
Allowed Block listers for This Rule
  • Any — Block list entries are accepted from all components.
  • Restricted — Block list entries are only accepted from the components you specify (and from the command line).

Secure SD-WAN Engines are always allowed to add entries to their own block lists.

Available Block listers Elements that you can add to the Allowed Block listers list.
Allowed Block listers

The elements that are allowed to add block list entries. Click Add to add an element to the list, or Remove to remove the selected element.

Add the Management Server to allow manual block listing through the Management Client. Add the Log Server to allow it to relay block listing requests from other Secure SD-WAN Engines.

Option Definition
Response tab
Override Settings Inherited from Continue Rule(s) When selected, overrides settings defined in Continue rules higher up in the policy.
User Response

(HTTP only)

Specifies the automatic response that is shown to the end user when a connection is discarded.

Click Select to select an element. You can use the default response or create a custom response.

User Responses are not supported on Virtual Secure SD-WAN Engines.