Edit the Access policy

• Type part of the name of an element or browse through the drop-down list to select an element.
• Click Set to ANY to match any element.

• Type part of the name of an element or browse through the drop-down list to select an element.
• Click Set to ANY to match any element.

• Logging — When selected, enables logging for the rule.
• Log Level — Defines the log level for matching connections.
  • None — Does not create any log entry
  • Transient — Creates a log entry that is shown on the Logs tab, but is not stored.
  • Stored — Creates a log entry that is stored on the NGFW Engine.
  • Essential — Creates a log entry that is shown on the Logs tab and saved for further use.
  • Alert — Triggers an alert with the severity that you define.
  • Automatic — This option is not supported in the Access policy.
• Severity — When the Log Level is set to Alert, defines the severity of the alert.
• Advanced Options — Allows you to define advanced logging options.

• Allow — Allows connections that match the rule.
• Discard — Discards connections that match the rule.
• Continue — Sets default options for traffic matching. The options are used for later rules that match the same criteria unless the later rules override the options.
• Refuse — Refuses connections that match the rule.
• Jump — The rule processing jumps to a Sub-Policy to continue processing rules.
• Use VPN — Connections that match the rule are sent into the specified VPN.
• Decryption — This option is not yet supported.
• Advanced Options — Allows you to define advanced action options.

• None — No log entries are created.
• Normal — Both connection opening and closing are logged, but no information about the volume of traffic is collected.
• Accounting — Both connection opening and closing are logged and information about the volume of traffic is collected.

When enabled, generated entries are not logged and shown separately when the limits defined in the Max Log Rate or Max Burst Size are reached. Instead, the NGFW Engine creates a single log entry that contains information about the total number of the generated log entries. After the single log entry is created, logging returns to normal and all generated entries are logged and shown separately.

Log compression settings in access rules override the default log compression settings defined for the interface and the default log compression settings defined for the NGFW Engine.

• NOT SET — Settings inherited from earlier access rules with the Continue action are used.
• No Compression — Log compression is disabled.
• Access — Only logs generated by access rules are compressed.
• Inspection — Logs generated by both access rules and inspection rules are compressed.

When log compression is enabled, the following additional options are available:

• Max Log Rate — The maximum sustained number of log entries per second. The default value is 100 log entries per second.
• Max Burst Size — The maximum number of log entries in a single burst. The default value is 1000 log entries.

• Off — Information about users is not included in the log data.
• Default — Information about users is included in the log data if information about the user is cached for the connection. Otherwise, only the IP address associated with the user at the time the log is created is included in the log data. Access control by user must be enabled.
• Enforced — Information about users is always included in the log data if information about the user is available in the user database. If information about the user is not cached for the connection, the NGFW Engine resolves the user information from the IP address. Access control by user must be enabled.

• Off — Information about Application detection is not included in the log data.
• Default — Information about Application detection is included in the log data if the information is available without additional inspection.
• Enforced — Information about Application detection is always included in the log data if the Application can be identified.

• Off — URL categories are not included in the log data.
• Default — URL categories are included in the log data for matching traffic when URL Categories are used as matching criteria in the rule.
• Enforced — URL categories are always included in the log data if the URL category can be identified.

• On — The feature is enabled.
• Off — The feature is disabled.

• Off — The feature is disabled.
• Default — The settings defined in the NGFW Engine properties are used.
• Loose — Reply packets are allowed as part of the allowed connection without an explicit Access rule. The NGFW Engine allows some connection patterns and address translation operations that are not allowed in Normal mode.
• Normal — Reply packets are allowed as part of the allowed connection without an explicit Access rule. The NGFW Engine drops ICMP error messages related to connections that are not currently active in connection tracking (unless explicitly allowed by a rule in the policy). A valid, complete TCP handshake is required for TCP traffic. The NGFW Engine checks the traffic direction and the port parameters of UDP traffic. If the Service cell in the rule contains a Service that uses a Protocol Agent, the NGFW Engine also validates TCP and UDP traffic on the application layer. If a protocol violation occurs, the packet that violates the protocol is dropped.
• Strict — Reply packets are allowed as part of the allowed connection without an explicit Access rule. The NGFW Engine allows only TCP traffic that strictly adheres to the TCP standard as defined in RFC 793. The NGFW Engine also checks the sequence numbers of the packets in pre-connection establishment states and for RST and FIN packets, and drops packets that are out of sequence. If the Service cell in the rule contains a Service that uses a Protocol Agent, the NGFW Engine also validates the traffic on the application layer. If a protocol violation occurs, the packet that violates the protocol is dropped.

The timeout (in seconds) after which inactive connections are closed. This timeout concerns only idle connections. Connections are not cut because of timeouts while the hosts are still communicating.

If you enter a timeout, this value overrides the setting defined in the NGFW Engine properties.

• Min — If a TCP packet has an MSS value smaller than the minimum you set here, the packet is dropped. The smaller the data content is, the less efficient the communications become due to the fixed-size headers. Limiting the minimum size can help alleviate certain types of network attacks. Typically, the value you enter is not larger than the default minimum TCP Maximum Segment Size (536).
• Max — If a TCP packet has an MSS value larger than the maximum, the NGFW Engine overwrites the packet’s MSS with the maximum value you set here. Setting the maximum MSS size might be necessary to prevent fragmentation. Typically, the value you enter is lower than the standard Ethernet MTU (1500), taking the packet headers that are added to the MSS into account.

When enabled, allows you define a forced next hop in the routing for traffic that matches the rule.

• NOT SET — Settings inherited from earlier access rules with the Continue action are used.
• Nexthop Zone — Traffic is routed through the specified zone before being sent to its destination.
• IP Address — Traffic is routed through the specified IP address before being sent to its destination.

When Forced Next Hop Destination is Nexthop Zone

Select the Zone element through which traffic is routed before being sent to its destination. The traffic is sent out through the interface that is associated with the selected Zone element.

When Forced Next Hop Destination is IP Address

Enter the IP address to which traffic is routed. If the rule matches both IPv4 and IPv6 addresses, you can enter both an IPv4 and an IPv6 address.