Access rule matching based on the payload of connections

When you use some types of Service elements in Access rules, the Engine can only determine whether a connection matches the rule after the payload of the packets has been checked against the Access rules.

When you use elements such as Network Applications, URL Categories, or URL List Applications in the Service field of an Access rule, matching is based on the payload of the packets. When the first SYN packet of a new connection is processed, the Engine cannot yet determine whether the connection matches the Access rule. The Engine can only determine whether the connection matches the Access rule when it processes payload, for example, an HTTP request in an HTTP connection.

The Engine checks traffic against the Access rules from the top down. Matching criteria that do not depend on the payload of the connection, such as the source and destination IP address and port, are always evaluated first. If a connection might still match another rule that allows traffic, the connection is considered potentially allowed. When enough of the payload has been processed, the number of rules that could potentially allow the connection gets smaller.

When traffic matches a rule that tells the Engine to allow or discard the packet, the Engine stops checking traffic against the Access rules. Because the first matching rule defines how the first packet is forwarded, connections might not match the intended rule.

Application routing

You must use network applications that have the Application Routing tag because the routing decision is made based on the application that is detected in the traffic. For other network applications, if the network application cannot immediately be identified, the routing decision is made according to the first rule that could potentially allow the connection.

Routing decisions are delayed until enough of the payload has been processed to identify the network application. If you use features that are not compatible with delaying the decision, use more specific source and destination criteria in the rules, or change the rule order.

If a rule that could potentially allow the connection activates a feature that is not compatible with delaying the routing decision, the decision is made according to the first rule that could potentially allow the connection.

Important: After the routing decision has been made, the Engine might later identify a different application in the connection. If the application that is detected would cause a different routing decision to be made, the connection might be discarded.
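The following is an added example, not code from the product or its documentation, that simulates the matching behaviour described in the first section and the routing decision described under Application routing. It models a rule base as a list in which payload-based criteria (a Network Application name) are unknown on the SYN packet; the rule names, addresses and application names are constructed.

```python
# Added example: first-match Access rule evaluation with payload-based criteria
# that cannot be evaluated until the application has been identified.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass
class Rule:
    name: str
    action: str                   # "allow" or "discard"
    dport: Optional[int] = None   # header criterion, known at SYN time
    app: Optional[str] = None     # payload criterion, known only later (None = any)
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"

def header_match(rule: Rule, src: str, dst: str, dport: int) -> bool:
    """Criteria that do not depend on the payload are always evaluated first."""
    return (ip_address(src) in ip_network(rule.src)
            and ip_address(dst) in ip_network(rule.dst)
            and (rule.dport is None or rule.dport == dport))

def candidate_rules(rules: List[Rule], src: str, dst: str, dport: int) -> List[Rule]:
    """Rules the connection could still match at SYN time, top down. The walk stops
    at the first rule with no payload criterion, because that rule matches definitely."""
    candidates = []
    for rule in rules:
        if header_match(rule, src, dst, dport):
            candidates.append(rule)
            if rule.app is None:
                break
    return candidates

def initial_allow_rule(rules: List[Rule], src: str, dst: str, dport: int) -> Optional[Rule]:
    """Rule that drives the routing decision before the application is identified:
    the first rule that could potentially allow the connection."""
    for rule in candidate_rules(rules, src, dst, dport):
        if rule.action == "allow":
            return rule
    return None

def final_rule(rules: List[Rule], src: str, dst: str, dport: int, app: str) -> Optional[Rule]:
    """Rule the connection actually matches once the application is known."""
    for rule in candidate_rules(rules, src, dst, dport):
        if rule.app is None or rule.app == app:
            return rule
    return None  # no rule matches: the connection is not allowed

# Constructed rule base: an application-specific discard precedes a general allow.
RULES = [Rule("discard-social", "discard", dport=443, app="SocialSite"),
         Rule("allow-https", "allow", dport=443),
         Rule("allow-ssh", "allow", dport=22)]
# Same rules with the HTTPS pair swapped: the general allow now matches definitely on
# the SYN, so the discard rule below it is never reached for any application.
REORDERED = [RULES[1], RULES[0], RULES[2]]
```

With RULES, a port 443 connection is potentially allowed at SYN time and routed according to allow-https, but is discarded once SocialSite is identified; with REORDERED, the same connection is allowed regardless of the application, which is the rule-order pitfall the text warns about.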

Snort inspection

We do not recommend using services that match based on the payload of connections, such as Network Applications, URL Categories, or URL List Applications, in Access rules that select traffic for Snort inspection. At the beginning of a connection, the Engine cannot determine whether the traffic should be selected for Snort inspection. The Engine selects all potentially matching traffic for Snort inspection. As a result, Snort inspection might be applied to traffic that was not intended to be selected for Snort inspection. Applying Snort inspection to this traffic can create false positive Snort rule matches.