Define Action options in Access rules
Action options define additional specific options for various features.
If no options are specified, the settings defined in Continue rules higher up in the policy are used.
- Allow — You can:
- Forward traffic to a proxy, a host, or into a VPN.
- Control stateful inspection by setting options for connection tracking, including idle timeouts and TCP segment size enforcement.
- Enable or disable rate-based DoS protection and scan detection.
- (License permitting) Enable deep inspection to match traffic against an Inspection Policy. You can check IPv4 traffic for malware by setting deep inspection and anti-malware options. If you use the IPS Template or the Layer 2 Firewall Template as the basis for your policy, deep inspection is enabled by default for all supported protocols (with Continue rules). Deep inspection can be disabled for a specific rule if necessary. Otherwise, make sure that your custom template policy directs all necessary Protocols to be inspected.
- Continue — You can set the default options for multiple rules. Options specified in the Continue rule are applied to any other Access rule that the same packet matches. However, if the Access rules have rule-specific definitions, those will be used instead.
- Discard — You can define a User Response to be shown to the user when an HTTP connection is discarded.
- Refuse — You can define a User Response to be shown to the user when an HTTP connection is refused.
- Jump — The rule processing jumps to a Sub-Policy to continue processing rules.
- Apply Blacklist — You can configure options that affect the reception of blacklist entries.
For more details about the product and how to configure features, click Help or press F1.
Steps
Select Rule Action Options dialog box (Allow)
Use this dialog box to override and specify the options for the Allow action in the Firewall Policy.
Option | Definition |
---|---|
General tab | |
Forward Traffic To (Firewall/VPN role only) |
Select a Host or Proxy Server element to forward traffic to. Click Select to select an element.
There are similar restrictions than when configuring destination NAT rules. For example, if you forward to a host, the IP address range in the Destination field of the rule must be an equivalent size to the IP address range of the host. If you forward traffic to a proxy or a host, the NAT rules are ignored. If you use NAT rules, you must configure forwarding in NAT rules rather than Access rules. |
Option | Definition |
---|---|
General tab | |
VPN section | |
VPN Action (Firewall/VPN role only) |
To forward traffic into a VPN, select from the following options:
To apply the action to VPN client traffic in any mobile VPN, select Any Mobile VPN (IPv4 only). |
Option | Definition |
---|---|
General tab | |
Inspection Options section | |
Deep Inspection | Selects traffic that matches this rule for checking against the Inspection Policy referenced by this policy. Traffic is inspected as the Protocol that is attached to the Service
element in this rule.
|
File Filtering | Selects traffic that matches this rule for checking against the File Filtering Policy referenced by this policy.
|
Anti-Spam | The Anti-Spam feature is no longer supported in Engine version 6.2.0 and higher. |
Decryption | Defines whether traffic that matches the rule is decrypted for TLS inspection or by the SSM HTTP Proxy (Engines in the Firewall/VPN role only).
|
Option | Definition |
---|---|
General tab | |
Snort Options section | |
Snort | Selects traffic that matches this rule for Snort
inspection.
|
Option | Definition |
---|---|
Advanced tab | |
Connection Options section | |
Connection Tracking Mode |
|
Idle Timeout | The timeout (in seconds) after which inactive connections are closed. This timeout concerns only idle connections. Connections are not cut because of timeouts while the hosts are
still communicating. If you enter a timeout, this value overrides the setting defined in the Engine properties. CAUTION: Do not set long timeouts for many connections.
Each connection that is kept active consumes resources on the Engine. Setting excessive timeouts for many connections can lead to serious performance problems. Generally, the idle
timeout is not more than a few minutes.
|
Synchronize Connections | Defines whether connection information is synchronized between Engine cluster nodes. Disabling connection synchronization reduces the traffic volume on the active heartbeat
interface, but it also prevents transparent failover of connections to other nodes.
|
Enforce TCP MSS
(IPv4 Only) |
Defines whether TCP MSS is enforced. Headers are not included in the maximum segment size (MSS) value; MSS concerns only the payload of the packet. Usually, network equipment sends
packets at the Ethernet-standard maximum transmission unit (MTU) size of 1500 (including both payload and headers).
|
Minimum | If a TCP packet has an MSS value smaller than the minimum you set here, the packet is dropped. The smaller the data content is, the less efficient the communications become due to the fixed-size headers. Limiting the minimum size can help alleviate certain types of network attacks. Typically, the value you enter is not larger than the default minimum TCP Maximum Segment Size (536). |
Maximum | If a TCP packet has an MSS value larger than the maximum, the Engine overwrites the packet’s MSS with the maximum value you set here. Setting the maximum MSS size might be necessary to prevent fragmentation. Typically, the value you enter is lower than the standard Ethernet MTU (1500), taking the packet headers that are added to the MSS into account. |
Option | Definition |
---|---|
Advanced tab | |
DoS Protection Options section | |
Concurrent Connection Limit per Source IP and Concurrent Connection Limit per Destination IP |
Enter the maximum number of open connections from or to each IP address at any one time. These limits are enforced by rules that have their Action set to Allow or Continue, and when the VPN Action in an Action option is Apply VPN, Enforce VPN, or Forward. Be careful to apply the concurrent connection limits correctly for the types of communication that this rule handles to avoid cutting off connections unnecessarily. |
Action | The Action that is applied to new connections if the limit is reached.
|
Rate-Based DoS Protection | Defines whether rate-based DoS protection is applied to traffic that matches the rule.
|
Scan Detection | Defines whether scan detection is applied to traffic that matches the rule.
|
Select Rule Action Options dialog box (Continue)
Use this dialog box to override and specify the options for the Continue action.
Option | Definition |
---|---|
General tab | |
Forward Traffic To (Firewall/VPN role only) |
Select a Host or Proxy Server element to forward traffic to. Click Select to select an element.
There are similar restrictions than when configuring destination NAT rules. For example, if you forward to a host, the IP address range in the Destination field of the rule must be an equivalent size to the IP address range of the host. If you forward traffic to a proxy or a host, the NAT rules are ignored. If you use NAT rules, you must configure forwarding in NAT rules rather than Access rules. |
Option | Definition |
---|---|
General tab | |
VPN section | |
VPN Action (Firewall/VPN role only) |
To forward traffic into a VPN, select from the following options:
To apply the action to VPN client traffic in any mobile VPN, select Any Mobile VPN (IPv4 only). |
Option | Definition |
---|---|
General tab | |
Inspection Options section | |
Deep Inspection | Selects traffic that matches this rule for checking against the Inspection Policy referenced by this policy. Traffic is inspected as the Protocol that is attached to the Service
element in this rule.
|
File Filtering | Selects traffic that matches this rule for checking against the File Filtering Policy referenced by this policy.
|
Anti-Spam | The Anti-Spam feature is no longer supported in Engine version 6.2.0 and higher. |
Decryption | Defines whether traffic that matches the rule is decrypted for TLS inspection or by the SSM HTTP Proxy (Engines in the Firewall/VPN role only).
|
Option | Definition |
---|---|
General tab | |
Snort Options section | |
Snort | Selects traffic that matches this rule for Snort
inspection.
|
Option | Definition |
---|---|
Advanced tab | |
Connection Options section | |
Connection Tracking Mode |
|
Idle Timeout | The timeout (in seconds) after which inactive connections are closed. This timeout concerns only idle connections. Connections are not cut because of timeouts while the hosts are
still communicating. If you enter a timeout, this value overrides the setting defined in the Engine properties. CAUTION: Do not set long timeouts for many connections.
Each connection that is kept active consumes resources on the Engine. Setting excessive timeouts for many connections can lead to serious performance problems. Generally, the idle
timeout is not more than a few minutes.
|
Synchronize Connections | Defines whether connection information is synchronized between Engine cluster nodes. Disabling connection synchronization reduces the traffic volume on the active heartbeat
interface, but it also prevents transparent failover of connections to other nodes.
|
Enforce TCP MSS
(IPv4 Only) |
Defines whether TCP MSS is enforced. Headers are not included in the maximum segment size (MSS) value; MSS concerns only the payload of the packet. Usually, network equipment sends
packets at the Ethernet-standard maximum transmission unit (MTU) size of 1500 (including both payload and headers).
|
Minimum | If a TCP packet has an MSS value smaller than the minimum you set here, the packet is dropped. The smaller the data content is, the less efficient the communications become due to the fixed-size headers. Limiting the minimum size can help alleviate certain types of network attacks. Typically, the value you enter is not larger than the default minimum TCP Maximum Segment Size (536). |
Maximum | If a TCP packet has an MSS value larger than the maximum, the Engine overwrites the packet’s MSS with the maximum value you set here. Setting the maximum MSS size might be necessary to prevent fragmentation. Typically, the value you enter is lower than the standard Ethernet MTU (1500), taking the packet headers that are added to the MSS into account. |
Option | Definition |
---|---|
Advanced tab | |
DoS Protection Options section | |
Concurrent Connection Limit per Source IP and Concurrent Connection Limit per Destination IP |
Enter the maximum number of open connections from or to each IP address at any one time. These limits are enforced by rules that have their Action set to Allow or Continue, and when the VPN Action in an Action option is Apply VPN, Enforce VPN, or Forward. Be careful to apply the concurrent connection limits correctly for the types of communication that this rule handles to avoid cutting off connections unnecessarily. |
Action | The Action that is applied to new connections if the limit is reached.
|
Rate-Based DoS Protection | Defines whether rate-based DoS protection is applied to traffic that matches the rule.
|
Scan Detection | Defines whether scan detection is applied to traffic that matches the rule.
|
Option | Definition |
---|---|
Response tab | |
Override Settings Inherited from Continue Rule(s) | When selected, overrides settings defined in Continue rules higher up in the policy. |
User Response
(HTTP only) |
Specifies the automatic response that is shown to the end user when a connection is discarded. Click Select to select an element. You can use the default response or create a custom response. User Responses are not supported on Virtual Engines. |
Select Rule Action Options dialog box (Discard or Refuse)
Use this dialog box to override and specify the options for the Discard or Refuse action.
Option | Definition |
---|---|
Advanced tab | |
Scan Detection | Defines whether scan detection is applied to traffic that matches the rule.
|
Option | Definition |
---|---|
Response tab | |
Override Settings Inherited from Continue Rule(s) | When selected, overrides settings defined in Continue rules higher up in the policy. |
User Response
(HTTP only) |
Specifies the automatic response that is shown to the end user when a connection is discarded. Click Select to select an element. You can use the default response or create a custom response. User Responses are not supported on Virtual Engines. |
Select Rule Action Options dialog box (Jump)
Use this dialog box to override and specify the options for the Jump action.
Option | Definition |
---|---|
General tab | |
Forward Traffic To (Firewall/VPN role only) |
Select a Host or Proxy Server element to forward traffic to. Click Select to select an element.
There are similar restrictions than when configuring destination NAT rules. For example, if you forward to a host, the IP address range in the Destination field of the rule must be an equivalent size to the IP address range of the host. If you forward traffic to a proxy or a host, the NAT rules are ignored. If you use NAT rules, you must configure forwarding in NAT rules rather than Access rules. |
Option | Definition |
---|---|
General tab | |
VPN section | |
VPN Action (Firewall/VPN role only) |
To forward traffic into a VPN, select from the following options:
To apply the action to VPN client traffic in any mobile VPN, select Any Mobile VPN (IPv4 only). |
Option | Definition |
---|---|
General tab | |
Inspection Options section | |
Deep Inspection | Selects traffic that matches this rule for checking against the Inspection Policy referenced by this policy. Traffic is inspected as the Protocol that is attached to the Service
element in this rule.
|
File Filtering | Selects traffic that matches this rule for checking against the File Filtering Policy referenced by this policy.
|
Anti-Spam | The Anti-Spam feature is no longer supported in Engine version 6.2.0 and higher. |
Decryption | Defines whether traffic that matches the rule is decrypted for TLS inspection or by the SSM HTTP Proxy (Engines in the Firewall/VPN role only).
|
Option | Definition |
---|---|
Advanced tab | |
Connection Options section | |
Connection Tracking Mode |
|
Idle Timeout | The timeout (in seconds) after which inactive connections are closed. This timeout concerns only idle connections. Connections are not cut because of timeouts while the hosts are
still communicating. If you enter a timeout, this value overrides the setting defined in the Engine properties. CAUTION: Do not set long timeouts for many connections.
Each connection that is kept active consumes resources on the Engine. Setting excessive timeouts for many connections can lead to serious performance problems. Generally, the idle
timeout is not more than a few minutes.
|
Synchronize Connections | Defines whether connection information is synchronized between Engine cluster nodes. Disabling connection synchronization reduces the traffic volume on the active heartbeat
interface, but it also prevents transparent failover of connections to other nodes.
|
Enforce TCP MSS
(IPv4 Only) |
Defines whether TCP MSS is enforced. Headers are not included in the maximum segment size (MSS) value; MSS concerns only the payload of the packet. Usually, network equipment sends
packets at the Ethernet-standard maximum transmission unit (MTU) size of 1500 (including both payload and headers).
|
Minimum | If a TCP packet has an MSS value smaller than the minimum you set here, the packet is dropped. The smaller the data content is, the less efficient the communications become due to the fixed-size headers. Limiting the minimum size can help alleviate certain types of network attacks. Typically, the value you enter is not larger than the default minimum TCP Maximum Segment Size (536). |
Maximum | If a TCP packet has an MSS value larger than the maximum, the Engine overwrites the packet’s MSS with the maximum value you set here. Setting the maximum MSS size might be necessary to prevent fragmentation. Typically, the value you enter is lower than the standard Ethernet MTU (1500), taking the packet headers that are added to the MSS into account. |
Option | Definition |
---|---|
Advanced tab | |
DoS Protection Options section | |
Concurrent Connection Limit per Source IP and Concurrent Connection Limit per Destination IP |
Enter the maximum number of open connections from or to each IP address at any one time. These limits are enforced by rules that have their Action set to Allow or Continue, and when the VPN Action in an Action option is Apply VPN, Enforce VPN, or Forward. Be careful to apply the concurrent connection limits correctly for the types of communication that this rule handles to avoid cutting off connections unnecessarily. |
Action | The Action that is applied to new connections if the limit is reached.
|
Rate-Based DoS Protection | Defines whether rate-based DoS protection is applied to traffic that matches the rule.
|
Scan Detection | Defines whether scan detection is applied to traffic that matches the rule.
|
Option | Definition |
---|---|
Jump tab | |
Sub-Policy | Select a Sub-Policy. Connections that match the Jump rule are matched against the selected Sub-Policy. If the Sub-Policy rules do not match, processing continues with the
next rule in the main policy. Click Select to select an element. |
Select Rule Action Options dialog box (Apply Blacklist)
Use this dialog box to override and specify the options for the Apply Blacklist action.
Option | Definition |
---|---|
Advanced tab | |
Scan Detection | Defines whether scan detection is applied to traffic that matches the rule.
|
Option | Definition |
---|---|
Blacklisting tab | |
Allowed Blacklisters for This Rule |
Engines are always allowed to add entries to their own blacklists. |
Available Blacklisters | Elements that you can add to the Allowed Blacklisters list. |
Allowed Blacklisters |
The elements that are allowed to add blacklist entries. Click Add to add an element to the list, or Remove to remove the selected element. Add the Management Server to allow manual blacklisting through the Management Client. Add the Log Server to allow it to relay blacklisting requests from other Engines. |
Option | Definition |
---|---|
Response tab | |
Override Settings Inherited from Continue Rule(s) | When selected, overrides settings defined in Continue rules higher up in the policy. |
User Response
(HTTP only) |
Specifies the automatic response that is shown to the end user when a connection is discarded. Click Select to select an element. You can use the default response or create a custom response. User Responses are not supported on Virtual Engines. |