Access rule matching based on the payload of connections
When you use some types of Service elements in Access rules, the NGFW Engine can only determine whether a connection matches a rule after it has checked the payload of the packets against the Access rules.
When you use elements such as Network Applications, URL Categories, or URL List Applications in the Service field of an Access rule, matching is based on the payload of the packets. When the first SYN packet of a new connection is processed, the NGFW Engine cannot yet determine whether the connection matches the Access rule, because the SYN packet carries no payload. The NGFW Engine can only determine whether the connection matches the Access rule when it processes payload that identifies the traffic, for example, the HTTP request in an HTTP connection.
The NGFW Engine checks traffic against the Access rules from the top down. Matching criteria that do not depend on the payload of the connection, such as the source and destination IP addresses and ports, are always evaluated first. A rule whose non-payload criteria match, but whose payload-based criteria cannot be evaluated yet, could still match the connection, so the connection is considered potentially allowed by that rule. While the payload is still unknown, the NGFW Engine keeps a set of such candidate rules. As more of the payload is processed, rules whose payload-based criteria do not match are eliminated, and the number of rules that could potentially allow the connection gets smaller.
When traffic matches a rule that tells the NGFW Engine to allow or discard the packet, the NGFW Engine stops checking traffic against the Access rules. Decisions that must be made on the first packet, before the payload is known, follow the first rule that could potentially allow the connection. As a result, a connection might be handled according to a rule other than the one that it finally matches.
Application routing
In Access rules that make routing decisions based on network applications, use only Network Application elements that have the Application Routing tag. For these applications, the routing decision is made based on the application that is detected in the traffic. For other network applications, if the network application cannot immediately be identified, the routing decision is made according to the first rule that could potentially allow the connection.
Routing decisions are delayed until enough of the payload has been processed to identify the network application. If you use features that are not compatible with delaying the routing decision, use more specific source and destination criteria in the rules so that fewer rules could potentially allow the connection, or change the rule order so that the intended rule is the first potential match.
If a rule that could potentially allow the connection activates a feature that is not compatible with delaying the routing decision, the routing decision is made according to the first rule that could potentially allow the connection, even if the connection finally matches a later rule.
Snort inspection
We do not recommend using services that match based on the payload of connections, such as Network Applications, URL Categories, or URL List Applications, in Access rules that select traffic for Snort inspection. At the beginning of a connection, the NGFW Engine cannot determine whether the traffic should be selected for Snort inspection. Because the selection must be made before the payload is known, the NGFW Engine selects all potentially matching traffic for Snort inspection. As a result, Snort inspection might be applied to traffic that was not intended to be selected for Snort inspection, including connections that finally match a rule that does not select Snort inspection. Applying Snort inspection to this traffic can create false positive Snort rule matches.
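The following Python simulation is an added example, not product code or configuration from this documentation. It models the behaviour described in all three sections above with a constructed rule base and connection: the set of candidate rules at SYN time, how that set shrinks once the application is identified, how a routing decision that cannot be delayed follows the first candidate rule, and how Snort selection is applied to all potentially matching traffic. The rule fields, application names, IP ranges, and the route_via next-hop label are all hypothetical and are not NGFW element names.

```python
"""Simulation of payload-dependent Access rule matching (added example, not
product code). Rule fields, application names, addresses and the route_via
label are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                         # CIDR, or "any"
    dst: str                         # CIDR, or "any"
    dport: Optional[int]             # None means any port
    app: Optional[str]               # None: no payload criterion; else app name
    action: str                      # "allow" or "discard"
    snort: bool = False              # rule selects traffic for Snort inspection
    route_via: Optional[str] = None  # hypothetical next hop (application routing)


@dataclass(frozen=True)
class Conn:
    src: str
    dst: str
    dport: int


def header_match(rule: Rule, conn: Conn) -> bool:
    """Non-payload criteria: evaluated on the first SYN packet."""
    def net_ok(spec: str, addr: str) -> bool:
        return spec == "any" or ip_address(addr) in ip_network(spec)
    return (net_ok(rule.src, conn.src) and net_ok(rule.dst, conn.dst)
            and (rule.dport is None or rule.dport == conn.dport))


def candidates(rules, conn: Conn, app: Optional[str] = None):
    """Top-down evaluation. With app=None (SYN time) every header-matching rule
    with a payload criterion stays a candidate; a header-matching rule with no
    payload criterion is a definite match and ends the search. Once the app is
    known, the first full match ends the search."""
    out = []
    for r in rules:
        if not header_match(r, conn):
            continue
        if r.app is None:
            out.append(r)
            break                       # definite allow/discard: stop checking
        if app is None:
            out.append(r)               # payload unknown: still a candidate
        elif r.app == app:
            out.append(r)
            break                       # payload known: first full match
    return out


def first_match(rules, conn: Conn, app: str) -> Optional[Rule]:
    """The rule the connection finally matches once the application is known."""
    c = candidates(rules, conn, app)
    return c[0] if c else None


def snort_selected_at_syn(rules, conn: Conn) -> bool:
    """Selection cannot wait for payload, so any candidate that selects Snort
    causes the whole connection to be inspected."""
    return any(r.snort for r in candidates(rules, conn))


def route_decision(rules, conn: Conn, app: str, can_delay: bool):
    """Delayed routing follows the final match; an undelayable decision
    follows the first rule that could potentially allow the connection."""
    c = candidates(rules, conn) if not can_delay else candidates(rules, conn, app)
    return c[0].route_via if c else None


# Constructed rule base: two application-specific rules, a generic HTTPS
# allow, and a final discard. Only the first rule selects Snort inspection.
RULES = [
    Rule("allow-app-a", "10.0.0.0/8", "any", 443, "WebApp-A", "allow",
         snort=True, route_via="isp-a"),
    Rule("allow-app-b", "10.0.0.0/8", "any", 443, "WebApp-B", "allow",
         route_via="isp-b"),
    Rule("allow-https", "10.0.0.0/8", "any", 443, None, "allow"),
    Rule("discard-all", "any", "any", None, None, "discard"),
]

# Same rule base with a more specific destination on the Snort-selecting rule,
# so that it is no longer a candidate for connections to other destinations.
RULES_SCOPED = [Rule("allow-app-a", "10.0.0.0/8", "198.51.100.0/24", 443,
                     "WebApp-A", "allow", snort=True, route_via="isp-a")] + RULES[1:]

CONN = Conn("10.1.2.3", "203.0.113.10", 443)   # constructed internal client

if __name__ == "__main__":
    print([r.name for r in candidates(RULES, CONN)])          # three candidates at SYN
    print(first_match(RULES, CONN, "WebApp-B").name)          # allow-app-b
    print(snort_selected_at_syn(RULES, CONN))                 # True, though only app A selects Snort
    print(route_decision(RULES, CONN, "WebApp-B", False))     # isp-a: first candidate wins
    print(snort_selected_at_syn(RULES_SCOPED, CONN))          # False after scoping the rule
```

With RULES, a WebApp-B connection is finally matched by allow-app-b, but at SYN time allow-app-a is the first candidate: Snort inspection is applied even though only the WebApp-A rule selects it, and an undelayable routing decision sends the connection via isp-a. RULES_SCOPED applies the documented remedy of narrowing the source and destination criteria, which removes allow-app-a from the candidate set for this destination; reordering the rules would have the same effect.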