Example: firewall Access rule order

An example of how Access rule order affects traffic matching.

Company A has an office network, a DMZ for WWW servers, and a second DMZ for an FTP server. The administrators only need to add rules for the DMZ traffic.

Figure: Company A's communication of special interest



The WWW servers must be accessible to anyone from both internal and external networks. HTTP traffic is inspected against the Inspection rules, excluding the administrators’ own PCs (on the right in the illustration) because they often test the servers for vulnerabilities. The FTP server is accessible to all users in the general office network, but only to certain external users (on the left) that authenticate using an external authentication server.

The administrators:

  1. Create Host elements for the WWW servers, the FTP server, and the administrators’ PCs.
  2. Create a Group element that contains the WWW server Host elements.
  3. Create a Group element that contains the administrator PCs’ Host elements.
  4. Configure an external authentication server for use with the Firewall.
  5. Create User and User Group elements for the allowed external FTP users.
  6. Add IPv4 Access rules with the Allow action for access to the DMZs:
Table 1. Access rules for the DMZ
Source Destination Service Authentication Action
“Administrator PCs” Group “WWW Servers” Group “HTTP” Service   Allow (Deep Inspection Off)
ANY “WWW Servers” Group “HTTP” Service   Allow (Deep Inspection On)
Network element for Office Network “FTP Server” Host “FTP” Service   Allow (Deep Inspection Off)
ANY “FTP Server” Host “FTP” Service

Users tab: “External Users” User Group

Authentication Methods tab: A suitable authentication method

Allow (Deep Inspection Off)
  • As seen in the rule table, there are two rules for traffic to both the WWW servers and the FTP server.
  • The rules are arranged so that the more specific rules are above the more general rules.

    For example, the rule allowing administrators to connect to the WWW servers without checking against the Inspection rules is above the more general rule. The general rule allows any connection to the servers as subject to the Inspection rules.

  • If the first two rules were in the opposite order, the rule specific to administrators would never match, as the rule with the source as ANY would be applied first. The connection would be allowed according to that general rule, and the firewall would stop checking the rule table.