Access rule matching based on the payload of connections

When you use some types of Service elements in Access rules, the NGFW Engine can only determine whether the connection matches a rule when the payload of the packets is checked against the Access rules.

When you use elements such as Network Applications, URL Categories, or URL List Applications in the Service field of an Access rule, matching is based on the payload of the packets. When the first SYN packet of a new connection is processed, the NGFW Engine cannot yet determine whether the connection matches the Access rule. It can only determine whether the connection matches the Access rule when it processes, for example, an HTTP request in an HTTP connection.

The NGFW Engine checks traffic against the Access rules from the top down. Matching criteria that do not depend on the payload of the connection, such as the source and destination IP addresses and ports, are always evaluated first. If a connection might still match another rule that allows traffic, the connection is considered potentially allowed. As more of the payload is processed, the number of rules that could potentially allow the connection decreases.

When traffic matches a rule that tells the NGFW Engine to allow or discard the packet, the NGFW Engine stops checking traffic against the Access rules. Because the first matching rule defines how the first packet is forwarded, connections might not match the intended rule.

Application routing

You must use network applications that have the Application Routing tag because the routing decision is made based on the application that is detected in the traffic. For other network applications, if the network application cannot immediately be identified, the routing decision is made according to the first rule that could potentially allow the connection.

Routing decisions are delayed until enough of the payload has been processed to identify the network application. If you use features that are not compatible with delaying the decision, use more specific source and destination criteria in the rules, or change the rule order.

If a rule that could potentially allow the connection activates a feature that is not compatible with delaying the routing decision, the decision is made according to the first rule that could potentially allow the connection.

Important: After the routing decision has been made, the NGFW Engine might later identify a different application in the connection. If the application that is detected would cause a different routing decision to be made, the connection might be discarded.
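The following toy model, added here and not part of the product documentation, illustrates the matching behaviour described in both sections above: header criteria are evaluated first, rules with payload-based criteria stay "potential" until the application is identified, the first packet is handled according to the first rule that could potentially allow the connection, and the final match can differ from that rule. Rule and application names, the prefix-based source matching, and the "no match returns None" behaviour are all constructed simplifications, not the NGFW Engine's real data model.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Rule:
    name: str
    src_prefix: str              # "any" or an IP prefix (constructed stand-in for Network elements)
    dst_port: Optional[int]      # None means any port
    application: Optional[str]   # None means the rule has no payload-based criterion
    action: str                  # "allow" or "discard"

@dataclass
class Connection:
    src_ip: str
    dst_port: int
    application: Optional[str] = None  # stays None until enough payload has been inspected

def header_match(rule: Rule, conn: Connection) -> bool:
    # Criteria that do not depend on the payload are always evaluated first
    return (rule.src_prefix == "any" or conn.src_ip.startswith(rule.src_prefix)) \
        and (rule.dst_port is None or rule.dst_port == conn.dst_port)

def candidates(rules: List[Rule], conn: Connection) -> List[Rule]:
    """Rules, in order, that could still match given what has been seen so far."""
    out: List[Rule] = []
    for rule in rules:
        if not header_match(rule, conn):
            continue
        if rule.application is not None:
            if conn.application is None:
                out.append(rule)   # not decidable yet: keep as a potential match, keep scanning
                continue
            if rule.application != conn.application:
                continue           # payload inspected and it is a different application
        out.append(rule)
        break                      # definite match: first match wins, stop checking rules
    return out

def first_potential_allow(rules: List[Rule], conn: Connection) -> Optional[str]:
    """Rule the first packet is forwarded by: the first rule that could potentially allow it."""
    return next((r.name for r in candidates(rules, conn) if r.action == "allow"), None)

def final_match(rules: List[Rule], conn: Connection) -> Optional[str]:
    """Rule that matches once the application is known (None = no rule matched)."""
    found = candidates(rules, conn)
    return found[0].name if found else None

# Constructed rule base: two payload-based rules above a plain port-based rule
RULES = [
    Rule("Block video", "10.0.0.", 443, "Video Streaming", "discard"),
    Rule("Allow web", "10.0.0.", 443, "Web Browsing", "allow"),
    Rule("Allow other HTTPS", "any", 443, None, "allow"),
]
```

Comparing `first_potential_allow(RULES, Connection("10.0.0.5", 443))` with `final_match(RULES, Connection("10.0.0.5", 443, "Video Streaming"))` shows the mismatch the text warns about: the first packet is handled by "Allow web", while the connection finally matches "Block video".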