Define Source, Destination, and Service criteria in rules
You can create detailed sets of matching criteria for the rule in the Source, Destination, and Service cells.
You can create Source and Destination Definitions for the following types of rules:
- All types of rules in Firewall Policies.
- IPv4 and IPv6 Access rules in IPS, Layer 2 Firewall, and Layer 2 Interface Policies.
The following types of items can be used as matching criteria:

User | IP Address | Domain Name | Zone |
---|---|---|---|
User and User Group elements for users stored on an integrated Active Directory server. | Any element from the Network Elements branch that directly represents an IP address. | Domain Name elements. If DNS Server IP addresses have been defined in the engine properties, the engine automatically resolves the Internet domain names to IP addresses; without DNS servers defined there, the engine cannot resolve the names for matching. | Zone elements for interface matching. |
You can create Service Definitions for the following types of rules:
- IPv4 and IPv6 Access rules, and IPv4 and IPv6 NAT rules in Firewall policies.
- IPv4 and IPv6 Access rules in IPS, Layer 2 Firewall Policies, and Layer 2 Interface Policies.
The following types of items can be used as matching criteria:

Network Application | Service (Port) | TLS Match |
---|---|---|
Network Application elements for application detection and application routing. | TCP and UDP Service elements. In NAT rules that forward traffic to a proxy server, the supported protocols depend on the proxy server to which traffic is forwarded. If the row contains both a Network Application element and a Service element, the ports specified in the Service element override the ports specified in the Network Application elements. When the row contains a Network Application element, you can also specify which ports traffic matches without adding a Service element. | (IPv4 and IPv6 Access rules only) TLS Match elements for application detection. TLS Match elements must be used with Network Application elements that contain a TLS Match. |
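The port precedence and the TLS Match constraint above are easy to get wrong when a row carries more than one element. The following Python model is an added illustration, not code from this page or from the product: it encodes the two rules stated in the table (Service ports override Network Application ports; a TLS Match is only valid with a Network Application element that contains a TLS Match) and evaluates constructed sample traffic against sample rows. The class names, the sample elements, and the interpretation of a TLS Match as a comparison against the ClientHello SNI are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class NetworkApplication:
    """A Network Application element: detected application plus the ports it carries."""
    name: str
    default_ports: FrozenSet[int]
    tls_match: Optional[str] = None   # server name the element's TLS Match looks for, if any


@dataclass(frozen=True)
class Service:
    """A TCP or UDP Service (Port) element."""
    protocol: str                     # "tcp" or "udp"
    ports: FrozenSet[int]


@dataclass(frozen=True)
class ServiceRow:
    """One row of a Service definition: every cell is optional, but the row needs an element."""
    network_application: Optional[NetworkApplication] = None
    service: Optional[Service] = None
    tls_match: bool = False           # True when the row also carries a TLS Match element

    def __post_init__(self) -> None:
        if self.network_application is None and self.service is None:
            raise ValueError("a Service definition row needs a Network Application or a Service element")
        # Constraint from the page: a TLS Match element is only valid together with a
        # Network Application element that itself contains a TLS Match.
        if self.tls_match and not (self.network_application and self.network_application.tls_match):
            raise ValueError("TLS Match requires a Network Application element that contains a TLS Match")


@dataclass(frozen=True)
class Flow:
    """Constructed sample traffic, as seen by the engine after application detection."""
    protocol: str
    dst_port: int
    detected_app: Optional[str] = None
    sni: Optional[str] = None         # server name from the TLS ClientHello, if any


def effective_ports(row: ServiceRow) -> FrozenSet[int]:
    """Precedence from the page: a Service element's ports override the
    Network Application element's own ports."""
    if row.service is not None:
        return row.service.ports
    return row.network_application.default_ports


def row_matches(row: ServiceRow, flow: Flow) -> bool:
    """All cells present in the row must match for the row to match."""
    if row.service is not None and row.service.protocol != flow.protocol:
        return False
    if flow.dst_port not in effective_ports(row):
        return False
    app = row.network_application
    if app is not None and flow.detected_app != app.name:
        return False
    # Assumption for this model: the TLS Match compares the ClientHello SNI.
    if row.tls_match and flow.sni != app.tls_match:
        return False
    return True


# Constructed sample elements (hypothetical, not real SMC element definitions).
HTTP = NetworkApplication("HTTP", frozenset({80}))
HTTPS_INTRANET = NetworkApplication("HTTPS", frozenset({443}), tls_match="intranet.example.com")
PROXY_PORT = Service("tcp", frozenset({8080}))

HTTP_ON_DEFAULT_PORT = ServiceRow(network_application=HTTP)
HTTP_VIA_PROXY_PORT = ServiceRow(network_application=HTTP, service=PROXY_PORT)
INTRANET_TLS = ServiceRow(network_application=HTTPS_INTRANET, tls_match=True)


if __name__ == "__main__":
    web_on_80 = Flow("tcp", 80, detected_app="HTTP")
    web_on_8080 = Flow("tcp", 8080, detected_app="HTTP")
    print(row_matches(HTTP_ON_DEFAULT_PORT, web_on_80))   # True
    print(row_matches(HTTP_VIA_PROXY_PORT, web_on_80))    # False: Service ports replace port 80
    print(row_matches(HTTP_VIA_PROXY_PORT, web_on_8080))  # True
    print(row_matches(INTRANET_TLS, Flow("tcp", 443, "HTTPS", sni="intranet.example.com")))  # True
    print(row_matches(INTRANET_TLS, Flow("tcp", 443, "HTTPS", sni="other.example.com")))     # False
```

The second case is the one to check in a real policy: once a Service element is in the row, traffic on the application's own default port no longer matches that row, so a rule meant to cover both the default port and a proxy port needs both ports in the Service element.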
Steps
- Right-click the Source, Destination, or Service cell, then select Edit Source, Edit Destination, or Edit Service.
- For each row of matching criteria that you want to add, click Add Row (Add in the Rule Service Definitions dialog box), then drag the elements from the Resources pane into the cells of the row.
- Click OK.
Rule Definitions dialog box (Source or Destination)
Use this dialog box to configure definitions of sources or destinations in policy rules.
Option | Definition |
---|---|
Resources | Pane that lists the available elements. You can drag and drop elements from this pane into the Definitions table. |
Search | Opens a search field for the selected element list. |
Up | Navigates up one level in the navigation hierarchy. Not available at the top level of the navigation hierarchy. |
Tools | |
Definitions table | Click Add Row to add a row to the table, or Remove Row to remove the selected row. The table has the columns listed below. |
User | User and User Group elements for users stored on an integrated Active Directory server. |
IP Address | Any element from the Network Elements branch that directly represents an IP address. |
Domain Name | Domain Name elements used for matching. If DNS Server IP addresses have been defined in the engine properties, the engine automatically resolves the Internet domain names to IP addresses. |
Zone | Zone elements used for interface matching. |
Endpoint Application | The Endpoint Application elements used for matching. Not supported for the Destination cell. |
Endpoint Settings | The Endpoint Settings elements used for matching. Not supported for the Destination cell. |
Rule Service Definitions dialog box
Use this dialog box to configure definitions of services in policy rules.
Option | Definition |
---|---|
Resources | Use this pane to add elements to a service definition. |
Search | Opens a search field for the selected element list. |
Up | Navigates up one level in the navigation hierarchy. Not available at the top level of the navigation hierarchy. |
Tools | |
Service Definitions table | Click Add to add a row to the table, or Remove to remove the selected row. The table has the columns listed below. |
Network Application (Optional) | Specifies the Network Applications that the service definition matches. |
Service (Port) (Optional) | Specifies the ports that the service definition matches. You can add TCP and UDP Service elements, or right-click the cell to specify which ports traffic matches when the row contains a Network Application element. In NAT rules that forward traffic to a proxy server, the supported protocols depend on the proxy server to which traffic is forwarded. Note: If the row contains both a Network Application element and a Service element, the ports specified in the Service element override the ports specified in the Network Application elements. Right-click options are also available in this cell. |
TLS Match (Optional) | Specifies the TLS Match elements for application detection. TLS Match elements must be used with Network Application elements that contain a TLS Match. |