Configuring default settings for several Access rules

The Continue action allows you to set default values for some settings in rules to avoid defining the same settings for several rules individually.

When a connection matches a rule with Continue as the action, some of the rule’s settings are written in memory but the matching continues until another rule that matches is found. This matching rule uses the defaults set in the Continue rule unless the rule specifically overrides the defaults with different settings. This way, you do not have to define the settings for each rule separately.

You can use Continue rules to set default settings for a general type of traffic and define settings for individual rules only when required. There are also default values that are used for rules that are set to use the values of a Continue rule, but there is no previous matching Continue rule.

The options that can be set using Continue rules in Access rules include:
  • The Connection Tracking option:
    • For Firewalls, the default is on.
    • Idle Time-out also overrides the global defaults set in the engine’s properties.
    • The concurrent connection limits define the maximum number of connections allowed from a single source or destination IP address.
  • The logging options (for Firewalls, the default is Stored).
  • The Protocol option inside the Service used (for Firewalls, this option is used to apply a Protocol to rules with ANY as their Service).
  • The QoS Class (default is that no specific QoS Class is assigned).

Continue rules are defined the same way as other rules. However, you must remember that when any of the options listed above is set in the Continue rule, many or even all rules below can be affected. The Continue rule options are used by the rules below if the source, destination, service port, and the optional source VPN match the same connection as the Continue rule. Continue rules are inherited from Template Policies into lower-level templates and policies like any other rules.

Continue rules behave in the same way as any other rules. A Continue rule can be overridden by:
  • A later Continue rule that has an identical scope (such as Source and Destination)
  • Partially overridden by a Continue rule that partially overlaps with the previous Continue rule
  • A rule with the Allow or Apply VPN action that has an identical scope and specifies different settings.
When you define Continue rules with different matching criteria, you can have several Continue rules one after another without them interfering with each other in any way at all.

Sub-Policies might require special attention with Continue rules: the Sub-Policies can have different options when you insert them into different policies if the Sub-Policy rules do not override the options set by preceding Continue rules. Also, when a Sub-Policy contains a Continue rule, the options are then used for further matching in the higher-level policy (if the processing returns to the higher-level policy).