Using Continue rules to set the Protocol in Access rules

The default Protocol can be set using the Continue action.

This way, the correct Protocol is also used for traffic that is allowed by rules that are set to match any Service. These rules have no particular Service element that would set the correct protocol). This setting can even be mandatory, for example, if you want to allow certain protocols that allocate ports dynamically. On Firewalls, the Protocol is needed to associate the traffic with the correct protocol for further inspection and to handle some types of traffic, such as FTP, correctly. The IPS Template and the Layer 2 Firewall Template include several Continue rules that associate all traffic with Protocols according to standard ports. The Firewall Template includes one Continue rule that defines that Protocols of the type Protocol Agent are used for the Service Group Default Services with Agents.

Figure: Protocol Agent rule in Firewall Template



You can set a Protocol for more types of protocols or override the Default rule shown in the illustration above for some or all connections. Do this by placing one or more Continue rules at the top or some other suitable place in your own template or policy. The Source and Destination can be some specific addresses if you want to limit the scope of your Continue rules.
Note: A rule that matches the same source, destination, and service port as the Continue rule and specifies an Protocol of the types Protocol Agent, Protocol Tag, or SSM Proxy for the Service overrides the default set in the Continue rule. To avoid this limitation, do not add rules that specify these types of Protocols for the same matching criteria as the Continue rules.

If you have TCP and UDP services set up in your network under non-standard ports, the traffic might not be associated to the correct protocol. The traffic could therefore inspected at a more general (TCP or UDP) level. In this case, you can create your own custom Service and add it in your policy to have the traffic inspected with the correct protocol information. Only some protocols and some of their parameters are supported in the services that are used in IPS policies.

You can also add your own rules for the opposite purpose: to have some traffic not inspected as a particular protocol, but more generally as TCP or UDP traffic. In this case, you add a rule in your policy that includes the general TCP or UDP Service element from the IP-proto branch of the Services tree.