Considerations for designing Access rules

One of the crucial issues in designing policies is the order of the rules.

Rules are read from the top down. The actions Allow, Refuse, Discard, and Use VPN (Firewall only) stop the processing from continuing down the rule table for any connection that matches the rule. Rules with any of these actions must therefore be placed so that the narrower a rule's scope, the higher up it sits in the rule table; otherwise a broader rule above it matches first and the narrower rule is never reached.

Example: An Access rule that allows connections to the IP address 192.168.10.200 must be put above an Access rule that stops all connections to the network 192.168.10.0/24.

In Firewall and Layer 2 Firewall policies, traffic that does not match any of the Access rules by the end of the policy is discarded by default. In IPS policies, traffic that does not match any of the Access rules by the end of the policy is allowed by default. In Layer 2 Interface Policies, the final action depends on the type of interface. Inline Layer 2 Firewall Interfaces discard all traffic. Capture Interfaces and Inline IPS Interfaces allow all traffic.
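To make the first-match behaviour and the per-policy defaults concrete, here is a small added example (not code from the product or this documentation) that evaluates a destination address against an ordered rule table, reports which rule terminated processing, and flags rules that can never match because a broader terminating rule sits above them. It goes slightly beyond the text by adding that shadowing check. Rules match on destination network only, which is a deliberate simplification; the non-terminating action name "Continue" and the `policy_type` / `interface_type` labels are assumptions for this example, not product identifiers.

```python
import ipaddress
from dataclasses import dataclass

# Actions that stop rule processing for a matching connection (from the text).
TERMINAL_ACTIONS = {"Allow", "Refuse", "Discard", "Use VPN"}

# Default action when no Access rule matches, per policy type (from the text).
# The policy-type labels are this example's own.
DEFAULT_ACTION = {
    "firewall": "Discard",
    "layer2_firewall": "Discard",
    "ips": "Allow",
}

# Layer 2 Interface Policies: default depends on the interface type (from the text).
INTERFACE_DEFAULT_ACTION = {
    "inline_layer2_firewall": "Discard",
    "capture": "Allow",
    "inline_ips": "Allow",
}


@dataclass
class Rule:
    name: str
    dst: ipaddress.IPv4Network  # matched against the connection's destination
    action: str


def rule(name, dst_cidr, action):
    """Build a Rule from a CIDR string (host addresses become /32)."""
    return Rule(name, ipaddress.ip_network(dst_cidr, strict=False), action)


def default_action(policy_type, interface_type=None):
    """End-of-policy action when nothing matched."""
    if policy_type == "layer2_interface":
        return INTERFACE_DEFAULT_ACTION[interface_type]
    return DEFAULT_ACTION[policy_type]


def evaluate(rules, dst_ip, policy_type, interface_type=None):
    """Walk the table top-down; return (action, name of deciding rule or None)."""
    dst = ipaddress.ip_address(dst_ip)
    for r in rules:
        if dst in r.dst and r.action in TERMINAL_ACTIONS:
            return r.action, r.name
        # A matching non-terminating action (assumed here as "Continue")
        # would fall through to the next rule.
    return default_action(policy_type, interface_type), None


def find_shadowed(rules):
    """Names of rules that can never decide a connection, because an earlier
    terminating rule already covers their whole destination network."""
    shadowed = []
    for i, r in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.action in TERMINAL_ACTIONS and r.dst.subnet_of(earlier.dst):
                shadowed.append(r.name)
                break
    return shadowed


# Constructed rule tables mirroring the example in the text.
CORRECT_ORDER = [
    rule("allow-host", "192.168.10.200", "Allow"),
    rule("block-net", "192.168.10.0/24", "Discard"),
]
WRONG_ORDER = list(reversed(CORRECT_ORDER))


if __name__ == "__main__":
    for label, table in (("correct", CORRECT_ORDER), ("wrong", WRONG_ORDER)):
        print(label, evaluate(table, "192.168.10.200", "firewall"),
              "shadowed:", find_shadowed(table))
    print("unmatched, firewall:", evaluate(CORRECT_ORDER, "10.0.0.5", "firewall"))
    print("unmatched, ips:", evaluate(CORRECT_ORDER, "10.0.0.5", "ips"))
```

With the host rule above the network rule, 192.168.10.200 is allowed by `allow-host`; with the order reversed, `block-net` discards it first and `find_shadowed` reports `allow-host` as unreachable. The unmatched address shows the differing end-of-policy defaults: discarded under a Firewall policy, allowed under an IPS policy.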