Define Action options for the Jump action in Access rules
The Jump action directs traffic to a Sub-Policy.
The Jump action in IPv4 Access rules, and Firewall IPv6 Access rules adds a conditional section of rules to the policy. If a connection matches the Jump rule’s matching criteria, it is matched against the rules in the Sub-Policy.
For more details about the product and how to configure features, click Help or press F1.
Steps
- Right-click the Action cell, then select Jump.
- Set the options, then click OK.
Select Rule Action Options dialog box (Jump)
Use this dialog box to override and specify the options for the Jump action.
Option | Definition |
---|---|
Jump tab | |
Sub-Policy | Select a Sub-Policy. Connections that match the Jump rule are matched against the selected Sub-Policy. If the Sub-Policy
rules do not match, processing continues with the next rule in the main policy. Click Select to select an element. |
Option | Definition |
---|---|
Inspection tab, Inspection options | |
Deep Inspection | Selects traffic that matches this rule for checking against the Inspection Policy referenced by this policy. Traffic
is inspected as the Protocol that is attached to the Service element in this rule.
|
File Filtering | Selects traffic that matches this rule for checking against the File Filtering Policy referenced by this policy.
|
Anti-Spam | The Anti-Spam feature is no longer supported in NGFW version 6.2.0 and later. |
Decryption | Defines whether traffic that matches the rule is decrypted for TLS inspection or by the SSM HTTP Proxy (NGFW Engines in the
Firewall/VPN role only).
|
Option | Definition |
---|---|
Inspection tab, Connection Options | |
Connection Tracking Mode | Select one of these options:
|
Idle Timeout | The timeout (in seconds) after which inactive connections are closed. This timeout concerns only idle connections.
Connections are not cut because of timeouts while the hosts are still communicating. If you enter a timeout, this value overrides the setting defined in the engine properties. CAUTION: Do not set long timeouts for many connections. Each connection that
is kept active consumes resources on the engine. Setting excessive timeouts for many connections can lead to serious performance
problems. Generally, the idle timeout is not more than a few minutes.
|
Synchronize Connections | Defines whether connection information is synchronized between engine cluster nodes. Disabling connection
synchronization reduces the traffic volume on the active heartbeat interface, but it also prevents transparent failover of connections
to other nodes.
|
Enforce TCP MSS
(IPv4 Only) |
Defines whether TCP MSS is enforced. Headers are not included in the maximum segment size (MSS) value; MSS concerns
only the payload of the packet. Usually, network equipment sends packets at the Ethernet-standard maximum transmission unit (MTU) size
of 1500 (including both payload and headers).
|
Minimum | If a TCP packet has an MSS value smaller than the minimum you set here, the packet is dropped. The smaller the data content is, the less efficient the communications become due to the fixed-size headers. Limiting the minimum size can help alleviate certain types of network attacks. Typically, the value you enter is not larger than the default minimum TCP Maximum Segment Size (536). |
Maximum | If a TCP packet has an MSS value larger than the maximum, the engine overwrites the packet’s MSS with the maximum value you set here. Setting the maximum MSS size might be necessary to prevent fragmentation. Typically, the value you enter is lower than the standard Ethernet MTU (1500), taking the packet headers that are added to the MSS into account. |
Option | Definition |
---|---|
Inspection tab, DoS Protection Options | |
Concurrent Connection Limit per Source IP and Concurrent Connection Limit per Destination IP |
The maximum number of open connections from or to each IP address at any one time. You can select between Discard (silent drop) and Refuse (with ICMP error message) as the Action that is applied to new connections if the limit is reached. These limits are enforced by rules that have their Action set to Allow, Continue, or Use VPN (all VPN actions, Apply, Enforce, or Forward, are included). Be careful to apply the concurrent connection limits correctly for the types of communication that this rule handles to avoid cutting off connections unnecessarily. |
Action | The Action that is applied to new connections if the limit is reached.
|
Rate-Based DoS Protection | Defines whether rate-based DoS protection is applied to traffic that matches the rule.
|
Scan Detection | Defines whether scan detection is applied to traffic that matches the rule.
|