Overview of Access rules

Access rules are traffic handling rules in which you define the details of traffic examination and which action to take when matching details are found.

The IPv4 and IPv6 Access rules are stored in policy elements.

Access rules apply to all network interfaces, unless you use Zone elements to match traffic based on which interfaces traffic passes through.

The traffic matching is based on the information contained in the packets:

  • Source and destination IP addresses.
  • Protocol-specific information, such as the port information for protocols that use ports.
  • Payload data in the packets, such as HTTP requests in an HTTP connection.
Additional matching criteria that is not based on information in the packets includes:
  • The interface the traffic is coming from or going to. This allows you to restrict which traffic is allowed through which interfaces in more detail than basic antispoofing.
  • (Firewalls only) The VPN the traffic is coming from (on an engine where that VPN terminates). This allows creating rules that apply to VPN traffic only, or rules that apply to all traffic except VPN traffic.
  • (Firewalls only, IPv4 only) User authentication (allowing you to create rules that define the end users who are allowed to make connections and the authentication methods for the end users).
  • The User or User Group of a user who has logged on to an integrated Microsoft Active Directory domain (allowing you to create user-specific rules without configuring authentication).
  • The day of the week and the time of day (allowing you to enforce rules only during certain times, such as working hours).
The Access rules provide several different ways to react when some traffic is found to match a rule. You can:
  • Specifically allow the traffic.
  • (Firewalls only, IPv4 only) Allow the traffic on the condition that the user has passed authentication.
  • (Firewalls only) Allow the traffic on the condition that a VPN is established.
  • (Firewalls only) Allow the traffic on the condition that the same source or destination IP address does not have an excessive number of connections already open (concurrent connection limit).
  • Allow the traffic with inspection against the Inspection Policy.
  • Allow the traffic without further inspection.
  • (Firewalls and inline interfaces only) Specifically stop the traffic.

Regardless of which of the above actions is taken, a matching rule can also create a log or alert entry.

In addition to traffic allowed by the Access rules, Firewalls allow the following types of traffic:

  • Traffic that is allowed automatically based on the NGFW Engine configuration or by static rules generated by the Management Server.
  • Traffic that is allowed by automatic rules for traffic to and from the engine.
  • Traffic that is allowed by the default template on which the Firewall Policy is based.

Firewalls automatically allow the following types of traffic with specific configurations:

  • DHCP requests and replies for an interface for which a DHCP server is enabled.
  • DHCP requests and replies for an interface that has a dynamic IP address.
  • State synchronization between cluster nodes.
  • IPv6 Neighbor Discovery traffic.