Inspection rules tree and how it works

The rules tree is the main tool for controlling deep packet inspection in Inspection Policy elements.

The rules tree on the Inspection tab in Inspection Policies allows you to define what action the engine takes when Situation matches are found and how they are logged. To edit these rules, click the Action cell or the Logging cell of a rule and select the suitable option. The definitions on the Exceptions tab are matched before the Rules tree on the Inspection tab.

In the rules tree, items that have subitems are Situation Type elements. The items that have no subitems are individual Situation and Correlation Situation elements. The rules tree contains all Situation Types and the Situations associated with them.

All levels of the rules tree are editable. By default, subitems inherit the Action and Logging options from their parent item. If a subitem has any setting that differs from the parent item's settings, this is regarded as an override. If you change a value in an item that has subitems, all subitems that are set to use the default value inherit this change. Any subitems that are set to an override continue to use that override, so changing a parent does not silently reset values that were set explicitly lower in the tree.

Example

The parent item and 10 of the subitems are set to use the “Permit (Default)” action. Two of the subitems are set to use the “Permit” action. You change the parent to use the “Terminate” action. Ten subitems change to “Terminate (Default)”. Two subitems continue to use “Permit”.

Figure: How overrides are highlighted in the rules tree. Callouts: 1. Overrides; 2. Default values (shown in italics).

In the list of options available in the right-click menu, “default” is included in the label. For example, “Permit (default)” means that this action is the default action for the selected Situation Type or Situation.
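The inheritance rules above (defaults follow the parent, overrides stay put, Exceptions are matched before the rules tree) are easy to misread, so the following is an added Python model of that behaviour. It is illustrative code written for this page, not the engine's or the Management Client's implementation; the class and function names, the "Stored" logging value and the simplified Exceptions lookup keyed by Situation name are all assumptions made for the example.

```python
"""Model of Inspection Policy rules-tree inheritance.

Illustrative code for this page, not product code. It reproduces the
documented semantics: a subitem with no explicit value inherits from its
parent and is labelled "<value> (Default)"; an explicit value is an
override and survives changes to the parent; the Exceptions tab is
matched before the rules tree.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class TreeItem:
    """A Situation Type (has children) or a Situation (leaf) in the rules tree.

    action / logging are None when the item uses the inherited default;
    any explicit value is an override.
    """
    name: str
    action: Optional[str] = None
    logging: Optional[str] = None
    parent: Optional[TreeItem] = None
    children: list[TreeItem] = field(default_factory=list)

    def add(self, child: TreeItem) -> TreeItem:
        child.parent = self
        self.children.append(child)
        return child

    def effective(self, setting: str) -> str:
        """Walk up the tree until an explicit value is found."""
        value = getattr(self, setting)
        if value is not None:
            return value
        if self.parent is None:
            raise ValueError(f"root item has no {setting} set")
        return self.parent.effective(setting)

    def is_override(self, setting: str) -> bool:
        return self.parent is not None and getattr(self, setting) is not None

    def label(self, setting: str) -> str:
        """UI-style label: 'Permit (Default)' when inherited, 'Permit' when overridden."""
        value = self.effective(setting)
        return value if self.is_override(setting) else f"{value} (Default)"


def build_example() -> TreeItem:
    """The example from the text: parent plus 10 default and 2 overriding subitems.

    Situation names are constructed for the example; "Stored" is an assumed
    logging value.
    """
    parent = TreeItem("Example Situation Type", action="Permit", logging="Stored")
    for i in range(10):
        parent.add(TreeItem(f"Situation-{i}"))             # inherit (Default)
    for i in range(10, 12):
        parent.add(TreeItem(f"Situation-{i}", action="Permit"))  # explicit override
    return parent


def apply_parent_change(parent: TreeItem, new_action: str) -> dict[str, str]:
    """Change the parent's action and return each subitem's resulting label."""
    parent.action = new_action
    return {child.name: child.label("action") for child in parent.children}


def resolve(situation: TreeItem, exceptions: dict[str, str]) -> tuple[str, str]:
    """Exceptions tab first, rules tree as fallback.

    `exceptions` is a simplified stand-in for Exception rules, keyed by
    Situation name (an assumption; real Exceptions also match on traffic).
    """
    if situation.name in exceptions:
        return exceptions[situation.name], "Exception"
    return situation.effective("action"), "Rules tree"


if __name__ == "__main__":
    tree = build_example()
    for name, lbl in apply_parent_change(tree, "Terminate").items():
        print(f"{name}: {lbl}")
    print(resolve(tree.children[10], {"Situation-10": "Terminate"}))
```

Running it shows the ten default subitems switch to "Terminate (Default)" while the two explicit "Permit" overrides keep their value, and that an Exception for Situation-10 wins over the tree value for that Situation.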

The rules tree in a higher-level Template Policy does not lock its values: regardless of the settings there, any rules tree value can still be changed in an inheriting policy. To add rules to a Template Policy that cannot be edited in the inheriting policies, add the rules as Exceptions.