Define Source, Destination, and Service criteria in rules

You can create detailed sets of matching criteria for the rule in the Source, Destination, and Service cells.

You can create Source and Destination Definitions for the following types of rules:

  • All types of rules in Firewall Policies.
  • IPv4 and IPv6 Access rules in IPS, Layer 2 Firewall, and Layer 2 Interface Policies.

The following types of items can be used as matching criteria:

Table 1. Matching criteria for Source and Destination Definitions
User IP Address Domain Name Zone
  • User names and groups of user names of users that have authenticated to the NGFW Engine.
  • User and User Group elements for users stored on an integrated Active Directory server in an environment with a Forcepoint User ID Service server installed and configured.
Any element from the Network Elements branch that directly represents an IP address. Domain Name elements. If DNS Server IP addresses have been defined in the engine properties, the engine automatically resolves the Internet domain names to IP addresses. Zone elements for interface matching.
Note: VPN and NAT operations can change the routing of packets, potentially causing packets that no longer match the Destination Zone of an Access rule to be discarded.

You can create Service Definitions for the following types of rules:

  • IPv4 and IPv6 Access rules, and IPv4 and IPv6 NAT rules in Firewall policies.
  • IPv4 and IPv6 Access rules in IPS, Layer 2 Firewall Policies, and Layer 2 Interface Policies.

The following types of items can be used as matching criteria:

Table 2. Matching criteria for Service Definitions
Network Application Service (Port) TLS Match
Network Application elements for application detection and application routing.

TCP and UDP Service elements

In NAT rules that forward traffic to a proxy server, the supported protocols depend on the proxy server to which traffic is forwarded.

If the row contains both a Network Application element and a Service element, the ports specified in the Service element override the ports specified in the Network Application elements.

When the row contains a Network Application element, you can also specify which ports traffic matches without adding a Service element.

(IPv4 and IPv6 Access rules only) TLS Match elements for application detection. TLS Match elements must be used with Network Application elements that contain a TLS Match.
Note: You cannot use Network Application elements and Service elements on different rows of the same Service Definition.

  For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Right-click the Source, Destination, or Service cell, then select Edit Source, Edit Destination, or Edit Service.
  2. For each row of matching criteria that you want to add:
    1. Click Add Row.
    2. Drag and drop elements from the list on the left to the correct cell in the row.
      Note: All items on the same row must match the traffic for the row to match. You do not have to insert elements into all cells on the same row.
  3. Click OK.

Rule Definitions dialog box (Source or Destination)

Use this dialog box to configure definitions of sources or destinations in policy rules.

Option Definition
Resources pane. You can drag and drop elements from this pane.
Filter Allows you to filter the elements shown.
Up Navigates up one level in the navigation hierarchy. Not available at the top level of the navigation hierarchy.
Tools A menu that contains various options, such as for creating new elements or showing elements that have been moved to the Trash.
Definitions table. Click Add Row to add a row to the table, or Remove Row to remove the selected row.
User User and User Group elements for users stored on an integrated Active Directory server.
IP Address Any element from the Network Elements branch that directly represents an IP address.
Domain Name Domain Name elements used for matching. If DNS Server IP addresses have been defined in the engine properties, the engine automatically resolves the Internet domain names to IP addresses.
Zone Zone elements used for interface matching.
Endpoint Application The Endpoint Application elements used for matching. Not supported for the Destination cell.
Endpoint Settings The Endpoint Settings elements used for matching. Not supported for the Destination cell.

Rule Service Definitions dialog box

Use this dialog box to configure definitions of services in policy rules.

Option Definition
Resources Use this pane to add elements to a service definition.
Search Opens a search field for the selected element list.
Up Navigates up one level in the navigation hierarchy. Not available at the top level of the navigation hierarchy.
Tools
  • New — Opens the associated dialog box to create an element.
  • Show Deleted Elements — Shows elements that have been moved to the Trash.
Service Definitions table

Click Add to add a row to the table, or Remove to remove the selected row.

Network Application

(Optional)

Specifies the Network Applications that the service definition matches.
Service (Port)

(Optional)

Specifies the ports that the service definition matches. You can add TCP and UDP Service elements, or right-click the cell to specify which ports traffic matches when the row contains a Network Application element.

In NAT rules that forward traffic to a proxy server, the supported protocols depend on the proxy server to which traffic is forwarded.

Note: If the row contains both a Network Application element and a Service element, the ports specified in the Service element override the ports specified in the Network Application elements.

This cell has the following right-click options:

  • Automatic Port Selection — When selected, the ports that traffic matches are selected automatically depending on the action specified in the rule.

    For rules that allow traffic and for rules with the Continue action, traffic matches on the standard ports defined in the Network Application element. For rules that stop traffic, traffic matches any port where the application can be detected.

  • Any Port — When selected, traffic matches any port where the application can be detected.
  • Standard Ports — When selected, traffic matches only the standard ports defined in the Network Application element.
TLS Match

(Optional)

Specifies the TLS Match elements for application detection. TLS Match elements must be used with Network Application elements that contain a TLS Match.