Rule order for Inspection Policy elements
The rules in Inspection Policy elements are read from the top down. More specific rules must be placed above more general rules that match the same traffic.
Detailed rules that apply to particular IP addresses and Protocols are defined on the Exceptions tab. The general rules that apply to the remaining traffic are defined in the Rules tree on the Inspection tab. Because the Exceptions are the more specific rules, they must come before the general rules that would otherwise match the same traffic; a general rule placed above a specific one shadows it, and the specific rule never matches.
Inspection rules and exceptions can look different even if they refer to the same Situation because Situations can be grouped using Situation Tag and Situation Type elements. However, the rules match patterns in the same way whether you add the Situation as a single element or together with other Situations through a Situation Tag or Situation Type.
Because traffic matching is based on the traffic pattern definitions in Situation elements, the behavior of the Inspection rules and exceptions can change without anyone editing the policy directly. For example, creating a Situation element can include the Situation in the policy if the Situation is associated with a Situation Tag or Situation Type element that is used in the policy.
The Permit and Terminate actions in Inspection rules and exceptions have different effects on policy processing when a rule matches.
- Permit — Allows traffic that matches the pattern. A Permit match does not unconditionally allow the connection, because processing continues to look for other patterns. However, a Permit match does prevent the same Situation from matching again if it appears at any point further down in the policy.
- Terminate — Stops traffic that matches the pattern. A Terminate match prevents the same Situation from matching again if it appears at any point further down in the policy, but it does not prevent other Situations from matching.
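The matching behaviour described above (top-down order, Exceptions before the Rules tree, Permit and Terminate both consuming a Situation, Tag-based rules picking up newly created Situations) is easy to get wrong when editing a policy. The following is an added example written for this page, not SMC code: a small Python model of those semantics with a check for rules that are shadowed by a more general rule above them. The Situation names, Tag names, rule names and IP addresses are invented for illustration and do not correspond to real elements.

```python
from dataclasses import dataclass
from typing import Optional

# Added example: a model of Inspection rule-order semantics, not SMC code.
# All element names and addresses below are constructed for illustration.


@dataclass(frozen=True)
class Situation:
    name: str
    tags: frozenset = frozenset()        # Situation Tags this Situation carries


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                          # "Permit" or "Terminate"
    situations: frozenset = frozenset()  # Situations added as single elements
    tags: frozenset = frozenset()        # Situations added through a Situation Tag
    sources: Optional[frozenset] = None  # None means ANY source address


def expand(rule: Rule, catalog: list) -> set:
    """Situation names a rule covers: the explicit ones plus every catalog
    Situation carrying one of the rule's Tags. A Situation matches the same
    way whether it was added directly or through a Tag."""
    return set(rule.situations) | {s.name for s in catalog if s.tags & rule.tags}


def evaluate(policy: list, catalog: list, src: str, detected: list):
    """Walk the policy top-down for each detected Situation in a connection.
    The first rule covering the Situation (and the source) matches, and no rule
    further down may match that Situation again. Permit leaves the connection
    open and processing continues; Terminate closes it but other Situations
    can still match afterwards. Returns (match events, terminated?)."""
    events, terminated = [], False
    for sit in detected:
        for rule in policy:
            if rule.sources is not None and src not in rule.sources:
                continue
            if sit in expand(rule, catalog):
                events.append((rule.name, sit, rule.action))
                terminated = terminated or rule.action == "Terminate"
                break                    # this Situation is consumed
    return events, terminated


def shadowed(policy: list, catalog: list) -> list:
    """Names of rules that can never fire because an earlier rule already
    covers every Situation and every source they could match, i.e. a specific
    rule placed below a more general one."""
    out = []
    for i, later in enumerate(policy):
        for earlier in policy[:i]:
            src_covered = earlier.sources is None or (
                later.sources is not None and later.sources <= earlier.sources)
            if src_covered and expand(later, catalog) <= expand(earlier, catalog):
                out.append(later.name)
                break
    return out


# Constructed Situation catalog and policy (hypothetical names).
CATALOG = [
    Situation("HTTP_Example-Exploit", frozenset({"Web-Attacks"})),
    Situation("SSH_Login-Guessing", frozenset({"Brute-Force"})),
]
EXCEPTION = Rule("Exc-Scanner", "Permit",
                 situations=frozenset({"HTTP_Example-Exploit"}),
                 sources=frozenset({"10.0.0.5"}))    # approved internal scanner
WEB = Rule("Stop-Web-Attacks", "Terminate", tags=frozenset({"Web-Attacks"}))
BRUTE = Rule("Stop-Brute-Force", "Terminate", tags=frozenset({"Brute-Force"}))

GOOD_ORDER = [EXCEPTION, WEB, BRUTE]   # Exceptions tab first, then the Rules tree
BAD_ORDER = [WEB, EXCEPTION, BRUTE]    # general rule placed above the specific one


def new_situation_is_picked_up():
    """Creating a Situation with a Tag used in the policy changes behaviour
    without anyone editing the policy: the Terminate rule now covers it."""
    before = evaluate(GOOD_ORDER, CATALOG, "192.0.2.7", ["HTTP_New-Exploit"])
    bigger = CATALOG + [Situation("HTTP_New-Exploit", frozenset({"Web-Attacks"}))]
    after = evaluate(GOOD_ORDER, bigger, "192.0.2.7", ["HTTP_New-Exploit"])
    return before, after


if __name__ == "__main__":
    print(evaluate(GOOD_ORDER, CATALOG, "10.0.0.5", ["HTTP_Example-Exploit"]))
    print(evaluate(GOOD_ORDER, CATALOG, "192.0.2.7",
                   ["HTTP_Example-Exploit", "SSH_Login-Guessing"]))
    print("shadowed in BAD_ORDER:", shadowed(BAD_ORDER, CATALOG))
    print(new_situation_is_picked_up())
```

With the Exception first, the scanner's connection is permitted and the Terminate rule below never sees that Situation again; with the general Terminate rule moved above it, `shadowed` reports the Exception as unreachable and the scanner's traffic is terminated. `new_situation_is_picked_up` shows the point made earlier about Tags: a Situation created later with the `Web-Attacks` Tag is terminated by the existing rule even though the policy itself was not touched.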