Rule order for Inspection Policy elements

The rules in Inspection Policy elements are read from the top down. More specific rules must be placed above more general rules that match the same traffic.

The detailed rules that apply to specific IP addresses and Protocols are defined on the Exceptions tab. The general rules that apply to the remaining traffic are defined in the Rules tree on the Inspection tab.

Traffic matching in Inspection rules and exceptions differs from other types of rules because it is based on the traffic pattern definitions in Situation elements. The NGFW Engines inspect the traffic for all patterns included in the policy. When a pattern is found, the Inspection rules and exceptions are matched against the Situation element that contains the detected pattern. Inspection rules and exceptions therefore match only when a pattern is detected: traffic in which no pattern is detected is allowed through without any action being taken.
Note: Each Situation element is a unique pattern. Avoid defining the same pattern in different Situation elements. Duplicate Situations in the policy can produce unintended results and make the policies difficult to manage.

Inspection rules and exceptions can look different even if they refer to the same Situation because Situations can be grouped using Situation Tag and Situation Type elements. However, the rules match patterns in the same way whether you add the Situation as a single element or together with other Situations through a Situation Tag or Situation Type.

Because traffic matching is based on the traffic pattern definitions in Situation elements, the behavior of the Inspection rules and exceptions can change without anyone editing the policy directly. For example, creating a new Situation element automatically includes it in the policy if the Situation is associated with a Situation Tag or Situation Type element that is already used in the policy.

The Permit and Terminate actions in Inspection rules and exceptions have different effects on policy processing when a rule matches.

  • Permit — Allows traffic that matches the traffic pattern. A Permit action does not unconditionally allow the traffic because processing continues to look for other patterns. However, a Permit match does prevent the same Situation from matching again if it appears at any point further down in the policy.
  • Terminate — Stops traffic that matches the pattern. The Terminate action prevents the same Situation from matching again if it appears at any point further down in the policy, but does not prevent other Situations from matching.
For example, consider a rule that contains Situation A with Permit as the action and the logging level set to “None”, followed further down by a second rule that contains Situation A with Terminate as the action and the logging level set to “Stored”. Because the traffic has already matched the rule that permits Situation A, the second rule never matches: no log entries are generated for Situation A, and the traffic that matches the pattern continues uninterrupted. To get the intended result, place the more specific Terminate rule above the general Permit rule.
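The matching behavior described above, modeled as an added Python example (this is not Forcepoint NGFW code; the Situation, Rule and evaluate names, the rule fields and the sample policies are assumptions made for illustration). It walks an ordered policy once per detected Situation, lets the first rule that lists the Situation consume it, treats Permit and Terminate as described, and matches Situations through Tags the same way as directly listed Situations. The constructed policies reproduce the Permit-above-Terminate mistake and its corrected ordering, a Situation created after the policy was written being picked up through a Tag, and a Terminate that still lets a second Situation match its own logging rule.

```python
"""Model of Inspection rule/exception matching as described on this page.
Constructed example, not Forcepoint NGFW code: the data structures, rule
fields and function names are assumptions made for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Situation:
    name: str
    tags: frozenset = frozenset()  # Situation Tags / Types the Situation belongs to


@dataclass(frozen=True)
class Rule:
    matches: frozenset      # Situation names and/or Tag names listed in the rule
    action: str             # "Permit" or "Terminate"
    logging: str = "None"   # "None" or "Stored"
    comment: str = ""


def rule_matches(rule: Rule, situation: Situation) -> bool:
    """A rule matches a detected Situation whether the Situation is listed
    directly or pulled in through one of its Tags (same matching either way)."""
    return situation.name in rule.matches or bool(situation.tags & rule.matches)


def evaluate(policy: list, detected: list) -> tuple:
    """Walk the policy top-down once per detected Situation.

    The first rule listing the Situation consumes it: later rules that list the
    same Situation are never reached. Permit keeps the connection open and
    processing continues with the next detected Situation; Terminate marks the
    connection for termination but still lets other Situations match (and log).
    A Situation that no rule lists is allowed through with no action and no log.
    Returns (verdict, log entries, trace of (situation, rule comment, action))."""
    verdict = "allowed"
    logs = []
    trace = []
    for sit in detected:
        for rule in policy:
            if rule_matches(rule, sit):
                trace.append((sit.name, rule.comment, rule.action))
                if rule.logging != "None":
                    logs.append(f"{rule.logging}: {sit.name} -> {rule.action} ({rule.comment})")
                if rule.action == "Terminate":
                    verdict = "terminated"
                break  # this Situation is consumed; rules further down never see it
    return verdict, logs, trace


# Constructed sample Situations (not real pattern definitions).
SIT_A = Situation("Situation A")
SIT_B = Situation("Situation B", frozenset({"Tag X"}))

# The ordering mistake from the page: general Permit above specific Terminate.
WRONG_ORDER = [
    Rule(frozenset({"Situation A"}), "Permit", "None", "general permit"),
    Rule(frozenset({"Situation A"}), "Terminate", "Stored", "specific terminate"),
]
# Fix: the more specific rule (here the Terminate) goes above the general one.
RIGHT_ORDER = [WRONG_ORDER[1], WRONG_ORDER[0]]

# A rule on a Tag picks up every Situation carrying that Tag, including one
# created after the policy was written.
TAG_POLICY = [Rule(frozenset({"Tag X"}), "Terminate", "Stored", "terminate Tag X")]


def wrong_order_result():
    return evaluate(WRONG_ORDER, [SIT_A])


def right_order_result():
    return evaluate(RIGHT_ORDER, [SIT_A])


def new_situation_result():
    sit_c = Situation("Situation C", frozenset({"Tag X"}))  # newly created, tagged
    return evaluate(TAG_POLICY, [sit_c])


def terminate_keeps_matching_others():
    # Terminate on A does not stop B from matching its own (logging) rule.
    policy = [
        Rule(frozenset({"Situation A"}), "Terminate", "Stored", "terminate A"),
        Rule(frozenset({"Tag X"}), "Permit", "Stored", "log Tag X"),
    ]
    return evaluate(policy, [SIT_A, SIT_B])


if __name__ == "__main__":
    for fn in (wrong_order_result, right_order_result,
               new_situation_result, terminate_keeps_matching_others):
        print(fn.__name__, fn())
```

With the wrong ordering, Situation A is consumed by the silent Permit rule, the Terminate rule is never reached, and the result is an allowed connection with no log entry; swapping the two rules yields a terminated connection and a Stored log entry. The Tag case shows why a policy can change behavior when a Situation is created rather than when the policy is edited.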