Inserting the Service with Protocol Agent in Firewall Access rules

Whether you create a custom Service or use a predefined Services that have a Protocol Agent attached to them, define the traffic in the Access rules in your policies.

A Protocol Agent can be set either on a rule-by-rule basis or you can create a rule with Continue as the Action. When there is a Continue rule, rules further down in the rule table that match traffic (same source and destination) use the Protocol Agent defined in the Continue rule.

With Protocol Agents, the Continue rule affects only rules where the Service cell is set to ANY. More specific Service definitions override the Continue rule, as all Service elements specify that either some particular Protocol Agent or no Protocol Agent is used.

Some protocols might require a Protocol Agent if the Connection Tracking option is enabled for the rule. Those protocols might not be allowed by a rule that has ANY as its Service unless a Protocol Agent is configured using a previous matching Continue rule. The Firewall Template Policy contains a Continue rule that sets a Protocol Agent to be used with Services in the Service Group called Default Services with Agents.

Protocol Agents validate traffic against the specifics of a particular protocol, so make sure that a Service is not applied to traffic that does not use that protocol. Also, Protocol Agents are designed for particular types of uses, so they might not always be appropriate even if the protocol matches.