Network all-nets and Source/Destination Interface all. This allows logging to be turned on for
traffic that matches no IP rule.
3.6.3. IP Rule
An IP Rule object consists of two parts:
• The filtering criteria which target the traffic that the rule is aimed at.
• The action that the rule will perform on that traffic.
IP Rule Filters
The filtering parameters of an IP rules are as follows:
• Source Interface.
• Source Network.
• Destination Interface.
• Destination Network.
• Service (this identifies the protocol of the traffic).
In addition, geolocation filters can be applied to the source and destination networks so that
certain countries or regions can be targeted by the rule.
The Service in an IP rule can be important because if an Application Layer Gateway object is to be
applied to traffic then it must be associated with a service object (see Section 6.2, “ALGs”).
IP Rule Actions
When an IP rule is triggered by a match then one of the following Actions can occur:
• Allow
The packet is allowed to pass. As the rule is applied to only the opening of a connection, an
entry in the "state table" is made to record that a connection is open. The remaining packets
related to this connection will pass through the NetDefendOS "stateful engine".
• FwdFast
Let the packet pass through the NetDefend Firewall without setting up a state for it in the
state table. This means that the stateful inspection process is bypassed and is therefore less
secure than Allow or NAT rules. Packet processing time is also slower than Allow rules since
every packet is checked against the entire rule set.
Instead of using an IP Rule object, the FwdFast functionality can alternatively be configured
using a Stateless Policy object. This is described in Section 3.6.8, “Stateless Policy”.
• NAT
This functions like an Allow rule, but with dynamic address translation (NAT) enabled (see
Section 7.2, “NAT” in Chapter 7, Address Translation for a detailed description).
• SAT
Chapter 3: Fundamentals
233
To Next Page
Loading...
