NSA3600 Rules priority
Den Newbie ✭
I have around 400 rules on my NSA3600 pair. For example, from ZONE1 to ZONE2 I have 10 rules, and at the bottom I have the default rule with 'deny any'.
Now I changed the action in the default rule from 'deny' to 'allow' and want to put this rule at the top of the rule list for this zone. How can it influence the priorities of the other rules in the current zone, and in other zones as well?
Thank you in advance.
Category: Firewall Management and Analytics
If you're running current firmware, you should be able to accomplish this very easily just by setting the Priority in the specific rule to Manual and giving it a number to put it in the right place, 1 for highest. Or just click the arrows in the Priority column, which does the same.
The other rules in your zone should be untouched, except that their priorities might get changed, because you have a new number #1.
When packets traverse a network, administrators might want to deny certain traffic that is unwanted. The most basic way of blocking certain network traffic is to implement a packet filter. A packet filter will examine packets going through the filter and decide, based on a list of rules, whether a packet is allowed or denied.
A packet filter will always compare the received packet with the list of rules from top to bottom until it finds a rule that matches the packet. Depending on the packet filter, the order of rules is either adjusted manually, set in the sequence in which the rules are programmed, or decided by the packet filter itself.
In this last case a rule of thumb is:
- More specific rules precede more general rules;
- Deny precedes allow.
(In general) A rule in a packet filter consists of four parts (in SonicOS's case the order number is also taken into account, as well as Priority, Schedule, Included Users and Excluded Users, but I'm using only the usual tuples that are used in any device, not vendor specific, just to showcase the importance of understanding how a set of rules is dynamically assigned priority depending on their specificity):
- Source;
- Destination;
- Service / Port;
- Action.
Source and Destination can each be a host IP, a contiguous range of IP addresses or an entire subnet. The Service or Port can be either a single port or a contiguous range of ports. The Action has three options:
- Allow, which will allow the packet to traverse;
- Deny, which will reset the connection;
- Discard, which will drop the packet.
The difference between Deny and Discard is that with Deny the sender gets a reset packet sent back.
For example, if you look at the following list of rules:

| Source | Destination | Service | Action |
| --- | --- | --- | --- |
| Any | 192.168.1.1 | Any | Allow |
| Any | 10.10.11.2 | HTTP | Allow |
| 192.168.2.0 | 172.16.254.3 | Any | Deny |
| Any | Any | Any | Deny |
| Any | 10.10.11.2 | HTTP | Deny |
| Any | Any | DNS | Allow |
| 192.168.2.0 | 10.10.11.2 | HTTP | Allow |
They will be placed in the following order:

| Nr | Source | Destination | Service | Action |
| --- | --- | --- | --- | --- |
| 1 | 192.168.2.0 | 10.10.11.2 | HTTP | Allow |
| 2 | 192.168.2.0 | 172.16.254.3 | Any | Deny |
| 3 | Any | 10.10.11.2 | HTTP | Deny |
| 4 | Any | 10.10.11.2 | HTTP | Allow |
| 5 | Any | 192.168.1.1 | Any | Allow |
| 6 | Any | Any | DNS | Allow |
| 7 | Any | Any | Any | Deny |
In SonicOS's case you will have other variables that can influence this, but I believe the above example brings clarity on why the Access Rules are re-ordered when a new one has been added. Of course, you can override the auto-assigned priority and move your rules higher to obtain whatever behaviour you want for your flows.
Hope that answered your request.
Kind regards, Stan.
Solutions Architect at SonicWall. Feel free to @Stan if you have any questions on any product.
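The specificity ordering described in Stan's answer, worked through in Python as an added example (this is not Stan's or SonicWall's code). The tie-break between equally specific rules (rank by source, then destination, then service, then deny before allow) is an assumption chosen to reproduce the table above, not the SonicOS algorithm; `covers`, `first_match` and `shadowed` are helpers introduced here, and `shadowed` also shows what happens in Den's scenario when an allow-any rule is forced to priority 1.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    source: str
    destination: str
    service: str
    action: str  # "Allow", "Deny" or "Discard"

def fields(rule: Rule):
    return (rule.source, rule.destination, rule.service)

# The seven rules from the answer above, in the order they were entered.
UNORDERED_RULES = [
    Rule("Any", "192.168.1.1", "Any", "Allow"),
    Rule("Any", "10.10.11.2", "HTTP", "Allow"),
    Rule("192.168.2.0", "172.16.254.3", "Any", "Deny"),
    Rule("Any", "Any", "Any", "Deny"),
    Rule("Any", "10.10.11.2", "HTTP", "Deny"),
    Rule("Any", "Any", "DNS", "Allow"),
    Rule("192.168.2.0", "10.10.11.2", "HTTP", "Allow"),
]

def specificity_key(rule: Rule):
    # Rule of thumb: more specific before more general, then deny before allow. Assumed
    # tie-break: rank by field (source, destination, service); SonicOS weighs more.
    specific = tuple(int(f != "Any") for f in fields(rule))
    return (sum(specific), specific, int(rule.action != "Allow"))

def auto_order(rules: List[Rule]) -> List[Rule]:
    """Order rules as the packet filter would evaluate them, top to bottom."""
    return sorted(rules, key=specificity_key, reverse=True)

def covers(general: Rule, specific: Rule) -> bool:
    """True when every packet matched by `specific` is also matched by `general`."""
    return all(g == "Any" or g == s for g, s in zip(fields(general), fields(specific)))

def first_match(ordered: List[Rule], src: str, dst: str, svc: str) -> Optional[Rule]:
    """First rule matching the packet decides (exact field match; no subnet expansion)."""
    return next((r for r in ordered if covers(r, Rule(src, dst, svc, ""))), None)

def shadowed(ordered: List[Rule]) -> List[Rule]:
    """Rules that can never fire: an earlier rule already covers everything they match."""
    return [r for i, r in enumerate(ordered) if any(covers(e, r) for e in ordered[:i])]

if __name__ == "__main__":
    for nr, r in enumerate(auto_order(UNORDERED_RULES), 1):
        print(nr, *fields(r), r.action)
```

Running it prints the seven rules in the order of the second table; `shadowed(auto_order(UNORDERED_RULES))` reports rule 4 as unreachable because rule 3 matches the same tuple first, and prepending `Rule("Any", "Any", "Any", "Allow")` shadows all seven.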