Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

NSA3600 Rules priority

Hi all, 

I have around 400 rules on my NSA3600 pair. For example from ZONE1 to ZONE2 I have 10 rules and in the bottom I have default rule with 'deny any'.  

Now i changed action in default rule from 'deny' to 'allow' and want to put this rule in the top of list rules for this zone. How it can influence on another rules priorities in current zone and in another zones as well?


Thank you in advance.

Category: Firewall Management and Analytics
Reply

Answers

  • BWCBWC Cybersecurity Overlord ✭✭✭

    Hi @Den,

    if you're running a current firmware you should be able to accomplish this very easily just by setting the Priority in the specific rule to manual and give a number to put in the right place, 1 for highest. Or just click on the arrows in the Priority column which does the same.

    The other rules in your zone should be untouched, except the priorities might get changed, because you have a new number #1.

    --Michael@BWC

  • StanStan Moderator
    edited March 2020

    Dear Den,

    When Packets traverse a network Administrators might want to deny certain traffic that is unwanted. The most basic way of blocking certain network is to implement a Packet Filter. A Packet Filter will examine Packets going through the Filter and will decide, based on a list of rules, whether a Packet is allowed or is denied.

    A Packet Filter will always compare the received packet with the list of rules from top to bottom until it finds a rule that matches the Packet. Depending on the Packet Filter the order of rules can be either manually adjusted, the order of rules is set in the sequence it is programmed or the Packet Filter decides on the rule itself in which order it should be placed.

    In this last case a rule of thumb is:

    -More specific rules precede more general rules;

    -Deny precedes allow.

    (In general) A rule in a Packet Filter consists out of four parts (in SonicOS case there's also order number is taking into account, Priority, Schedule, Included Users, Excluded Users, but I'm using only the usual tuples which are used in any device, not vendor specific, just for showcasing the importance of understanding how a set of rules are dynamically assigned priority depending on their specificity):

    -Source;

    -Destination;

    -Service / Port;

    -Action.

    Source and Destination can either be a host IP, a contiguous range of IP Addresses or an entire subnet. The Service or Port can be either a single Port or a contiguous range of ports. The Action has three options:

    -Allow, which will allow the Packet to traverse;

    -Deny, which will reset the connection;

    -Discard, which will drop the Packet.

    The difference between Deny and Discard is that with Deny the sender gets a reset packet send back.


    For example if you look at the following list of rules:


    Source Destination Service Action

    Any 192.168.1.1 Any Allow

    Any 10.10.11.2 HTTP Allow

    192.168.2.0 172.16.254.3 Any Deny

    Any Any Any Deny

    Any 10.10.11.2 HTTP Deny

    Any Any DNS Allow

    192.168.2.0 10.10.11.2 HTTP Allow


    They will be placed in the following order:


    Nr Source Destination Service Action

    1 192.168.2.0 10.10.11.2 HTTP Allow

    2 192.168.2.0 172.16.254.3 Any Deny

    3 Any 10.10.11.2 HTTP Deny

    4 Any 10.10.11.2 HTTP Allow

    5 Any 192.168.1.1 Any Allow

    6 Any Any DNS Allow

    7 Any Any Any Deny



    In SonicOS case you will have other variables who can influence this, but I believe the above example brings clarity on why the Access Rules are re-ordered when a new one has been added. Of-course, you can override the auto-assigned priority and move your rules higher to obtain whatever desired behaviour you want for your flows.


    Hope that answered your request.

    Kind regards, Stan.

    Solutions Architect at SonicWall. Feel free to @Stan  if you have any questions on any product.

Sign In or Register to comment.