This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Help

Who rated this post

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
_Val_
Admin
Admin
‎2020-11-05 07:45 AM
In response to Annie-CCSA

No, it is even more interesting for accept action 🙂

Imagine you have a layer with the main rule

Rule number Source Destination Services and Applications Content Action
1 Internal Networks Internet Web Services Any Inline Layer
1.1 Any Any Gambling Category Any Drop
1.2  Any Any Any  Excel Files Drop
1.3 Any Any Streaming Services Accept Log and Accounting
1.4 Any Any Any Accept Log

 

Rule 1.4 is the cleanup for the section. 

With the first package, if we cannot guess at once that it is either 1.1 or 1.3 (depends on application), all rules 1.1 to 1.4 will be conditionally matched. As at least one of them saying "Accept", we let traffic through, because we cannot make a final match on the first packet for most of it.

Now, when the data start flowing, we can make a final match. If I am trying to upload an Excel file, it will be blocked by 1.2. If it is a regular web, we will not change final match, which is 1.4. IF we suddenly detect video service, we will re-match to 1.3.

Did I confuse you yet?

0 Kudos
(1)
Who rated this post