George_Ellis
Collaborator

In-Line rules, can they 'do nothing' as the last rule

I am confident that the answer is no for in-line rules.  You can drop or allow, but not 'do nothing, pass to the next rule'.  Of course, the standard answer is it will be in the next version...

The reason I ask is that we have a global rule that wants to use a complex service, ALL_DCE_RPC.  SecureXL stops at that rule.
With In-Line rules, you could 'hide' ALL_DCE_RPC away from the normal acceleration line.  But rules cover a large group of IPs, so will match some parameter.  But as the inline runs its course, I would want to use it as a filter and continue with the rest of the rules. 

Like I said, this is something that is not covered in the process. But if you know a way, please share.

2 Solutions

Accepted Solutions
Timothy_Hall
Champion

I think what you are asking is that if a top/parent rule is matched (say rule 3), and we descend into the sub-rules (3.x) and then if no explicit sub-rules match is there a way to "do nothing" and continue rulebase evaluation at top/parent rule 4?

If I understand you correctly the answer is no.  There is an implied cleanup rule at the end of the sub-layer that will either drop or accept according to the layer property and it is over at that point as a decision has been rendered, there is no way to continue with next parent/top rule right under the sub-layer.

Watch My 2023 CPX360 Speech Titled "Max Power
Reloaded: R81+ Gateway Performance Innovations"
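As an added illustration of the evaluation order described in this answer (example code, not Check Point's own; rule names, hosts and services are constructed), the model below shows that once a parent rule sends a packet into its sub-layer, the outcome is always a sub-rule or that sub-layer's implied cleanup rule, never the next parent rule:

```python
# Added example, not Check Point code: a toy model of ordered-layer
# evaluation with inline (sub-)layers; all rule/layer names are constructed.
from dataclasses import dataclass
from typing import Optional, List

@dataclass
class Rule:
    name: str
    src: set                        # source IPs matched ("*" = any)
    service: set                    # services matched ("*" = any)
    action: Optional[str] = None    # "accept"/"drop"; None for an inline rule
    sublayer: Optional["Layer"] = None

@dataclass
class Layer:
    name: str
    rules: List[Rule]
    cleanup_action: str = "drop"    # implied cleanup rule (layer property)

def matches(rule, pkt):
    return (("*" in rule.src or pkt["src"] in rule.src)
            and ("*" in rule.service or pkt["service"] in rule.service))

def evaluate(layer, pkt, trail=None):
    """Return (final_action, trail of rule names). Entering a sub-layer always
    ends in a decision: a sub-rule or the sub-layer's implied cleanup rule.
    Evaluation never resumes at the next parent rule."""
    trail = [] if trail is None else trail
    for rule in layer.rules:
        if not matches(rule, pkt):
            continue
        trail.append(rule.name)
        if rule.sublayer is not None:
            return evaluate(rule.sublayer, pkt, trail)
        return rule.action, trail
    trail.append(f"{layer.name}:implied-cleanup")
    return layer.cleanup_action, trail

# Constructed policy: parent rule 3 covers a group of hosts for any service,
# while its sub-layer only has an explicit rule for a DCE/RPC-style service.
DCE_RPC_SUBLAYER = Layer("rule3-sub", [Rule("3.1", {"*"}, {"dce-rpc"}, "accept")])
POLICY = Layer("Network", [
    Rule("1", {"10.0.0.5"}, {"ssh"}, "accept"),
    Rule("2", {"*"}, {"dns"}, "accept"),
    Rule("3", {"10.0.0.5", "10.0.0.6"}, {"*"}, sublayer=DCE_RPC_SUBLAYER),
    Rule("4", {"10.0.0.6"}, {"https"}, "accept"),   # never reached via rule 3
])

def decide(src, service):
    return evaluate(POLICY, {"src": src, "service": service})
```

Calling `decide("10.0.0.6", "https")` lands on the sub-layer's implied cleanup (drop) even though parent rule 4 would have accepted it, which is exactly the fall-through the thread is asking for and the product does not offer.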


the_rock
Legend

I'm pretty confident the answer is no, and I'm more than confident that it will NOT be in the next version either : - ). As you said, the best you can do is set it to allow or drop. Sadly, you can't change it in the field below either...

[Screenshot: Screenshot_1.png]


7 Replies
George_Ellis
Collaborator

That is the way I know it would work.  I was just having a hope on hope that there was a trick to bend it to my will.  Fixed in R90 probably... 😉

the_rock
Legend

R100 would be more appropriate mate ; - )


PhoneBoy
Admin

There is a DCE-RCE-Protocol "Application" in Application Control that should be SecureXL friendly.
Of course, that assumes you're using Application Control on the relevant gateways...

George_Ellis
Collaborator

Maybe it is time to reevaluate AC 🙂


Timothy_Hall
Champion

Yes and no.  While the use of that DCE/RPC application-based object will prevent SecureXL templating from being stopped (reported by fwaccel stat), as opposed to using a simple DCE/RPC service, doing so requires APCL/URLF to be enabled in that first layer along with the Firewall blade.  Once you do that, fwaccel stat will report templating "enabled" with no rule stopping it, but the actual live templating rate will always be zero, as shown by fwaccel stats -s.

This is a consequence of using application objects in your first layer along with the Firewall blade, and why it is recommended to not invoke APCL/URLF/Content Awareness in the first layer of an ordered implementation; Firewall should be all by itself in that first layer.  For inline layers the top/parent layer should only use simple services, while APCL/URLF/Content Awareness objects are only invoked in sub-layers.

Admittedly I haven't checked this behavior since R80.40 and it may have changed in the latest releases (but I doubt it), will check today.
