Prefilter policy rule order
In a prefilter policy, tunnel rules, prefilter rules, and a default action handle network traffic:
- Tunnel and prefilter rules—First, rules in a prefilter policy handle traffic in the order you specify. Tunnel rules match specific tunnels only. Prefilter rules have a wider range of constraints.
  Rules are matched in top-down order, and the first match wins, so rule order is critical. For example, you might want to block an entire subnet except for two specific IP addresses on that subnet. In that case:
  - The first rule should specify the two allowable IP addresses as the source network, with Analyze as the rule action. Connections from these two IP addresses match this rule, and the next rule is not processed for them.
  - The next rule should specify the entire subnet as the source network, with Block as the rule action.
  For more information, see Tunnel vs prefilter rules.
- Default action (tunnels only)—If a tunnel does not match any rule, the default action handles it. The default action can block these tunnels or continue access control on their individual encapsulated connections (Analyze action).
  There is no default action for nonencapsulated traffic. If a nonencapsulated connection does not match any prefilter rule, the system continues with access control. These connections might subsequently be blocked by other policies, or ultimately allowed.
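The following is an added illustration of the top-down, first-match evaluation described above, together with the different fall-through behaviour for tunnels and nonencapsulated traffic; it is constructed for this page and is not the firewall's own code. It models only the source-network constraint, uses RFC 5737 documentation addresses, and adds a simple shadowing check that flags a rule an earlier rule fully covers (the mistake that occurs when the subnet Block rule is placed above the two-host Analyze rule).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Simplified model of prefilter rule evaluation (constructed for illustration;
# not the firewall's own code). Only the source network constraint is modelled.
@dataclass
class PrefilterRule:
    name: str
    source_networks: list          # CIDR strings; any one matching is a hit
    action: str                    # "Analyze" or "Block"
    tunnel_rule: bool = False      # tunnel rules match encapsulated tunnels only

def rule_matches(rule, src_ip, is_tunnel):
    if rule.tunnel_rule and not is_tunnel:
        return False
    src = ip_address(src_ip)
    return any(src in ip_network(net) for net in rule.source_networks)

def evaluate(rules, src_ip, is_tunnel=False, tunnel_default="Analyze"):
    """Walk the rules top-down; the first match wins and later rules are skipped."""
    for rule in rules:
        if rule_matches(rule, src_ip, is_tunnel):
            return rule.name, rule.action
    if is_tunnel:                  # tunnels fall through to the default action
        return "default action", tunnel_default
    return "no match", "Continue to access control"   # nonencapsulated traffic

def shadowed_rules(rules):
    """Names of rules an earlier rule already fully covers, so they never match.
    Simplified: compares against each earlier rule individually, not their union."""
    shadowed = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.tunnel_rule and not rule.tunnel_rule:
                continue           # a tunnel rule cannot shadow a prefilter rule
            if all(any(ip_network(n).subnet_of(ip_network(e))
                       for e in earlier.source_networks)
                   for n in rule.source_networks):
                shadowed.append(rule.name)
                break
    return shadowed

# Constructed rules for the scenario in the text: allow two hosts, block the rest.
ALLOW_TWO_HOSTS = PrefilterRule("allow-two-hosts", ["192.0.2.10/32", "192.0.2.20/32"], "Analyze")
BLOCK_SUBNET = PrefilterRule("block-subnet", ["192.0.2.0/24"], "Block")
CORRECT_ORDER = [ALLOW_TWO_HOSTS, BLOCK_SUBNET]
WRONG_ORDER = [BLOCK_SUBNET, ALLOW_TWO_HOSTS]   # the exceptions are shadowed

if __name__ == "__main__":
    for rules in (CORRECT_ORDER, WRONG_ORDER):
        print([r.name for r in rules], evaluate(rules, "192.0.2.10"),
              "shadowed:", shadowed_rules(rules))
```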
Changing Rule Order
If you need to change rule order, you can:
- Drag and drop the rule to the right location.
- Right-click the rule and select Cut, then find the right location, right-click, and select Paste Above or Paste Below.
- Edit the rule and use the Insert control to change its location.