Rule preemption
Rule preemption occurs when a rule will never match traffic because a rule earlier in the evaluation order matches the traffic first. A rule's conditions govern whether it preempts other rules. In the following example, the second rule cannot block Admin traffic because the first rule allows it:
- Access control rule 1: allow Admin users
- Access control rule 2: block Admin users
Any type of rule condition can preempt a subsequent rule. The VLAN range in the first rule includes the VLAN in the second rule, so the first rule preempts the second. To block VLAN 27, you must move the block rule above the rule that allows VLAN 22-33.
- Access control rule 1: allow Source Network VLAN 22-33
- Access control rule 2: block Source Network VLAN 27
In the following example, Rule 1 matches any VLAN because no VLANs are configured, so Rule 1 preempts Rule 2, which attempts to match VLAN 2:
- Access control rule 1: allow Source Network 10.4.0.0/16
- Access control rule 2: allow Source Network 10.4.0.0/16, VLAN 2
A rule also preempts an identical subsequent rule where all configured conditions are the same:
- Access control rule 1: allow Source Network 10.10.10.0/24 to URL www.netflix.com
- Access control rule 2: allow Source Network 10.10.10.0/24 to URL www.netflix.com
A subsequent rule is not preempted if any condition differs:
- Access control rule 1: allow Source Network 10.10.10.0/24 to URL www.netflix.com
- Access control rule 2: allow Source Network 10.10.11.0/24 to URL www.netflix.com
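As an added illustration (not code from the original documentation or from the product), the following Python checker models the preemption rule described above: an earlier rule preempts a later one when every condition it has configured contains the later rule's corresponding condition, and an unconfigured condition matches anything. It runs the examples on this page plus the VLAN example reordered as recommended; the rule model, its field names and the network-containment check are assumptions, not the FMC data model.

```python
from ipaddress import ip_network

def rule(name, action, user=None, src_net=None, vlans=None, url=None):
    # Simplified rule model (an assumption, not the FMC data model): a
    # condition left as None is not configured and so matches any traffic.
    return dict(name=name, action=action, user=user,
                src_net=ip_network(src_net) if src_net else None,
                vlans=frozenset(vlans) if vlans is not None else None, url=url)

def covers(earlier, later):
    # The earlier rule preempts the later one when every condition it has
    # configured contains the later rule's corresponding condition; a rule
    # with no conditions of a type ("any") contains everything.
    if earlier["user"] is not None and earlier["user"] != later["user"]:
        return False
    if earlier["src_net"] is not None and (later["src_net"] is None
            or not later["src_net"].subnet_of(earlier["src_net"])):
        return False
    if earlier["vlans"] is not None and (later["vlans"] is None
            or not later["vlans"] <= earlier["vlans"]):
        return False
    return earlier["url"] is None or earlier["url"] == later["url"]

def find_preempted(rules):
    # Check each rule only against rules earlier in evaluation order and
    # return (preempted rule, preempting rule) name pairs.
    hits = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                hits.append((later["name"], earlier["name"]))
                break
    return hits

# Constructed policies mirroring the examples in the text; "vlan_fixed" is
# the VLAN example with the block rule moved above the allow rule.
EXAMPLES = {
    "admin": [rule("r1", "allow", user="Admin"), rule("r2", "block", user="Admin")],
    "vlan": [rule("r1", "allow", vlans=range(22, 34)), rule("r2", "block", vlans=[27])],
    "vlan_fixed": [rule("r1", "block", vlans=[27]), rule("r2", "allow", vlans=range(22, 34))],
    "any_vlan": [rule("r1", "allow", src_net="10.4.0.0/16"),
                 rule("r2", "allow", src_net="10.4.0.0/16", vlans=[2])],
    "identical": [rule("r1", "allow", src_net="10.10.10.0/24", url="www.netflix.com"),
                  rule("r2", "allow", src_net="10.10.10.0/24", url="www.netflix.com")],
    "different": [rule("r1", "allow", src_net="10.10.10.0/24", url="www.netflix.com"),
                  rule("r2", "allow", src_net="10.10.11.0/24", url="www.netflix.com")],
}

for name, policy in EXAMPLES.items():
    print(f"{name}: {find_preempted(policy) or 'no preemption'}")
```

The checker only reports a rule shadowed by a single earlier rule; a rule covered only by the union of several earlier rules is not detected by this simplified model.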