Rule processing stops as soon as there is a match (with some caveats – see below)

Rule logic first looks at Source, then Destination, Service, and Action. If there is a match there, rule processing stops and then further subset rule processing can happen (rules set for schedules, users/groups, or BWM) for that specific rule.

What cannot occur is two overlapping rules for the same service for different groups. For example, if you had a FW rule that allowed FTP for Group 1, and below it a FW rule to allow FTP for Group 2, Group 2 would never be allowed to use FTP. The first rule that gets a match is the allow rule for FTP – and it only applies for Group 1. Recall that rule processing first looks at Source, Destination and Service. As soon as there is a match, rule processing stops. Because of that, the 2nd FTP rule would never be reached.
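To make the first-match behaviour concrete, here is an added example (not SonicWALL's code, and not taken from the manual) that models the matching order described above: a rule is selected on source zone, destination zone and service only, and the user/group check is applied to that rule afterwards. It reproduces the FTP pitfall, shows the corrected single-rule form, and goes one step further than the text with a small audit helper that flags any rule that can never be reached because an earlier rule matches the same source, destination and service. Rule names, zone names, group names and the implicit default deny are assumptions made for the illustration.

```python
# Added example, not SonicWALL's own code. Models the documented first-match
# rule selection: Source -> Destination -> Service, then the matched rule's
# action and group subset check. Names and values are constructed.
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    service: str
    action: str                                  # "allow" or "deny"
    groups: FrozenSet[str] = frozenset()         # empty => applies to everyone


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    service: str
    user_groups: FrozenSet[str]                  # groups the authenticated user belongs to


def first_match(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """Return the first rule whose source, destination and service match.
    The user/group is deliberately NOT part of this selection."""
    for r in rules:
        if (r.src_zone, r.dst_zone, r.service) == (pkt.src_zone, pkt.dst_zone, pkt.service):
            return r
    return None


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[str]]:
    """Emulate the documented behaviour: stop at the first match, then apply the
    rule's group restriction. Returns (decision, name of the rule that decided)."""
    r = first_match(rules, pkt)
    if r is None:
        return ("deny", None)        # implicit default deny (assumption for this model)
    if r.groups and not (r.groups & pkt.user_groups):
        # Matched on src/dst/service but the user is not in the rule's group:
        # processing has already stopped, so later rules are never consulted.
        return ("deny", r.name)
    return (r.action, r.name)


def shadowed_rules(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Audit helper: (unreachable rule, rule that shadows it) for every rule that
    repeats an earlier rule's source zone, destination zone and service."""
    seen = {}
    result = []
    for r in rules:
        key = (r.src_zone, r.dst_zone, r.service)
        if key in seen:
            result.append((r.name, seen[key]))
        else:
            seen[key] = r.name
    return result


# The pitfall from the manual: two FTP allow rules for two different groups.
OVERLAPPING = [
    Rule("ftp-group1", "LAN", "WAN", "FTP", "allow", frozenset({"Group 1"})),
    Rule("ftp-group2", "LAN", "WAN", "FTP", "allow", frozenset({"Group 2"})),
]

# The corrected form: one rule for the service that names every group to allow.
CORRECTED = [
    Rule("ftp-both", "LAN", "WAN", "FTP", "allow", frozenset({"Group 1", "Group 2"})),
]

if __name__ == "__main__":
    group2_ftp = Packet("LAN", "WAN", "FTP", frozenset({"Group 2"}))
    print("overlapping:", evaluate(OVERLAPPING, group2_ftp))   # ('deny', 'ftp-group1')
    print("corrected:  ", evaluate(CORRECTED, group2_ftp))     # ('allow', 'ftp-both')
    print("shadowed:   ", shadowed_rules(OVERLAPPING))         # [('ftp-group2', 'ftp-group1')]
```

Running `shadowed_rules` over an exported rule list is the check a practitioner wants before relying on group-based allow rules: any pair it reports is a rule whose group will silently never get the access the administrator intended.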

In the following example, we’ll demonstrate how you can leverage firewall rules to allow a certain group of users to download POP email, while the rest of the organization is denied.

First, create a rule from LAN > WAN (note this could be from any zone you want to enforce this policy on, not just the LAN) that allows POP traffic for your LDAP group.

NOTE: The user or group is not used in selecting which rule to apply. You should always set a rule for the service, source, and destination. In that rule, select the user or group to be

SonicWALL SonicWALL UTM Appliance manual