SonicWALL SonicWALL UTM Appliance Welding System User Manual

Rule processing stops as soon as there is a match (with some caveats – see below)
Rule logic first looks at Source, then Destination, Service, and Action. If a rule matches on those fields, rule
processing stops there; any further evaluation (schedules, users/groups, or BWM configured on that rule) is
then done only within that one matching rule.
o What will not work is two overlapping rules for the same service for different groups. For
example, if you had a FW rule that allowed FTP for Group 1, and below it a FW rule that allowed
FTP for Group 2, Group 2 would never be allowed to use FTP. The first rule that matches is the
allow rule for FTP, and it applies only to Group 1. Recall that rule processing selects a rule on
Source, Destination and Service alone; the user or group plays no part in choosing the rule. As
soon as there is a match, rule processing stops, so the 2nd FTP rule would never be reached. To
allow both groups, list both of them in the users/groups setting of a single FTP rule.
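The following Python model of the matching order described above is an added example and not SonicOS code. It treats rule selection exactly as the manual states (first match on Source, Destination and Service only, then the selected rule's users/groups are checked, with no fall-through to later rules), and uses it to show the overlapping-FTP-rule pitfall, the single merged rule that fixes it (my inference from the stated matching order), and the group-restricted POP pattern that the example below builds. All rule names, group names, users and the bottom "Any" rule are constructed for illustration; whether denied traffic is dropped or redirected to authentication is not modelled.

```python
"""First-match firewall rule selection, modelled after the SonicWALL text.

Constructed example: rule/group/user names are made up, and the default
LAN > WAN "Any" rule at the bottom is assumed for illustration.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    source: str                    # source zone, e.g. "LAN"
    destination: str               # destination zone, e.g. "WAN"
    service: str                   # service object, e.g. "FTP", "POP3", or "Any"
    action: str                    # "Allow" or "Deny"
    groups: FrozenSet[str] = frozenset()   # empty: rule applies to every user


@dataclass(frozen=True)
class Flow:
    source: str
    destination: str
    service: str
    user: str
    groups: FrozenSet[str]         # groups the authenticated user belongs to


def select_rule(rules: List[Rule], flow: Flow) -> Optional[Rule]:
    """Return the first rule matching on Source/Destination/Service.

    The rule's users/groups are deliberately NOT consulted here; per the
    manual they never influence which rule is selected.
    """
    for rule in rules:
        if (rule.source == flow.source
                and rule.destination == flow.destination
                and rule.service in (flow.service, "Any")):
            return rule
    return None


def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, Optional[str]]:
    """Return (action, name of the rule that decided it).

    Traffic matching no rule is denied. If the selected rule is restricted
    to groups the user is not in, the flow is denied by that rule: lookup
    does not continue, so a later rule for the same service is never reached.
    """
    rule = select_rule(rules, flow)
    if rule is None:
        return "Deny", None
    if rule.groups and not (rule.groups & flow.groups):
        return "Deny", rule.name
    return rule.action, rule.name


# Pitfall from the text: two FTP allow rules for different groups.
OVERLAPPING_FTP = [
    Rule("ftp-group1", "LAN", "WAN", "FTP", "Allow", frozenset({"Group 1"})),
    Rule("ftp-group2", "LAN", "WAN", "FTP", "Allow", frozenset({"Group 2"})),  # never reached
]

# Fix: a single FTP rule whose users/groups setting lists both groups.
MERGED_FTP = [
    Rule("ftp-both", "LAN", "WAN", "FTP", "Allow", frozenset({"Group 1", "Group 2"})),
]

# POP pattern: allow POP3 for one LDAP group; everybody else's POP3 is denied
# because this rule is selected for them and they fail its group check, even
# though a permissive "Any" rule sits below it (assumed default, constructed).
POP_POLICY = [
    Rule("pop-mail-users", "LAN", "WAN", "POP3", "Allow", frozenset({"LDAP Mail Users"})),
    Rule("lan-wan-default", "LAN", "WAN", "Any", "Allow"),
]


def ftp(user: str, *groups: str) -> Flow:
    return Flow("LAN", "WAN", "FTP", user, frozenset(groups))


def pop(user: str, *groups: str) -> Flow:
    return Flow("LAN", "WAN", "POP3", user, frozenset(groups))


if __name__ == "__main__":
    for label, rules in (("overlapping", OVERLAPPING_FTP), ("merged", MERGED_FTP)):
        for flow in (ftp("alice", "Group 1"), ftp("bob", "Group 2")):
            print(label, flow.user, evaluate(rules, flow))
    for flow in (pop("carol", "LDAP Mail Users"), pop("dave", "Staff")):
        print("pop", flow.user, evaluate(POP_POLICY, flow))
    print("http", evaluate(POP_POLICY, Flow("LAN", "WAN", "HTTP", "dave", frozenset({"Staff"}))))
```

Running it shows bob (Group 2) denied by `ftp-group1` under the overlapping rule set and allowed once the groups are merged into one rule, and dave's POP3 denied by `pop-mail-users` while his HTTP falls through to the bottom `Any` rule.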
In the following example, we’ll demonstrate how you can leverage firewall rules to allow a certain group of
users to download POP email, while the rest of the organization is denied.
First, create a rule from LAN > WAN (note this could be from any zone you want to enforce this policy
on, not just the LAN) that allows POP traffic for your LDAP group.
NOTE: The user or group is not used in selecting which rule to apply. You should always set a rule for the
service, source, and destination. In that rule, select the user or group to be