Firewall rule actions and priorities

In this article:

Firewall rule actions

Firewall Rules can take the following actions:

  • Allow: Explicitly allows traffic that matches the rule to pass, and then implicitly denies everything else.
  • Bypass: Allows traffic to bypass both firewall and Intrusion Prevention analysis. Use this setting only for media-intensive protocols. A Bypass Rule can be based on IP, port, traffic direction, and protocol.
  • Deny: Explicitly blocks traffic that matches the rule.
  • Force Allow: Forcibly allows traffic that would otherwise be denied by other rules.
    Traffic permitted by a Force Allow Rule will still be subject to analysis by the Intrusion Prevention module.
  • Log only: Traffic will only be logged. No other action will be taken.

More about "Allow" Rules

Allow rules have two functions:

  1. Permit traffic that is explicitly allowed.
  2. Implicitly deny all other traffic.
Traffic that is not explicitly allowed by an Allow rule is dropped, and gets recorded as an Out of "allowed" Policy Firewall Event.

Commonly applied Allow rules include:

  • ARP: Permits incoming Address Resolution Protocol (ARP) traffic .
  • Allow solicited TCP/UDP replies: Ensures that the host computer is able to receive replies to its own TCP and UDP messages. This works in conjunction with TCP and UDP stateful configuration.
  • Allow solicited ICMP replies: Ensures that the host computer is able to receive replies to its own ICMP messages. This works in conjunction with ICMP stateful configuration.

More about "Bypass" Rules

The Bypass rule is designed for media-intensive protocols where filtering by the Firewall or Intrusion Prevention modules is neither required nor desired. Bypass rules have the following noteworthy characteristics:

A packet that matches the conditions of a Bypass rule:

  • is not subject to conditions of Stateful Configuration settings.
  • bypasses both Firewall and Intrusion Prevention analysis.

Since stateful inspection is not applied to bypassed traffic, bypassing traffic in one direction does not automatically bypass the response in the other direction. Because of this, bypass rules should always be created and applied in pairs, one rule for incoming traffic and another for outgoing.

Bypass Rules Events are not recorded. This is not a configurable behavior.
If the Deep Security Manager uses a remote database that is protected by a Deep Security Agent, Intrusion Prevention-related false alarms may occur when the Deep Security Manager saves Intrusion Prevention rules to the database. The contents of the rules themselves could be misidentified as an attack. One of the workarounds for this is to create a Bypass rule for traffic from the Deep Security Manager to the database host.

Default Bypass Rule for Deep Security Manager Traffic

The Deep Security Manager automatically implements a Priority 4 Bypass Rule that opens incoming TCP traffic on the agent's listening port for heartbeats on computers running Deep Security Agent. Priority 4 ensures that this Rule is applied before any Deny rule, and Bypass guarantees that the traffic is never impaired. The Bypass Rule is not explicitly shown in the Firewall rule list because the rule is created internally.

This rule, however, accepts traffic from any IP address and any MAC address. To harden the agent's security on this port, you can create an alternative, more restrictive, Bypass Rule for this port. The Agent will actually disable the default Manager traffic rule in favor of the new custom rule provided it has these characteristics:

The custom rule must use the above parameters to replace the default rule. Ideally, the IP address or MAC address of the actual Manager should be used as the packet source for the rule.

More about "Force Allow" Rules

The Force Allow option excludes a sub-set of traffic that could otherwise have been covered by a deny action. Its relationship to other actions is illustrated below. Force allow has the same effect as a Bypass rule. However, unlike Bypass, traffic that passes the firewall because of this action is still subject to inspection by the Intrusion Prevention module. The Force allow action is particularly useful for making sure that essential network services are able to communicate with the DSA computer. Generally, Force Allow rules should only be used in conjunction with Allow and rules to allow a subset of traffic that has been prohibited by the Allow and Deny rules. Force Allow rules are also required to allow unsolicited ICMP and UDP traffic when ICMP and UDP stateful are enabled.

When using multiple Managers in a multi-node arrangement, it may be useful to define an IP list for these servers, and then create a custom Manager traffic rule with that list.

Firewall rule sequence

Packets arriving at a computer get processed first by Firewall Rules, then the Firewall Stateful Configuration conditions, and finally by the Intrusion Prevention Rules.

This is the order in which Firewall Rules are applied (incoming and outgoing):

  1. Firewall Rules with priority 4 (highest)
    1. Bypass
    2. Log Only (Log Only rules can only be assigned a priority of 4 (highest))
    3. Force Allow
    4. Deny
  2. Firewall Rules with priority 3 (high)
    1. Bypass
    2. Force Allow
    3. Deny
  3. Firewall Rules with priority 2 (normal)
    1. Bypass
    2. Force Allow
    3. Deny
  4. Firewall Rules with priority 1 (low)
    1. Bypass
    2. Force Allow
    3. Deny
  5. Firewall Rules with priority 0 (lowest)
    1. Bypass
    2. Force Allow
    3. Deny
    4. Allow (Note that an Allow rule can only be assigned a priority of 0 (lowest))
If you have no Allow rules in effect on a computer, all traffic is permitted unless it is specifically blocked by a Deny rule. Once you create a single Allow rule, all other traffic is blocked unless it meets the conditions of the Allow rule. There is one exception to this: ICMPv6 traffic is always permitted unless it is specifically blocked by a Deny rule.

Within the same priority context, a Deny rule will override an Allow rule, and a Force Allow rule will override a Deny rule. By using the rule priorities system, a higher priority Deny rule can be made to override a lower priority Force Allow rule.

Consider the example of a DNS server policy that makes use of a Force Allow rule to allow all incoming DNS queries. Creating a Deny rule with a higher priority than the Force Allow rule lets you specify a particular range of IP addresses that must be prohibited from accessing the same public server.

Priority-based rule sets allow you set the order in which the rules are applied. If a Deny rule is set with the highest priority, and there are no Force Allow rules with the same priority, then any packet matching the Deny rule is automatically dropped and the remaining rules are ignored. Conversely, if a Force Allow rule with the highest priority flag set exists, any incoming packets matching the Force Allow rule will be automatically allowed through without being checked against any other rules.

A note on logging

Bypass Rules will never generate an Event. This is not configurable.

Log-only rules will only generate an Event if the packet in question is not subsequently stopped by either:

  • a Deny rule, or
  • an Allow rule that excludes it.

If the packet is stopped by one of those two rules, those rules will generate the Event and not the Log-only rule. If no subsequent rules stop the packet, the Log-only rule will generate an Event.

How firewall rules work together

Deep Security Firewall Rules have both a rule action and a rule priority. Used in conjunction, these two properties allow you to create very flexible and powerful rule-sets. Unlike rule-sets used by other firewalls, which may require that the rules be defined in the order in which they should be run, Deep Security Firewall Rules are run in a deterministic order based on the rule action and the rule priority, which is independent of the order in which they are defined or assigned.

Rule Action

Each rule can have one of four actions.

  1. Bypass: if a packet matches a bypass rule, it is passed through both the firewall and the Intrusion Prevention Engine regardless of any other rule (at the same priority level).
  2. Log Only: if a packet matches a log only rule it is passed and the event is logged.
  3. Force Allow: if a packet matches a force allow rule it is passed regardless of any other rules (at the same priority level).
  4. Deny: if a packet matches a deny rule it is dropped.
  5. Allow: if a packet matches an allow rule, it is passed. Any traffic not matching one of the allow rules is denied.

Implementing an ALLOW rule will cause all other traffic not specifically covered by the Allow rule to be denied:

A DENY rule can be implemented over an ALLOW to block specific types of traffic:

A FORCE ALLOW rule can be placed over the denied traffic to allow certain exceptions to pass through:

Rule priority

Rule actions of type deny and force allow can be defined at any one of 5 priorities to allow further refinement of the permitted traffic defined by the set of allow rules. Rules are run in priority order from highest (Priority 4) to lowest (Priority 0). Within a specific priority level the rules are processed in order based on the rule action (force allow, deny, allow, log only).

The priority context allows a User to successively refine traffic controls using deny/force allow combinations to achieve a greater flexibility. Within the same priority context, an allow rule can be negated with a deny rule, and a deny rule can be negated by a force allow rule.

Rule Actions of type allow run only at priority 0 while rule actions of type log only run only at priority 4.

Putting rule action and priority together

Rules are run in priority order from highest (Priority 4) to lowest (Priority 0). Within a specific priority level the rules are processed in order based on the rule action. The order in which rules of equal priority are processed is as follows:

  • Bypass
  • Log Only
  • Force Allow
  • Deny
  • Allow
Remember that Rule Actions of type allow run only at priority 0 while rule actions of type log only run only at priority 4.
It is important to remember that if you have a force allow rule and a deny rule at the same priority the force allow rule takes precedence over the deny rule and therefore traffic matching the force allow rule will be permitted.