Create a firewall bypass rule

There is a special type of firewall rule called a bypass rule. It is designed for media intensive protocols where filtering may not be desired. You create a bypass rule by selecting "bypass" as the rule's "Action" when creating a new firewall rule.

The "bypass" action on firewall rules differs from a Force Allow rule in the following ways:

  • Packets matching bypass will not be processed by intrusion prevention rules.
  • Unlike Force Allow, bypass will not automatically allow the responses on a TCP connection when firewall stateful configuration is on (see below for more information).
  • Some bypass rules are optimized, in that traffic will flow as efficiently as if the agent/appliance was not there (see below for more information)

Using bypass when firewall stateful configuration is on

If you plan to use a bypass rule to skip intrusion prevention rule processing on incoming traffic to TCP destination port N and firewall stateful configuration is set to perform stateful inspection on TCP, you must create a matching outgoing rule for source port N to allow the TCP responses. (This is not required for Force Allow rules because force-allowed traffic is still processed by the stateful engine.)

All bypass rules are unidirectional. Explicit rules are required for each direction of traffic.

Optimization

The bypass rule is designed to allow matching traffic through at the fastest possible rate. Maximum throughput can be achieved with (all) the following settings:

  • Priority: Highest
  • Frame Type: IP
  • Protocol: TCP, UDP, or other IP protocol. (Do not use the "Any" option.)
  • Source and Destination IP and MAC: all "Any"
  • If the protocol is TCP or UDP and the traffic direction is "incoming", the destination ports must be one or more specified ports (not "Any"), and the source ports must be "Any".
  • If the protocol is TCP or UDP and the traffic direction is "outgoing", the source ports must be one or more specified ports (Not "Any"), and the destination ports must be "Any".
  • Schedule: None.

Logging

Packets that match the bypass rule will not be logged. This is not a configurable option.