Unsupported content

 

This version of the product has reached end of support. The documentation is available for your convenience. However, you must be logged in to access it. You will not be able to leave comments.

Sorting rules for firewalls

This topic describes how sorting rules for firewalls are considered for BMC Network Automation. Firewalls function on the first match principle, so more specific rules need to appear in the device configuration before the less specific rules, to ensure the effectiveness of the more specific rules.

Order-sensitive firewall rules

Not all pairs of rules are order-sensitive; some rules are completely unrelated and if such rules constitute a pair, they can occur in any order.

A pair of rules is order-sensitive when:

  • one is a permit rule and the other is a deny rule. If you are considering 2 permit rules or 2 deny rules, where one rule is more specific than the other, the more specific rule is redundant.
  • the two rules overlap such, that the source and destination of one rule is completely contained within the source and destination of the other.

Firewall rule ordering criteria

The following sections describe the criteria for ordering the firewall sorting rules.

Scenarios for rule overlap

The following assumptions are made in the rule overlap scenarios:

  • The network administrator intends for both of the rules to be effective in each scenario.
  • The transport protocol is the same for the rules being considered. If the transport protocol is not equal, order does not matter.
  • The rules belong to the same access list
  • The logical operator preceding the destination port one exists is always eq.
  • The fact that the firewall implicitly denies traffic that does not match the explicitly stated firewall rules is not used.

The following examples include scenarios where two firewall rules overlap:

  1. Source of R1 is completely contained within the source of R2 AND the destination of R1 is completely contained within the destination of R2.

    For example:
    R1: deny ip host 10.1.1.1 host 12.1.1.1
    R2: permit ip 10.1.1.0/24 12.1.1.0/24

    Criterion 1: If R1 is a subset of R2, then R1 comes before R2.
  2. Source of R2 is completely contained within the source of R1 AND the destination of R2 is completely contained within the destination of R1.

    For example:
    R1: deny ip host 10.1.1.0/24 12.1.1.0/24
    R2: permit ip host 10.1.1.2 12.1.1.2

    Criterion 2: If R2 is a subset of R1, then R2 comes before R1.
  3. Source of R1 is completely contained within the source of R2 AND destination of R2 is completely contained within the destination of R1.

    For example:
    R1: permit ip host 10.1.1.1 12.1.1.0/24
    R2: deny ip 10.1.1.0/24 12.1.1.1

    Note

     In this case is not possible to guess if the network admin intended for rule with more specific source to be more specific or the rule with the more specific destination to be more specific. You are going to designate the rule with the more specific destination as more specific. You should be aware of this when you create firewall rules.



    Criterion 3: If the source of R1 is a subset of the source of R2, and the destination of R2 is a subset of R1, then R2 comes before R1.
  4. Source of R2 is completely contained within the source of R1 AND destination of R1 is completely contained within the destination of R2.

    For example:
    R1:permit ip 10.1.1.0/24 host 12.1.1.1
    R2:deny ip 10.1.1.1 12.1.1.0/24

    Note

     In this case is not possible to guess if the network administrator intended for rule with more specific source to be more specific or the rule with the more specific destination to be more specific. You are going to designate the rule with the more specific destination as more specific. You should be aware of this when you create firewall rules.

     

    Criterion 4: If the source for R2 is a subset of the source for R1, and the destination for R1 is a subset of the destination for R2, then R1 comes before R2.
  5. In any of the above scenarios, if the two rules are equal, as in R2 is a subset of R1 and R1 is a subset of R2, the deny rule is considered more specific, because a network administrator would probably prefer denying access than permitting unintended access.

    Criterion 5: If R2 is a subset of R1 and R1 is a subset of R2, then the deny rule comes before the permit rule.

Considering the destination port and port range

The destination port and port range affect rule ordering only if the source and destination of order sensitive rules are the same.

Criterion 6: If R1 and R2 have the same source and destination, R1 has a destination port, R2 does not have a destination port, then R1 comes before R2.

Criterion 7: If R1 and R2 have the same source and destination, both R1 and R2 have unique destination ports, the rule with the lower destination port comes before the rule with the higher destination port.

Criterion 8: If R1 and R2 have the same source and destination, R1 destination port (23) or port range (23-25) is completely contained by R2 (20-25), then R1 comes before R2.

Criterion 9: If R1 and R2 have the same source and destination, R1 destination port range (18-23) partially overlaps with R2 (20-25), then R1 comes before R2 because its minimum port number (18) is lower than the minimum port number of R2 (20).

Disabling sorting of rules for firewalls

BMC Network Automation automatically sorts rules for firewalls by default. You can disable the sorting of rules for firewalls by altering the value of the parameter, vdcFirewallRuleSortingEnabled in the global.properties file.

This version of the documentation is no longer supported. However, the documentation is available for your convenience. You will not be able to leave comments.

Comments