Amer Networks E5Web GUI User Manual
Page 196

• Service
  The Service in an IP rule is also important because if an Application Layer Gateway object is to be applied to traffic then it must be associated with a service object (see Section 6.2, “ALGs”).
When an IP rule is triggered by a match then one of the following Actions can occur:

Allow
The packet is allowed to pass. As the rule is applied to only the opening of a connection, an entry in the "state table" is made to record that a connection is open. The remaining packets related to this connection will pass through the cOS Core "stateful engine".

FwdFast
Let the packet pass through the Clavister Security Gateway without setting up a state for it in the state table. This means that the stateful inspection process is bypassed and is therefore less secure than Allow or NAT rules. Packet processing time is also slower than Allow rules since every packet is checked against the entire rule set.

NAT
This functions like an Allow rule, but with dynamic address translation (NAT) enabled (see Section 7.2, “NAT” in Chapter 7, Address Translation for a detailed description).

SAT
This tells cOS Core to perform static address translation. A SAT rule always requires a matching Allow, NAT or FwdFast IP rule further down the rule set (see Section 7.4, “SAT” in Chapter 7, Address Translation for a detailed description).

Drop
This tells cOS Core to immediately discard the packet. This is an "impolite" version of Reject in that no reply is sent back to the sender. It is often preferable since it gives a potential attacker no clues about what happened to their packets.

Reject
This acts like Drop but will return a TCP RST or ICMP Unreachable message, informing the sending computer that the packet was dropped. This is a "polite" version of the Drop IP rule action.

Reject is useful where applications that send traffic wait for a timeout to occur before realizing that the traffic was dropped. If an explicit reply is sent indicating that the traffic was dropped, the application need not wait for the timeout.
Note: Some actions alter TCP sequence numbers
In some situations with certain types of network equipment, the TCP sequence number needs to remain the same as data traffic traverses the security gateway.
It is therefore important to know that only the FwdFast action guarantees that the TCP sequence number is unaltered. Other IP rule actions, such as Allow and NAT, change the TCP sequence number as traffic flows through cOS Core.
Logging
When an IP Rule or IP Policy object is created the default is that logging is enabled. This means that a log message is generated whenever either is triggered. This behavior can be altered by disabling logging on the individual rule or policy object.
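The following Python model is an added example, not part of this manual and not Clavister code. It illustrates the action list and the Logging paragraph above: an Allow rule is consulted only for the packet that opens a connection, after which both directions of that connection are handled by the state table; a FwdFast rule creates no state, so every packet walks the rule set again; Drop answers nothing, while Reject returns a TCP RST or an ICMP Unreachable; and each rule carries a logging flag that is on by default. The rule set is evaluated top-down with the first match deciding. All rule names, addresses, the prefix-based address matching and the silent drop of unmatched packets are constructed assumptions of this toy, not statements from the page.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0


@dataclass
class Rule:
    name: str
    action: str           # "Allow", "FwdFast", "Drop" or "Reject"
    src: str              # address prefix; "" matches any (simplified, hypothetical matching)
    dst: str
    proto: str
    dport: Optional[int] = None
    log: bool = True      # logging is enabled by default, as the manual describes


@dataclass
class Verdict:
    action: str
    rule: Optional[str]   # rule that decided; None when the state table decided
    reply: Optional[str]  # message returned to the sender; None if silent


class RuleEngine:
    """Toy first-match rule engine with a state table (hypothetical, not cOS Core)."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.state_table: Set[Tuple[str, str, str, int]] = set()
        self.log: List[str] = []
        self.rule_lookups = 0   # packets that had to walk the rule set

    @staticmethod
    def _matches(rule: Rule, pkt: Packet) -> bool:
        return (pkt.src.startswith(rule.src) and pkt.dst.startswith(rule.dst)
                and pkt.proto == rule.proto
                and (rule.dport is None or rule.dport == pkt.dport))

    def process(self, pkt: Packet) -> Verdict:
        forward = (pkt.src, pkt.dst, pkt.proto, pkt.dport)
        reverse = (pkt.dst, pkt.src, pkt.proto, pkt.sport)
        # Packets of an open connection (either direction) are passed by the
        # stateful engine and never consult the rule set again.
        if forward in self.state_table or reverse in self.state_table:
            return Verdict("Allow", None, None)

        self.rule_lookups += 1
        for rule in self.rules:          # top-down, first match decides
            if not self._matches(rule, pkt):
                continue
            if rule.log:
                self.log.append(f"{rule.name} {rule.action} "
                                f"{pkt.src}->{pkt.dst}:{pkt.dport}/{pkt.proto}")
            if rule.action == "Allow":
                self.state_table.add(forward)               # connection recorded as open
                return Verdict("Allow", rule.name, None)
            if rule.action == "FwdFast":
                return Verdict("FwdFast", rule.name, None)  # no state; next packet walks rules again
            if rule.action == "Drop":
                return Verdict("Drop", rule.name, None)     # silent discard
            if rule.action == "Reject":
                reply = "TCP RST" if pkt.proto == "tcp" else "ICMP Unreachable"
                return Verdict("Reject", rule.name, reply)
            raise ValueError(f"unsupported action {rule.action}")
        # No rule matched: this toy drops silently (an assumption of the model).
        return Verdict("Drop", None, None)


def demo() -> dict:
    """Run constructed sample packets through a small constructed rule set."""
    engine = RuleEngine([
        Rule("lan_web", "Allow", "10.0.1.", "", "tcp", 80),
        Rule("syslog_fast", "FwdFast", "10.0.2.", "", "udp", 514, log=False),
        Rule("guest_drop", "Drop", "192.0.2.", "", "tcp"),
        Rule("telnet_reject", "Reject", "10.0.3.", "", "tcp", 23),
        Rule("dns_reject", "Reject", "10.0.3.", "", "udp", 53),
    ])
    out = {}
    # Allow: only the opening packet walks the rule set; data and reply use the state table.
    out["open"] = engine.process(Packet("10.0.1.5", "203.0.113.10", "tcp", 40000, 80))
    out["data"] = engine.process(Packet("10.0.1.5", "203.0.113.10", "tcp", 40000, 80))
    out["reply"] = engine.process(Packet("203.0.113.10", "10.0.1.5", "tcp", 80, 40000))
    out["lookups_after_allow"] = engine.rule_lookups
    # FwdFast: each of the three packets is checked against the rule set; nothing is recorded.
    for _ in range(3):
        out["fwdfast"] = engine.process(Packet("10.0.2.9", "10.0.9.1", "udp", 5000, 514))
    out["lookups_after_fwdfast"] = engine.rule_lookups
    out["state_entries"] = len(engine.state_table)
    # Drop versus Reject: only Reject tells the sender anything.
    out["drop"] = engine.process(Packet("192.0.2.7", "10.0.1.1", "tcp", 1234, 22))
    out["reject_tcp"] = engine.process(Packet("10.0.3.4", "10.0.1.1", "tcp", 1234, 23))
    out["reject_udp"] = engine.process(Packet("10.0.3.4", "10.0.1.1", "udp", 1234, 53))
    out["log"] = list(engine.log)   # syslog_fast has logging disabled, so it leaves no entry
    return out
```

Running `demo()` shows one rule lookup for the whole Allow connection versus one lookup per FwdFast packet, a single state-table entry, a silent Drop, and the two different Reject replies; the log list contains four entries because the FwdFast rule had logging switched off.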
Bi-directional Connections
A common mistake when setting up IP Rules is to define two rules, one rule for traffic in one direction and another rule for traffic coming back in the other direction. In fact nearly all IP Rules
Chapter 3: Fundamentals