Ip rule set folders – Amer Networks E5Web GUI User Manual
Page 199

rules with a Goto action are then added to the main rule set, and these point to the rule set that
contains the individual rules that relate to the traffic that triggers the Goto.
For example, the main IP rule set may contain many thousands of rules where the Destination
Network might be one of a number of networks such as dmz_net, lan_net or wan_net. It can be
much more efficient to divide these rules based on Destination Network and place each group in
a new rule set; these might be called dmz_rules, lan_rules and wan_rules.
In their place, a single IP rule is placed in the main rule set to point to these new rule sets:
Action          Src Iface   Src Net    Dest Iface   Dest Net   Service
Goto dmz_rules  any         all-nets   any          dmz_net    all_services
Goto lan_rules  any         all-nets   any          lan_net    all_services
Goto wan_rules  any         all-nets   any          wan_net    all_services
When a new connection is opened with dmz_net as the destination, cOS Core first performs a
lookup in the main rule set. The Goto rule triggers and the rule search continues in the rule set
called dmz_rules. This example uses the destination network as the method of dividing up the
rules, but another factor, such as an interface, could have been used. The diagram below
illustrates the example.
In essence, this approach creates a two-level tree structure, a technique used in many
situations for efficient searching of large amounts of data. The maximum number of IP rules
placed in each new rule set is decided on a case-by-case basis, but it is recommended that
they contain no more than one thousand rules.
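As an added illustration (not code from this manual or from cOS Core), the following Python model simulates the lookup described above: a main set holding only Goto rules keyed on destination network, beside the same rules laid out as one flat set, so the number of rules examined per new connection can be compared. The networks, interfaces, services and filler rules are constructed values, and what cOS Core does when a target rule set ends without a match is not covered here; the model simply reports no match.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address objects standing in for the manual's named networks (not from the page).
NETS = {"all-nets": ip_network("0.0.0.0/0"), "dmz_net": ip_network("10.1.0.0/24"),
        "lan_net": ip_network("10.2.0.0/24"), "wan_net": ip_network("203.0.113.0/24")}

@dataclass
class Rule:
    action: str        # "Allow", "Drop" or "Goto"
    src_iface: str
    src_net: str
    dest_iface: str
    dest_net: str
    service: str
    target: str = ""   # name of the rule set a Goto continues the search in

def matches(r, src_iface, src_ip, dest_iface, dest_ip, service):
    return (r.src_iface in ("any", src_iface) and ip_address(src_ip) in NETS[r.src_net]
            and r.dest_iface in ("any", dest_iface) and ip_address(dest_ip) in NETS[r.dest_net]
            and r.service in ("all_services", service))

def lookup(rule_sets, name, pkt, examined=0):
    """First-match search of rule set `name`; a matching Goto continues the search in
    its target set. Returns (final action or None, number of rules examined)."""
    for r in rule_sets[name]:
        examined += 1
        if matches(r, *pkt):
            if r.action == "Goto":
                return lookup(rule_sets, r.target, pkt, examined)
            return r.action, examined
    return None, examined   # end of the set reached without a match (model's own choice)

def goto(target, dest_net):
    return Rule("Goto", "any", "all-nets", "any", dest_net, "all_services", target)

def padded(dest_net, real_rules, n=200):
    # n constructed filler rules per destination network, to mimic a large rule set
    return [Rule("Drop", "any", "all-nets", "any", dest_net, f"svc{i}") for i in range(n)] + real_rules

RULE_SETS = {
    "main": [goto("dmz_rules", "dmz_net"), goto("lan_rules", "lan_net"), goto("wan_rules", "wan_net")],
    "dmz_rules": padded("dmz_net", [Rule("Allow", "lan", "lan_net", "dmz", "dmz_net", "http")]),
    "lan_rules": padded("lan_net", [Rule("Allow", "dmz", "dmz_net", "lan", "lan_net", "dns")]),
    "wan_rules": padded("wan_net", [Rule("Allow", "lan", "lan_net", "wan", "wan_net", "https")]),
}
# The same rules in one flat main set, as they were before the split.
FLAT = {"main": RULE_SETS["dmz_rules"] + RULE_SETS["lan_rules"] + RULE_SETS["wan_rules"]}

def compare(pkt):
    """Return (two-level result, flat result): the actions agree, the rule counts differ."""
    return lookup(RULE_SETS, "main", pkt), lookup(FLAT, "main", pkt)

if __name__ == "__main__":
    print(compare(("lan", "10.2.0.5", "wan", "203.0.113.9", "https")))  # (('Allow', 204), ('Allow', 603))
```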
3.6.5. IP Rule Set Folders
In order to help organize large numbers of entries in IP rule sets, it is possible to create IP rule set
folders. These folders are just like a folder in a computer's file system. They are created with a
given name and can then be used to contain all the IP rules that are related together as a group.
Chapter 3: Fundamentals
199