FortiGate
mdecesare
Staff
Article Id 230063
Description

 

The iprope table can be seen as an internal representation of the firewall policies defined by the administrators.

All entries are organized in groups, each group serving a different function.

Once an entry in a group is matched, no further entries from that group are checked.

Entries in a group are inspected from top to bottom; each entry has its own matching criteria based on source/destination IP addresses, ports, and protocol.

If the packet matches the entry criteria, one of several actions is taken (listed below); otherwise, the next entry in the group is checked.

 

Example:

# diagnose firewall iprope list 100002 <----- Lists static SNAT policies.
# diagnose firewall iprope list 100000 <----- Lists VIP firewall policies.
# diagnose firewall iprope list 100004 <----- Lists normal (forward) firewall policies.

 

One example is:

Policy Group 00100004
policy index=1 uuid_idx=14 action=accept
flag (8050108): redir nat master use_src pol_stats
flag2 (4000): resolve_sso
flag3 (20): schedule(always)
cos_fwd=255 cos_rev=255
group=00100004 av=00004e20 au=00000000 split=00000000
host=0 chk_client_info=0x0 app_list=0 ips_view=0
misc=0 dd_type=0 dd_mode=0
zone(1): 3 -> zone(1): 6
source(1): 10.0.1.0-10.0.1.255, uuid_idx=12,
dest(1): 192.0.2.0-192.0.2.255, uuid_idx=13,
service(1):
[0:0x0:0/(0,65535)->(0,65535)] helper:auto

 

For each entry, in case of a match one of the following actions is taken:

- Drop the packet (action=drop).
- Redirect the packet to some processing logic (action=redirect).
- Accept the packet (action=accept).

 

Unlike firewall policies, which end with an implicit deny, iprope groups have no ‘implicit’ entries.

Both entries and groups have identifiers: a group has a group number, and the entries, called policies, have an index.
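As an added example (not part of the article), the following Python model applies the matching rules described above to a constructed listing in the format of 'diagnose firewall iprope list 100004' output: a group is walked top-down, the first matching entry wins, and None is returned when no entry matches, since a group has no implicit entry. The layout of the service field (protocol number, then source and destination port ranges) and the second policy in the sample are assumptions.

```python
import re
import ipaddress
# Constructed sample modelled on the 'diagnose firewall iprope list 100004'
# output above; the second policy and all uuid_idx values are invented.
SAMPLE = """\
Policy Group 00100004
policy index=1 uuid_idx=14 action=accept
source(1): 10.0.1.0-10.0.1.255, uuid_idx=12,
dest(1): 192.0.2.0-192.0.2.255, uuid_idx=13,
service(1):
[0:0x0:0/(0,65535)->(0,65535)] helper:auto
policy index=2 uuid_idx=15 action=drop
source(1): 10.0.0.0-10.0.255.255, uuid_idx=16,
dest(1): 192.0.2.0-192.0.2.255, uuid_idx=17,
service(1):
[6:0x0:0/(0,65535)->(443,443)] helper:auto
"""

RANGE = re.compile(r"(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)")
# Assumed service layout: [proto:flags:x/(sport_lo,sport_hi)->(dport_lo,dport_hi)]
SVC = re.compile(r"\[(\d+):[^/]+/\((\d+),(\d+)\)->\((\d+),(\d+)\)\]")

def parse_group(text):
    """Return the entries of one iprope group in listing (top-to-bottom) order."""
    entries = []
    for line in text.splitlines():
        if m := re.match(r"policy index=(\d+) .*action=(\w+)", line):
            entries.append({"index": int(m[1]), "action": m[2], "src": [], "dst": [], "svc": []})
        elif line.startswith(("source(", "dest(")):
            key = "src" if line.startswith("source") else "dst"
            entries[-1][key] += [(ipaddress.ip_address(a), ipaddress.ip_address(b))
                                 for a, b in RANGE.findall(line)]
        elif m := SVC.search(line):
            entries[-1]["svc"].append(tuple(int(x) for x in m.groups()))
    return entries

def in_ranges(ip, ranges):
    return any(lo <= ipaddress.ip_address(ip) <= hi for lo, hi in ranges)

def svc_matches(svc, proto, sport, dport):
    p, slo, shi, dlo, dhi = svc  # protocol 0 is treated as "any"
    return p in (0, proto) and slo <= sport <= shi and dlo <= dport <= dhi

def first_match(entries, src, dst, proto, sport, dport):
    """Walk the group top-down; stop at the first match. None = nothing matched (no implicit entry)."""
    for e in entries:
        if (in_ranges(src, e["src"]) and in_ranges(dst, e["dst"])
                and any(svc_matches(s, proto, sport, dport) for s in e["svc"])):
            return e["index"], e["action"]
    return None
```

A packet from 10.0.1.5 to 192.0.2.10 on TCP/443 is accepted by policy 1 even though policy 2 would drop it, which is the first-match behaviour the text describes.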

 

The following table lists the iprope groups sorted by group number.

Groups that exist in a factory-reset configuration may already contain default entries.

 

● 00000003 [ AUTH_DEFAULT ] All authentication policies
● 00000005 [ CAPTIVE_PORTAL ] Interfaces with security-mode enabled
● 00004e20 [ SESS_HELPER ] Session helpers
● 00100001 [ CUST_LOCAL_IN ] Custom local-in policies
● 00100002 [ STATIC_SNAT ] Static NAT: one-to-one VIP or IP pool overload
● 00100003 [ DEC_FWD ] Decrypt IPsec
● 00100004 [ ENC_FWD ] All forwarding policies
● 0010000a [ MULTICAST ] Multicast policies
● 0010000c [ EP_REDIR ] Endpoint control policies
● 0010000d [ CENTRAL_NAT ] Policies with central NAT
● 0010000e [ IMPLICIT_IN ] All default local-in policies
● 0010000f [ ADMIN_IN ] Administrative traffic allowed by the interface's allowaccess setting
● 00100011 [ ZTNA_PROXY ] ZTNA policies