I'm trying to understand the precedence of firewall filters.
First, are the items within a term processed as AND or OR? So if I have a source-address and a destination-address both defined, do both have to be true for the THEN clause to be executed? If not, what is the logic to determine whether the term is true or false? Same question for ports.
Second: how does the above change when instead of source-address/destination-address you use prefix-list - NOT source-prefix-list or destination-prefix-list?
Last - for now as I reserve the right to ask further questions: Is there a way other than inserting syslog or counts to tell that a term was actually "hit" and acted upon?
I'll reserve the question of putting filter-lists on an interface until later unless that would be better explained here as well.
Please find below the answers, in which I have tried to answer your queries:
When you have both source-address and destination-address defined, both of them have to be true at the same time for the THEN clause/action to take place. The case is the same when you specify source-port and destination-port. To summarize, it is an AND operation that takes place across the attributes you specify in the match condition.
The above changes when you use prefix-list (not source/destination prefix-list but a general prefix-list) in that if any of the IP addresses you specify in the prefix list match either the source or the destination of a packet, the THEN clause/action takes effect. Hence an OR operation takes place within the prefix list, but an AND operation is still happening with any other condition you have specified to match the traffic.
No, there is no way to tell if a filter was hit other than enabling syslog or counts.
Hope above answers your queries. 🙂
Thanks, Pulkit Bhandari Please mark my response as Solution Accepted if it Helps, Kudos are Appreciated too.
Thanks for the reply guys. Exactly what I was looking for! That explains some of the behavior I've been seeing with my lab setup.
So the simple explanation is that if one wants full granular control, always use source- and destination- functions and put in as many terms as possible to ensure the packet is what you were looking for.
For some of the more lenient rules, a simple port and protocol may suffice - for example allowing 80/443 traffic to leave the network. By extension of your explanations, putting just tcp-80 and tcp-443 in the filter without any addresses should accomplish this.
Thanks again for not only the quick response but a complete response. You both get credit for the correct solution - not sure how to mark that though.
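To make the rules above concrete (AND across the match conditions of a term, OR across the values inside one condition or one prefix-list, and count/syslog as the way to see hits), here is an added Junos configuration example. It is not from the thread or from Juniper; the filter name EXAMPLE, the prefix-list SERVERS, the counter names and the RFC 5737 documentation addresses are all assumptions chosen for illustration. The first term shows the strict source+destination+port case from the answer, the second shows a general prefix-list matching either direction, and the third shows the address-less 80/443 egress term from the follow-up post.

```junos
/* Added example, not from the original thread. All names and addresses are illustrative. */
policy-options {
    /* A general prefix-list: each entry is ORed with the others,
       and under "from { prefix-list }" it matches SOURCE OR DESTINATION. */
    prefix-list SERVERS {
        198.51.100.0/24;
        203.0.113.0/24;
    }
}
firewall {
    family inet {
        filter EXAMPLE {
            /* Term 1: every condition below must be true (AND) for "then" to run:
               source in 192.0.2.0/24 AND destination 198.51.100.10 AND tcp AND
               destination-port 22 OR 443 (multiple values of ONE condition are ORed). */
            term admin-to-mgmt {
                from {
                    source-address {
                        192.0.2.0/24;
                    }
                    destination-address {
                        198.51.100.10/32;
                    }
                    protocol tcp;
                    destination-port [ 22 443 ];
                }
                then {
                    count admin-to-mgmt-hits;   /* visible with "show firewall" */
                    syslog;                     /* one log line per matching packet */
                    accept;
                }
            }
            /* Term 2: a general prefix-list matches if the source OR the destination
               is in SERVERS; "protocol tcp" is still ANDed with that result.
               Use source-prefix-list / destination-prefix-list to pin the direction. */
            term servers-either-direction {
                from {
                    prefix-list {
                        SERVERS;
                    }
                    protocol tcp;
                }
                then {
                    count servers-hits;
                    accept;
                }
            }
            /* Term 3: no addresses at all, so this is "any tcp to port 80 or 443". */
            term web-out {
                from {
                    protocol tcp;
                    destination-port [ 80 443 ];
                }
                then {
                    count web-out-hits;
                    accept;
                }
            }
            /* Explicit final term: a Junos filter has an implicit discard at the end,
               so count what falls through instead of losing it silently. */
            term default-deny {
                then {
                    count default-deny-hits;
                    discard;
                }
            }
        }
    }
}
```

Terms are evaluated top to bottom and the first matching term's action is final, so order matters as much as the AND/OR logic inside each term. Once the filter is applied to an interface, `show firewall filter EXAMPLE` lists each `count` name with packet and byte totals, which is the quickest way to confirm a term is actually being hit; `clear firewall filter EXAMPLE` resets them before a test. The `syslog` action writes a line per matching packet to the messages log (on PFE-based platforms tagged PFE_FW_SYSLOG_IP, which you can grep for with `show log messages | match PFE_FW`), so keep it for troubleshooting specific terms rather than leaving it on a high-volume term. The important hardening point for the "port only" term is the implicit discard: anything you did not explicitly accept earlier is dropped, so a filter that lists only tcp-80 and tcp-443 will also drop DNS, NTP and everything else unless those get their own terms.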