Rule Processing Order

As mentioned earlier, the rule base is processed in order. Rule matching, however, is only one of several things the security policy does to a packet. The order of operations is:

  1. Anti-spoofing checks

  2. Rule base

  3. Network Address Translation

When you take the FireWall-1 global properties (the implied rules) into account, the full order becomes:

  1. Anti-spoofing checks

  2. "First" Implicit Rules

  3. Explicit Rules (except for the final rule)

  4. "Before Last" Implicit Rules

  5. Last Explicit Rule (should be cleanup rule)

  6. "Last" Implicit Rules

  7. Network Address Translation

When we look at Network Address Translation (NAT) in Chapter 8, "Network Address Translation," you'll see how it changes the source and/or destination addresses of the packet. Because NAT happens after the rule base is consulted, rules are matched against the addresses the packet carries when it arrives at the firewall, not against the addresses it will have after translation. In many cases this means your rules must refer to the translated address. If you use the NAT properties of the network object to implement NAT (also called automatic NAT), this is taken care of for you.

Because anti-spoofing checks are done before anything else, a packet that fails them is dropped without the rule base ever being consulted. If the topology of an interface is defined incorrectly, no conversation through that interface will occur regardless of what rules you write. A log entry is made for each such drop, which is the first thing to look for when a rule that should match "never fires."
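The following is a toy model of the seven-step order above, added here as an illustration; it is not FireWall-1 code. The topology, addresses, rule names, the implied rules and the single static NAT mapping are all assumptions. It shows three consequences of the ordering: a packet whose source address does not belong behind its inbound interface is dropped and logged before any rule is looked at; a rule that admits inbound connections to a statically translated server must name the public (translated) address, because the rule base sees the packet before NAT rewrites it; and translation is applied only after a packet has been accepted.

```python
# Toy model of the FireWall-1 order of operations described above.
# Constructed example, not Check Point code: the topology, addresses,
# rule names, implied rules and NAT mapping are all assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    iface: str  # interface the packet arrived on


@dataclass
class Rule:
    name: str
    src: str              # CIDR or "any"
    dst: str              # CIDR or "any"
    dport: Optional[int]  # None = any port
    action: str           # "accept" or "drop"


@dataclass
class Policy:
    first_implicit: List[Rule]
    explicit: List[Rule]  # last entry should be the cleanup rule
    before_last_implicit: List[Rule]
    last_implicit: List[Rule]


def _in(cidr: str, addr: str) -> bool:
    return cidr == "any" or ip_address(addr) in ip_network(cidr)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (_in(rule.src, pkt.src) and _in(rule.dst, pkt.dst)
            and rule.dport in (None, pkt.dport))


# Assumed topology: internal interfaces list the networks behind them; the
# external interface (empty list) accepts any source that is not internal.
TOPOLOGY = {"eth0": [], "eth1": ["10.0.0.0/24"]}

# Assumed static NAT: real (internal) address -> valid (public) address.
STATIC_NAT = {"10.0.0.10": "198.51.100.10"}


def passes_antispoof(pkt: Packet) -> bool:
    own = TOPOLOGY[pkt.iface]
    if own:  # internal interface: the source must lie behind it
        return any(_in(n, pkt.src) for n in own)
    # external interface: the source must not belong to any internal network
    return not any(_in(n, pkt.src) for nets in TOPOLOGY.values() for n in nets)


def apply_nat(pkt: Packet) -> Packet:
    valid_to_real = {v: k for k, v in STATIC_NAT.items()}
    return Packet(STATIC_NAT.get(pkt.src, pkt.src),
                  valid_to_real.get(pkt.dst, pkt.dst), pkt.dport, pkt.iface)


def enforce(pkt: Packet, policy: Policy, log: List[str]) -> Tuple[str, Packet, str]:
    """Run one packet through the seven steps; return (action, packet, matched-by)."""
    # 1. anti-spoofing, before any rule is consulted
    if not passes_antispoof(pkt):
        log.append(f"{pkt.iface} drop {pkt.src}->{pkt.dst} anti-spoofing (topology)")
        return "drop", pkt, "anti-spoofing"
    # 2-6. rule phases, first match wins; rules see the untranslated packet
    phases = [("first implicit", policy.first_implicit),
              ("explicit", policy.explicit[:-1]),
              ("before last implicit", policy.before_last_implicit),
              ("last explicit", policy.explicit[-1:]),
              ("last implicit", policy.last_implicit)]
    for phase, rules in phases:
        for rule in rules:
            if rule_matches(rule, pkt):
                log.append(f"{pkt.iface} {rule.action} {pkt.src}->{pkt.dst}:{pkt.dport} "
                           f"rule {rule.name} [{phase}]")
                if rule.action == "drop":
                    return "drop", pkt, rule.name
                # 7. NAT is applied only to accepted packets, after the match
                return "accept", apply_nat(pkt), rule.name
    return "drop", pkt, "implicit drop"  # nothing matched: dropped with no log entry


POLICY = Policy(
    first_implicit=[Rule("fw-control", "any", "10.0.0.1", 256, "accept")],
    explicit=[Rule("web-in", "any", "198.51.100.10", 80, "accept"),  # valid address
              Rule("lan-out", "10.0.0.0/24", "any", None, "accept"),
              Rule("cleanup", "any", "any", None, "drop")],
    before_last_implicit=[Rule("dns-out", "10.0.0.0/24", "any", 53, "accept")],
    last_implicit=[],
)


def rule_against_real_address() -> Policy:
    """Same policy, but web-in names the real address; inbound web then hits cleanup."""
    rules = [Rule("web-in", "any", "10.0.0.10", 80, "accept")] + POLICY.explicit[1:]
    return Policy(POLICY.first_implicit, rules, POLICY.before_last_implicit, POLICY.last_implicit)


def demo(policy: Policy = POLICY) -> Tuple[dict, List[str]]:
    log: List[str] = []
    cases = {  # constructed packets
        "inbound-web": Packet("203.0.113.5", "198.51.100.10", 80, "eth0"),
        "inbound-ssh": Packet("203.0.113.5", "198.51.100.10", 22, "eth0"),
        "spoofed": Packet("10.0.0.7", "198.51.100.10", 80, "eth0"),
        "outbound": Packet("10.0.0.10", "203.0.113.5", 443, "eth1"),
    }
    return {k: enforce(p, policy, log) for k, p in cases.items()}, log


if __name__ == "__main__":
    results, log = demo()
    for name, (action, pkt, by) in results.items():
        print(f"{name:12} {action:6} by {by:14} -> {pkt.src} -> {pkt.dst}")
    print(*log, sep="\n")
```

Running the script shows the "spoofed" packet dropped by the topology check even though an accept rule would otherwise match it, the inbound web request accepted by `web-in` and only then rewritten to 10.0.0.10, and, with `rule_against_real_address()`, the same request falling through to the cleanup rule because the rule was written for an address the packet does not yet carry.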
