[Vigor3900] The mechanism and policy of Firewall Rules

Support Model: Vigor2960, Vigor300B, Vigor3900

A Filter Rule on the Vigor3900 Firewall can take one of three different types of action. This note explains the difference between them.

When the Vigor3900 receives a packet, the Firewall goes through the IP Filter Groups in order to see whether the packet matches any Filter Rule in IP Filter. The order in which Filter Groups/Rules are checked depends on the order in which they were created. If the packet doesn't match any Filter Rule in IP Filter, the router moves on to check Application Filter, URL/Web Category Filter and then QQ Filter. If no Filter Rule matches there either, the Default Policy is applied.

If the packet matches a Filter Rule in IP Filter, the action of that Filter Rule is applied. There are three possible actions:

  • Accept/Block Immediately
  • Accept/Block if No Further Match while Next Group is selected
  • Accept/Block if No Further Match while Next Group is left blank

Accept/Block Immediately

Once the packet matches a Filter Rule whose action is "Accept/Block Immediately", the router accepts or blocks it immediately, and all remaining Filter Rules are ignored.

 

Accept/Block if No Further Match while Next Group is selected

  1. If the packet matches a Filter Rule whose action is "Accept/Block if No Further Match" and a specific group is selected as Next Group, the router checks the Filter Rules in that group, in order, to see whether any rule matches.
  2. Once the router finds a matching Filter Rule in that group, the action of that newly matched Filter Rule is applied, and the rest of the Filter Rules in the group are ignored.
  3. If the packet doesn't match any Filter Rule in the Next Group, the router moves on to Application Filter, URL/WCF Filter, and then QQ Filter to check whether any Filter Rule matches.
  4. Once the router finds a matching Filter Rule in the other filters, the action of that newly matched Filter Rule is applied.
  5. If the packet doesn't match any Filter Rule in the other filters, it is accepted or blocked according to the action of the originally matched Filter Rule.

 

Accept/Block if No Further Match while Next Group is left blank

  1. If the packet matches a Filter Rule whose action is "Accept/Block if No Further Match" and the Next Group is left blank, the router moves on to Application Filter, URL/Web Category Filter and then QQ Filter to check whether any Filter Rule matches.
  2. Once the router finds a matching Filter Rule in the other filters, the action of that newly matched Filter Rule is applied.
  3. If the packet doesn't match any Filter Rule in the other filters, it is accepted or blocked according to the action of the originally matched Filter Rule.
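
The evaluation order described in this note, modelled as a small Python simulator for reasoning about a rule set before deploying it. This is an added example, not DrayTek code: the `Rule` fields, group names and sample policy are constructed for illustration, and a rule matched in the Next Group is assumed to decide the packet outright.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class Rule:
    name: str
    match: Callable[[dict], bool]
    verdict: str                      # "accept" or "block"
    immediately: bool = True          # False = "... if No Further Match"
    next_group: Optional[str] = None  # None = Next Group left blank

def first_match(rules, pkt):
    return next((r for r in rules if r.match(pkt)), None)

def evaluate(pkt, ip_groups, other_filters, default_policy):
    """Return (verdict, deciding rule name); groups and filters are in checked order."""
    hit = None
    for rules in ip_groups.values():          # IP Filter groups, in order
        hit = first_match(rules, pkt)
        if hit:
            break
    if hit and hit.immediately:               # Accept/Block Immediately
        return hit.verdict, hit.name
    if hit and hit.next_group:                # Next Group selected
        nxt = first_match(ip_groups.get(hit.next_group, []), pkt)
        if nxt:                               # assumption: its verdict is final
            return nxt.verdict, nxt.name
    later = first_match(other_filters, pkt)   # Application / URL / QQ filters
    if later:
        return later.verdict, later.name
    if hit:                                   # no further match: original rule
        return hit.verdict, hit.name
    return default_policy, "default-policy"

# Constructed sample policy, not taken from the article.
GROUPS = {
    "lan": [Rule("lan-accept", lambda p: p["src"].startswith("192.168.1."),
                 "accept", immediately=False, next_group="servers")],
    "servers": [Rule("block-telnet", lambda p: p["dport"] == 23, "block")],
}
OTHER = [Rule("app-block-p2p", lambda p: p.get("app") == "p2p", "block")]

if __name__ == "__main__":
    for pkt in ({"src": "192.168.1.10", "dport": 23},
                {"src": "192.168.1.10", "dport": 443, "app": "p2p"},
                {"src": "192.168.1.10", "dport": 443}):
        print(pkt, "->", evaluate(pkt, GROUPS, OTHER, "block"))
```

In this model an "Accept if No Further Match" rule is only a fallback: a block in the Next Group or in the later filters overrides it, and it takes effect only when nothing else matches.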
   