Hello Experts,
In the L3/L7 ACL processing order, does it match the 'Default permit any' rule in the L3 ACL, or just the configured ones?
I have referred to the document below but could not see an example where there is no L3 rule match but there is an L7 match.
Source is 10.10.10.10.
Destination is 1.1.1.1, URL category is Email.
There is no L3 ACL, but there is an L7 ACL which blocks the Email category, so will the above packet pass to L7, or will it match the default any rule in L3 and bypass L7? Also, what about return traffic, will that be allowed by default?
Does reverse traffic also get evaluated by the L3/L7 ACL?
-Pavan
By default, outbound traffic will be allowed through the firewall unless explicitly blocked by at least one L3 or L7 rule. In this example, SSH (TCP port 22) traffic will be allowed through the firewall because there are no configured L3 or L7 rules that act upon it.
[Layer 3 Rules and Layer 7 Rules tables not reproduced]
In this example, SMTP traffic (TCP port 25) will be blocked by the L3 firewall, because rule 3 under layer 3 explicitly blocks it. Layer 7 rules would be ignored because the traffic has already been blocked.
[Layer 3 Rules and Layer 7 Rules tables not reproduced]
The MR access point and MX security appliance differ slightly in their processing of L7 firewall rules after the L3 firewall. On the MR, if traffic matches an allow rule on the L3 firewall, that traffic will bypass the L7 firewall altogether.
On MR, default L3 rules do not act as a bypass for L7 rules. Only custom allow rules will bypass L7 rules.
On the MX, if traffic matches an allow rule on the L3 firewall, it can still be blocked by an L7 firewall rule.
On the MX, HTTP traffic (TCP port 80) to Facebook.com will be blocked by the L7 firewall, because rule 1 under layer 7 explicitly blocks it, even though the traffic was allowed through the layer 3 firewall.
[Layer 3 Rules and Layer 7 Rules tables not reproduced]
On the MR, HTTP traffic (TCP port 80) to Facebook.com will be allowed through the firewall, because rule 1 under layer 3 explicitly allows it.
[Layer 3 Rules and Layer 7 Rules tables not reproduced]
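As an added example (not from the Meraki document or from anyone in this thread), the small Python model below walks the L3 rules and then the L7 rules in the order the quoted document describes, including the MR vs MX difference in whether a custom L3 allow bypasses L7; the flows, ports and categories are constructed for illustration and the rule representation is simplified, not the dashboard's syntax.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Flow:
    """One outbound flow, as in the document's examples (constructed values)."""
    dst_ip: str
    dst_port: int
    l7_category: str = ""   # e.g. "Email"; empty when no L7 category applies

@dataclass
class L3Rule:
    """Simplified custom L3 rule: None in a field matches anything."""
    action: str                      # "allow" or "deny"
    dst_port: Optional[int] = None
    dst_ip: Optional[str] = None

    def matches(self, f: Flow) -> bool:
        return (self.dst_port in (None, f.dst_port)
                and self.dst_ip in (None, f.dst_ip))

def evaluate(flow, l3_rules, l7_block_categories, platform):
    """Return ('allow'|'deny', reason) following the quoted processing order.

    1. Custom L3 rules are checked in order; a deny ends evaluation (L7 ignored).
    2. A custom L3 allow bypasses L7 on MR only; on MX, L7 is still evaluated.
    3. The implicit default L3 allow never bypasses L7 on either platform.
    """
    bypass_l7 = False
    for i, rule in enumerate(l3_rules, 1):
        if rule.matches(flow):
            if rule.action == "deny":
                return "deny", f"L3 rule {i} denies; L7 not evaluated"
            bypass_l7 = (platform == "MR")   # explicit allow bypasses L7 on MR
            break
    if not bypass_l7 and flow.l7_category in l7_block_categories:
        return "deny", f"L7 rule blocks category {flow.l7_category!r}"
    return "allow", "no blocking rule matched"

if __name__ == "__main__":
    # Port 513 with no custom L3 rule: default allow does not bypass the L7 Email block.
    print(evaluate(Flow("1.1.1.1", 513, "Email"), [], {"Email"}, "MR"))
    # SMTP explicitly denied at L3; L7 is never consulted.
    print(evaluate(Flow("1.1.1.1", 25, "Email"), [L3Rule("deny", 25)], {"Email"}, "MX"))
```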
I have gone through the document.
What if there is no match in the L3 ACL? If the traffic is on port 513 and there is no matching L3 ACL rule, will it match the default permit L3 rule and bypass L7, or will it go to L7 as there is no match in L3?
And what about reverse traffic? Because the ACLs we configure on the MR are destination-based, will return traffic be allowed by default?
[Layer 3 Rules and Layer 7 Rules tables not reproduced]
Important: what about reverse traffic? Because the ACLs we configure on the MR are destination-based, will return traffic be allowed by default or denied?
The answer is right in the document.
On MR, default L3 rules do not act as a bypass for L7 rules. Only custom allow rules will bypass L7 rules.
Thanks. How does it handle return traffic? Does it follow the same pattern as mentioned in the document? If so, do we need to create L3/L7 ACLs for the return traffic?
These rules are outbound rules, not inbound, so if the traffic is not blocked on the way out, the response will obviously not be blocked.