Rule Matching Sequence Is Incorrect

Publication Date:  2012-07-27
Issue Description

As shown in Figure 6-3, Vlanif 10 and Vlanif 11 are in the Trust zone. Vlanif 5 is in the Untrust zone.

Figure 6-3  Networking environment for ACL configuration


Configure as follows:

  • Configure rules for ACL 3000.

    rule 0 permit ip source 10.0.0.0 0.255.255.255
    rule 5 deny ip
  • Configure rules for ACL 3001.

    rule 0 permit ip source 11.0.0.0 0.255.255.255
    rule 5 deny ip
  • Configure NAT address pool 0 and NAT address pool 1.

    nat address-group 0 3.3.3.3 3.3.3.3
    nat address-group 1 4.4.4.4 4.4.4.4
  • Configure NAT outbound on the interzone between the Trust zone and the Untrust zone, applying the corresponding ACL to each address group.

    nat outbound 3000 address-group 0
    nat outbound 3001 address-group 1
    firewall packet-filter default permit interzone trust untrust

After configuration, the test shows that the users on network segment 11.0.0.0 cannot access the users in the Untrust zone.

Alarm Information
None.
Handling Process
  1. Modify the configurations of ACL 3000.
    [USG] acl 3000
    [USG-acl-adv-3000] undo rule 5
  2. Modify the configurations of ACL 3001.
    [USG] acl 3001
    [USG-acl-adv-3001] undo rule 5
Root Cause

Run display firewall session table. The output shows that, for traffic from the Trust zone to the Untrust zone, users on network segment 10.0.0.0 are translated using address pool 0, whereas users on network segment 11.0.0.0 are not translated at all and no session entry is created for them.

The reason is that ACLs applied to the same interzone are matched with the following priorities:

  • The priority of the ACLs 3000–3999 is higher than that of the ACLs 2000–2999.

  • For both basic ACLs and advanced ACLs, the ACLs configured earlier have higher priorities than those configured later.

  • For different rules under the same ACL group, the rule with a small rule ID has a higher priority than the rule with a large rule ID.

Therefore, according to the preceding configurations, ACL 3000 is applied to the interzone before ACL 3001 and is therefore checked first. Traffic from network segment 11.0.0.0 does not match rule 0 of ACL 3000 (it only permits 10.0.0.0/8), but it does match rule 5 (deny ip), which matches any packet. Matching stops at that deny, so rule 0 of ACL 3001 is never evaluated, and users on network segment 11.0.0.0 are dropped instead of being translated with address pool 1 when accessing the Untrust zone from the Trust zone.

Suggestions

The ACL matching order is as follows:

  • Advanced ACLs (3000–3999) take precedence over basic ACLs (2000–2999).
  • Within each class, basic and advanced ACLs are matched in the order in which they were configured.
  • Within a single ACL, the rule with the smaller rule ID is checked first.

During ACL matching, as soon as one rule matches, its action (permit or deny) is returned and the remaining rules are not evaluated in that matching attempt. Only when all rules have been checked and none matches does the system report that no matching rule was found.

In that case, the USG processes the packet flow according to the default rule of the corresponding module. Because those defaults differ between modules, some modules allow the traffic to pass while others drop it, so a catch-all "deny ip" rule at the end of an earlier ACL silently shadows every later ACL on the same interzone.
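To make the matching order concrete, here is an added Python model of the interzone ACL evaluation described above (it is not code from the original case or from the USG product). The rule sets are the two ACLs from this case before and after "undo rule 5"; the function names and the NAT binding representation are constructed for the illustration.

```python
import ipaddress

# Constructed model of the USG interzone ACL matching order from this case:
# advanced ACLs (3000-3999) before basic ACLs (2000-2999), earlier-configured
# ACL first within a class, smaller rule ID first within an ACL, first hit wins.

def wildcard_match(ip, network, wildcard):
    """Huawei-style wildcard mask: a 1 bit in the wildcard means 'don't care'."""
    ip_i = int(ipaddress.IPv4Address(ip))
    net_i = int(ipaddress.IPv4Address(network))
    wc_i = int(ipaddress.IPv4Address(wildcard))
    return (ip_i & ~wc_i) == (net_i & ~wc_i)

def rule_matches(rule, src):
    """rule = (rule_id, action, source) where source is (network, wildcard) or None for 'any'."""
    source = rule[2]
    return source is None or wildcard_match(src, source[0], source[1])

def match_interzone(bindings, acls, src):
    """bindings: (acl_number, address_group) pairs in the order 'nat outbound' was configured.
    Returns (acl_number, rule_id, action, address_group) of the first matching rule, or None."""
    ordered = sorted(enumerate(bindings),
                     key=lambda b: (0 if 3000 <= b[1][0] <= 3999 else 1, b[0]))
    for _, (acl_no, group) in ordered:
        for rule in sorted(acls[acl_no], key=lambda r: r[0]):
            if rule_matches(rule, src):
                return (acl_no, rule[0], rule[1], group)  # stop at the first hit
    return None  # no rule matched: the module's default rule decides

# ACLs as configured in the case (constructed from the text).
BROKEN = {
    3000: [(0, "permit", ("10.0.0.0", "0.255.255.255")), (5, "deny", None)],
    3001: [(0, "permit", ("11.0.0.0", "0.255.255.255")), (5, "deny", None)],
}
# ACLs after "undo rule 5" in both ACL views (the handling process).
FIXED = {
    3000: [(0, "permit", ("10.0.0.0", "0.255.255.255"))],
    3001: [(0, "permit", ("11.0.0.0", "0.255.255.255"))],
}
BINDINGS = [(3000, "address-group 0"), (3001, "address-group 1")]

if __name__ == "__main__":
    for name, acls in (("broken", BROKEN), ("fixed", FIXED)):
        for src in ("10.1.2.3", "11.1.2.3"):
            print(name, src, match_interzone(BINDINGS, acls, src))
```

With the original rules a source in 11.0.0.0/8 hits rule 5 of ACL 3000 (deny) and ACL 3001 is never consulted; after the fix it reaches rule 0 of ACL 3001 and is translated with address group 1.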
