Implicit rules

The firewall is configured by default with implicit filter rules that are evaluated before manually defined filter rules. The purpose of such rules is to simplify the configuration process by allowing particular requests or access privileges. The Security policy > Filter - NAT menu therefore does not show all the rules that the firewall applies. As a result, a rule created by an administrator may never be evaluated, because an implicit rule matching the same traffic takes precedence over it.

R30 | Disable implicit rules
All implicit filter rules should be disabled, including those that apply to outgoing traffic generated from services hosted by the firewall. This operation can be performed in Security policy > Implicit rules.

WARNING
To avoid losing administration powers, new filter rules must be created before disabling the corresponding implicit rules. Depending on requirements, these rules must allow HTTPS, NSRPC or SSH traffic between the firewall and groups defined in chapter Configuring administration IP addresses on the interfaces defined in chapter Dedicated administration interface.

INFORMATION
The NSRPC monitor filter command displays all the filter rules that are actually applied. Note that disabling implicit traffic from hosted services does not block the DNS requests sent by the SNS appliance; applying recommendation R26 limits such traffic.
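Added example (not part of the guide): a small Python model of the evaluation order described above (implicit rules first, then the administrator's rules, then a default block), used as a pre-flight check for R30 that the explicit administration rules required by the warning are in place before the implicit rules are disabled. The administration network, the interface name and NSRPC on TCP port 1300 are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed placeholders for the administration group and the dedicated
# administration interface from the chapters referenced above.
ADMIN_NET = "10.10.0.0/24"
ADMIN_IF = "in_admin"
# Services the warning requires to stay reachable (NSRPC on TCP 1300 is an assumption).
ADMIN_SERVICES = {"https": 443, "ssh": 22, "nsrpc": 1300}

@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # source network (CIDR)
    dst_if: str   # interface the request arrives on, "*" for any
    port: int     # destination TCP port, 0 for any
    action: str   # "pass" or "block"

def matches(rule, src_ip, dst_if, port):
    return (ip_address(src_ip) in ip_network(rule.src)
            and rule.dst_if in ("*", dst_if)
            and rule.port in (0, port))

def decide(implicit, explicit, src_ip, dst_if, port):
    """First match wins: implicit rules are evaluated before the
    administrator's rules, and traffic matching nothing is blocked."""
    for rule in list(implicit) + list(explicit):
        if matches(rule, src_ip, dst_if, port):
            return rule.action, rule.name
    return "block", "default"

def services_lost_after_r30(explicit, src_ip="10.10.0.5", dst_if=ADMIN_IF):
    """Pre-flight for R30: administration services that would no longer be
    accepted once every implicit rule is disabled (only explicit rules remain)."""
    return [svc for svc, port in ADMIN_SERVICES.items()
            if decide([], explicit, src_ip, dst_if, port)[0] != "pass"]

# Constructed rule sets: one permissive implicit rule, one administrator rule
# that it shadows, and the explicit administration rules the warning asks for.
IMPLICIT = [Rule("implicit_https_admin", "0.0.0.0/0", "*", 443, "pass")]
SHADOWED = [Rule("admin_block_https", "192.0.2.0/24", "*", 443, "block")]
EXPLICIT_ADMIN = [Rule(f"admin_{svc}", ADMIN_NET, ADMIN_IF, port, "pass")
                  for svc, port in ADMIN_SERVICES.items()]
```

With the implicit rule active, the administrator's block rule is never reached; with no explicit administration rules, disabling the implicit rules first would lose all three services.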