Implicit rules

The SNS firewall is configured by default with implicit filter rules that are evaluated before the filter rules defined manually by the administrator. Their purpose is to simplify configuration by allowing certain requests or access privileges without an explicit rule (for example, administration traffic to the firewall or traffic generated by its own services). For the list of available implicit rules, refer to the section on Implicit rules in the SNS v4.3 LTSB user guide.

The Configuration > Security policy > Filter - NAT menu therefore does not show all the rules that the SNS firewall actually applies. Since evaluation stops at the first matching rule, a rule created by an administrator may never be evaluated if an implicit rule matching the same traffic is evaluated before it.

R30 | SNS | Disable implicit rules
We recommend disabling all implicit filtering rules, except the rule "Allow mutual access between the members of a firewall cluster (HA cluster)" in a high availability (HA) firewall cluster. Implicit rules can be disabled in Configuration > Security policy > Implicit rules.

WARNING
To avoid losing administration access, the replacement filter rules must be created before the corresponding implicit rules are disabled. Depending on requirements, these rules must allow HTTPS, NSRPC or SSH traffic between the SNS firewall and the groups defined in the chapter Configuring administration IP addresses, on the interfaces defined in the chapter Dedicated web administration interface.
In addition, to avoid degrading the performance of certain SNS firewall features, filter rules covering the options and parameters in use must also be created before the corresponding implicit rules are disabled. For example, for ESP traffic, the "Status tracking (stateful)" option must be enabled on the replacement rule to avoid degrading IPsec VPN performance.
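The following is an added pre-flight check illustrating the point of the warning above; it is not a Stormshield tool and does not parse SNS configuration files. It models SNS-style first-match filtering and verifies that every administration flow (HTTPS, SSH, NSRPC from the administration hosts to the dedicated administration interface) is allowed by an explicit "pass" rule that is not shadowed by an earlier "block" rule, which is the condition to meet before the implicit administration rules are disabled. The service ports (443, 22 and 1300 for NSRPC), the addresses and the sample ruleset are constructed assumptions for the example.

```python
"""Pre-flight check before disabling implicit administration rules (R30).

Added example, not Stormshield code. Models first-match filter evaluation:
the first rule matching a flow decides its fate, and an unmatched flow is
blocked. Before an implicit rule is disabled, every administration flow it
currently allows must be covered by an explicit 'pass' rule that no earlier
'block' rule shadows.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Assumed service ports for the example: HTTPS 443, SSH 22, NSRPC 1300.
ADMIN_SERVICES = {"https": 443, "ssh": 22, "nsrpc": 1300}


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    src: str               # source network (CIDR)
    dst: str               # destination network (CIDR)
    proto: str             # "tcp" or "udp"
    dport: Optional[int]   # None means any destination port


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def rule_matches(rule: Rule, flow: Flow) -> bool:
    return (ipaddress.ip_address(flow.src) in ipaddress.ip_network(rule.src, strict=False)
            and ipaddress.ip_address(flow.dst) in ipaddress.ip_network(rule.dst, strict=False)
            and rule.proto == flow.proto
            and (rule.dport is None or rule.dport == flow.dport))


def decide(rules: List[Rule], flow: Flow, default: str = "block") -> str:
    """First-match evaluation; anything not explicitly allowed is blocked."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.action
    return default


def admin_flows(admin_hosts: List[str], admin_interfaces: List[str]) -> List[Flow]:
    """Every admin host to every admin interface address, for each admin service."""
    return [Flow(h, i, "tcp", port)
            for h in admin_hosts for i in admin_interfaces
            for port in ADMIN_SERVICES.values()]


def uncovered_admin_flows(explicit_rules: List[Rule], admin_hosts: List[str],
                          admin_interfaces: List[str]) -> List[Flow]:
    """Admin flows that the explicit policy alone would block once the
    implicit rules are gone, i.e. the flows that still need a rule."""
    return [f for f in admin_flows(admin_hosts, admin_interfaces)
            if decide(explicit_rules, f) != "pass"]


def service_name(port: int) -> str:
    return next((n for n, p in ADMIN_SERVICES.items() if p == port), str(port))


# Constructed sample: admin hosts in 10.0.10.0/24, dedicated admin interface 10.0.99.1.
ADMIN_HOSTS = ["10.0.10.5", "10.0.10.6"]
ADMIN_INTERFACES = ["10.0.99.1"]
EXPLICIT_RULES = [
    Rule("block", "10.0.10.6/32", "10.0.99.1/32", "tcp", 22),   # shadows the SSH pass below for one host
    Rule("pass", "10.0.10.0/24", "10.0.99.1/32", "tcp", 443),
    Rule("pass", "10.0.10.0/24", "10.0.99.1/32", "tcp", 22),
    # No rule for NSRPC: only the implicit rule currently allows it.
]

if __name__ == "__main__":
    missing = uncovered_admin_flows(EXPLICIT_RULES, ADMIN_HOSTS, ADMIN_INTERFACES)
    if missing:
        print("Do NOT disable the implicit administration rules yet; uncovered flows:")
        for f in missing:
            print(f"  {f.src} -> {f.dst} {f.proto}/{f.dport} ({service_name(f.dport)})")
    else:
        print("All administration flows are covered by explicit rules.")
```

With the sample ruleset the check reports three uncovered flows: NSRPC for both hosts (no explicit rule at all) and SSH for 10.0.10.6, which an earlier block rule shadows even though a broader pass rule follows it. Only when the list is empty is it safe to disable the corresponding implicit rules.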

INFORMATION
The NSRPC command monitor filter displays all the filter rules actually applied by the firewall, implicit rules included, and is the way to verify the effective policy rather than the Filter - NAT menu alone. Note that disabling the implicit rules for traffic from hosted services does not block the DNS requests sent by the SNS firewall itself; applying recommendation R26 limits that traffic.