Implicit rules

The SNS firewall is configured by default with implicit filter rules that are evaluated before manually defined filter rules. The purpose of such rules is to simplify the configuration process by allowing particular requests or access privileges. The Configuration > Security policy > Filter - NAT menu therefore does not show all the rules that the SNS firewall applies. As a result, a rule created by an administrator may never be evaluated because an opposing implicit rule, evaluated earlier, already matches the traffic.

R30 | SNS | Disable implicit rules
All implicit filter rules should be disabled, except the rule "Allow mutual access between the members of a firewall cluster (HA)". This operation can be performed in Configuration > Security policy > Implicit rules.

To avoid losing administration access, new filter rules must be created before the corresponding implicit rules are disabled. Depending on requirements, these rules must allow HTTPS, NSRPC or SSH traffic between the firewall and the groups defined in the chapter Configuring administration IP addresses, on the interfaces defined in the chapter Dedicated administration interface.
Likewise, to avoid degrading the performance of some features of the SNS firewall, new filter rules must be created before disabling the implicit rules for options and parameters that are in use. For ESP traffic, for example, the "Status tracking (stateful)" option is necessary to avoid degrading IPsec VPN performance.
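The shadowing effect described above and the "create first, then disable" order of R30, as an added example that is not part of the original guide and not Stormshield's code: a constructed first-match model of the filter (implicit rules before the administrator's rules) with illustrative object, interface and rule names (Admin_hosts, admin_if, Firewall_cluster, "Allow administration access"), not the real SNS defaults.

```python
from dataclasses import dataclass
HA_RULE = "Allow mutual access between the members of a firewall cluster (HA)"

@dataclass
class Rule:
    name: str
    action: str    # "pass" or "block"
    src: str       # source object or group; "any" is a wildcard
    service: str   # destination service (https, ssh, nsrpc, ...); "any" is a wildcard
    iface: str     # incoming interface; "any" is a wildcard
    enabled: bool = True

    def matches(self, src, service, iface):
        return (self.enabled and self.src in (src, "any")
                and self.service in (service, "any") and self.iface in (iface, "any"))

def evaluate(implicit, manual, src, service, iface):
    """First matching enabled rule wins; implicit rules are consulted before the
    administrator's rules. No match is treated as block (assumed default policy)."""
    for rule in implicit + manual:
        if rule.matches(src, service, iface):
            return rule.action, rule.name
    return "block", "default policy"

def default_implicit():  # constructed approximation, not the real SNS list
    return [Rule("Allow administration access", "pass", "any", "any", "any"),
            Rule(HA_RULE, "pass", "Firewall_cluster", "any", "ha_if")]

def admin_rules():  # explicit rules to create BEFORE disabling the implicit ones
    return [Rule(f"Admin {svc}", "pass", "Admin_hosts", svc, "admin_if")
            for svc in ("https", "ssh", "nsrpc")]

def disable_implicit(implicit):  # R30: disable everything except the HA rule
    for rule in implicit:
        rule.enabled = rule.name == HA_RULE
    return implicit

def admin_ok(implicit, manual, src="Admin_hosts", iface="admin_if"):
    return all(evaluate(implicit, manual, src, s, iface)[0] == "pass" for s in ("https", "ssh", "nsrpc"))

def scenarios():
    shadowed = (default_implicit(), [Rule("Deny admin from Internet", "block", "Internet", "https", "out")])
    wrong_order = (disable_implicit(default_implicit()), [])             # disabled first: lockout
    right_order = (disable_implicit(default_implicit()), admin_rules())  # rules created first
    return {"block rule never evaluated": evaluate(*shadowed, "Internet", "https", "out"),
            "admin locked out": not admin_ok(*wrong_order),
            "admin kept": admin_ok(*right_order),
            "internet admin blocked": evaluate(*right_order, "Internet", "https", "out"),
            "ha kept": evaluate(*right_order, "Firewall_cluster", "ha_sync", "ha_if")}
```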

The NSRPC command monitor filter displays all the filter rules currently applied, implicit rules included. Note that disabling the implicit rules for traffic from hosted services does not block the DNS requests sent by the SNS firewall itself; applying recommendation R26 limits such traffic.