When looking up Policy-based Rules, it is the first matching rule found that is triggered.
4.3.4. Routing Table Selection
When a packet corresponding to a new connection first arrives, the processing steps are as follows
to determine which routing table is chosen:
1. The Routing Rules must first be looked up, but to do this the packet's destination interface must be determined, and this is always done by a lookup in the main routing table. It is therefore important that a match for the destination network is found, or at least that a default all-nets route exists which can catch anything not explicitly matched.
2. A search is now made for a Policy-based Routing Rule that matches the packet's source/destination interface/network as well as its service. If a matching rule is found, it determines the routing table to use. If no Routing Rule is found, the main table will be used.
3. Once the correct routing table has been located, a check is made to make sure that the source IP address in fact belongs on the receiving interface. The Access Rules are first examined to see if they can provide this check (see Section 6.1, "Access Rules" for more details of this feature). If there are no Access Rules, or no match with the rules can be found, a reverse lookup in the previously selected routing table is done using the source IP address. If the check fails, a Default access rule log error message is generated.
4. Using the routing table selected, the actual route lookup is now done to find the packet's destination interface. Here the Ordering parameter is used to determine how the lookup is done; the options for this are described in the next section. To implement virtual systems, the Only ordering option should be used.
5. The connection is then subject to the normal IP rule set. If a SAT rule is encountered, address translation will be performed. The decision of which routing table to use is made before carrying out address translation, but the actual route lookup is performed on the translated address. Note that the original route lookup to find the destination interface used for all rule look-ups was done with the original, untranslated address.
6. If allowed by the IP rule set, the new connection is opened in the NetDefendOS state table and the packet is forwarded through this connection.
4.3.5. The Ordering parameter
Once the routing table for a new connection is chosen and that table is an alternate routing table, the
Ordering parameter associated with the table is used to decide how the alternate table is combined
with the main table to lookup the appropriate route. The three available options are:
1. Default - The default behavior is to first look up the route in the main table. If no matching route is found, or only the default route is found (the route with the destination all-nets, 0.0.0.0/0), a lookup for a matching route in the alternate table is done. If no match is found in the alternate table, the default route in the main table will be used.
2. First - This behavior is to first look up the connection's route in the alternate table. If no matching route is found there, the main table is used for the lookup. The default all-nets route will be counted as a match in the alternate table if it exists there.
3. Only - This option ignores the existence of any other table except the alternate table, so the alternate table is the only one used for the lookup. One application of this is to give the administrator a way to dedicate a single routing table to one set of interfaces. Only is the option to use when creating virtual systems, since it dedicates one routing table to a set of interfaces.
The first two options can be regarded as combining the alternate table with the main table and
assigning one route if there is a match in both tables.
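The following is an added example, not code from the NetDefendOS manual, that models how an alternate routing table is combined with the main table under the three Ordering options, together with the reverse source-address check from step 3 of the selection procedure. The tables, interface names and addresses are constructed for illustration.

```python
# Added example (not from the NetDefendOS manual): a model of how an
# alternate routing table is combined with main under the three Ordering
# options, plus the reverse source-address check of step 3. All tables,
# interface names and addresses below are constructed for illustration.
import ipaddress

ALL_NETS = ipaddress.ip_network("0.0.0.0/0")

def longest_match(table, addr):
    """Return the most specific (network, interface) entry covering addr, or None."""
    addr = ipaddress.ip_address(addr)
    best = None
    for network, iface in table:
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, iface)
    return best

def lookup(main, alt, ordering, dst):
    """Egress interface for dst when the selected table is alt with the given Ordering."""
    if ordering == "Only":
        # Only the alternate table is consulted; there is no fallback to main.
        hit = longest_match(alt, dst)
    elif ordering == "First":
        # Alternate first; an all-nets route in alt counts as a match.
        hit = longest_match(alt, dst) or longest_match(main, dst)
    elif ordering == "Default":
        # Main first; consult alt if main has no match or only its default route matched.
        hit = longest_match(main, dst)
        if hit is None or hit[0] == ALL_NETS:
            hit = longest_match(alt, dst) or hit
    else:
        raise ValueError("unknown Ordering: " + ordering)
    return hit[1] if hit else None

def source_check(main, alt, ordering, src, ingress):
    """Step 3: the reverse lookup of the source address must yield the receiving interface."""
    return lookup(main, alt, ordering, src) == ingress

def net(cidr):
    return ipaddress.ip_network(cidr)

# Constructed sample tables: main routes the whole 10/8 via "lan" with a default
# via "wan1"; the alternate table carves out 10.1/16 to "dmz" and defaults to "wan2".
MAIN = [(net("10.0.0.0/8"), "lan"), (net("0.0.0.0/0"), "wan1")]
ALT = [(net("10.1.0.0/16"), "dmz"), (net("0.0.0.0/0"), "wan2")]

if __name__ == "__main__":
    for mode in ("Default", "First", "Only"):
        print(mode, lookup(MAIN, ALT, mode, "10.1.2.3"), lookup(MAIN, ALT, mode, "8.8.8.8"))
```

Note that under Default ordering the more specific 10.1/16 route in the alternate table is never reached for 10.1.x.x, because the main table's 10/8 route is not the default route; only First or Only ordering honours it.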
Chapter 4. Routing