
Cisco Defense Orchestrator

Shadowed Rules

A network policy contains a shadowed rule when at least one rule in the policy can never trigger: every packet that rule would match is already matched by a rule that precedes it, so the packet is never evaluated against the shadowed rule.

For example, consider these network objects and network rules in the "example" network policy:

object network 02-50
 range 10.10.10.2 10.10.10.50
object network 02-100
 range 10.10.10.2 10.10.10.100

access-list example extended deny ip any4 object 02-50 
access-list example extended permit ip host 10.10.10.35 object 02-50 
access-list example extended permit ip any4 object 02-100 

No traffic will ever be evaluated by this rule,
access-list example extended permit ip host 10.10.10.35 object 02-50
because the rule before it,
access-list example extended deny ip any4 object 02-50
already denies traffic from any IPv4 address (which includes 10.10.10.35) to every address in the range 10.10.10.2 - 10.10.10.50.

This is how CDO displays the rules of the "example" network policy above:

[Figure: example_policy_shadow.png, the "example" policy as shown in CDO]

Notice that the rule on line 1 (the deny rule) is marked with a shadow warning badge because it is "shadowing" a rule in the policy. The action for the rule on line 2 (the permit for host 10.10.10.35) displays a shadow badge and is grayed out because that rule is entirely shadowed by another rule in the policy.

The last rule in this example can be triggered only some of the time; it is a partially shadowed rule. Traffic from any IPv4 address to an address in the range 10.10.10.2-10.10.10.50 never reaches it, because the first rule has already denied that traffic; traffic from any IPv4 address to an address in the range 10.10.10.51-10.10.10.100 is evaluated by the last rule and permitted.

Caution: CDO does not apply a shadow badge to partially shadowed rules, so a partially shadowed rule looks like any other rule in the policy. You have to find it yourself by comparing its source and destination ranges with those of the rules above it.
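Because a partially shadowed rule carries no badge, it helps to have a check that classifies every rule in a policy by how much of it earlier rules already cover. The script below is an added example written for this page; it is not CDO's or Cisco's code. It parses the "example" policy above (embedded as a constructed sample) into one inclusive address interval per source and destination, then cuts each rule's source x destination space at every boundary an earlier rule introduces, so each earlier rule either contains a cell or misses it entirely. A rule whose cells are all dead is shadowed; a rule with some dead cells is partially shadowed. It assumes ASA-style "access-list NAME extended ACTION PROTO SRC DST" lines, one range/host/subnet per network object, and no port or service matching (ports are ignored, which can over-report shadowing for TCP/UDP rules with different ports).

```python
import ipaddress

# Constructed sample input: the "example" policy from this page, as ASA CLI lines.
SAMPLE_CONFIG = """\
object network 02-50
 range 10.10.10.2 10.10.10.50
object network 02-100
 range 10.10.10.2 10.10.10.100
access-list example extended deny ip any4 object 02-50
access-list example extended permit ip host 10.10.10.35 object 02-50
access-list example extended permit ip any4 object 02-100
"""

ANY4 = (0, 2 ** 32 - 1)  # inclusive integer interval covering every IPv4 address


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def parse_objects(lines):
    """Map each 'object network' name to one inclusive (lo, hi) interval (assumption: one member per object)."""
    objects, current = {}, None
    for tok in (line.split() for line in lines):
        if tok[:2] == ["object", "network"]:
            current = tok[2]
        elif current is None:
            continue
        elif tok[0] == "range":
            objects[current] = (_ip(tok[1]), _ip(tok[2]))
        elif tok[0] == "host":
            objects[current] = (_ip(tok[1]), _ip(tok[1]))
        elif tok[0] == "subnet":
            net = ipaddress.IPv4Network(f"{tok[1]}/{tok[2]}")
            objects[current] = (int(net[0]), int(net[-1]))
        else:
            current = None  # any other line ends the object block
    return objects


def parse_addr(tok, i, objects):
    """Consume one ACE address spec starting at tok[i]; return ((lo, hi), next index)."""
    if tok[i] in ("any", "any4"):
        return ANY4, i + 1
    if tok[i] == "host":
        return (_ip(tok[i + 1]), _ip(tok[i + 1])), i + 2
    if tok[i] == "object":
        return objects[tok[i + 1]], i + 2
    net = ipaddress.IPv4Network(f"{tok[i]}/{tok[i + 1]}")  # "network mask" form
    return (int(net[0]), int(net[-1])), i + 2


def parse_acl(config):
    """Return the extended ACEs in policy order as dicts with src/dst intervals."""
    lines = [line.strip() for line in config.splitlines() if line.strip()]
    objects = parse_objects(lines)
    rules = []
    for line in lines:
        tok = line.split()
        if tok[0] != "access-list" or tok[2] != "extended":
            continue
        # access-list NAME extended ACTION PROTO SRC DST ...
        src, i = parse_addr(tok, 5, objects)
        dst, _ = parse_addr(tok, i, objects)
        rules.append({"line": line, "action": tok[3], "proto": tok[4], "src": src, "dst": dst})
    return rules


def _split(interval, preceding, key):
    """Cut an interval at every boundary an earlier rule introduces inside it."""
    lo, hi = interval
    cuts = {lo, hi + 1}
    for p in preceding:
        plo, phi = p[key]
        if lo < plo <= hi:
            cuts.add(plo)
        if lo <= phi < hi:
            cuts.add(phi + 1)
    pts = sorted(cuts)
    return [(pts[k], pts[k + 1] - 1) for k in range(len(pts) - 1)]


def _contains(rule, cell):
    (slo, shi), (dlo, dhi) = cell
    return (rule["src"][0] <= slo <= shi <= rule["src"][1]
            and rule["dst"][0] <= dlo <= dhi <= rule["dst"][1])


def classify(rules):
    """Label each rule 'active', 'partially shadowed' or 'shadowed' by the rules above it.

    Earlier rules with protocol 'ip' (or the same protocol) can shadow; the action of the
    earlier rule does not matter, since a deny above a permit shadows it just as a permit would.
    """
    labels = []
    for idx, rule in enumerate(rules):
        prev = [p for p in rules[:idx] if p["proto"] in ("ip", rule["proto"])]
        cells = [(s, d) for s in _split(rule["src"], prev, "src")
                 for d in _split(rule["dst"], prev, "dst")]
        dead = sum(any(_contains(p, c) for p in prev) for c in cells)
        labels.append("shadowed" if dead == len(cells)
                      else "partially shadowed" if dead else "active")
    return labels


def shadow_report(config=SAMPLE_CONFIG):
    """Return [(ACE line, label), ...] in policy order."""
    rules = parse_acl(config)
    return list(zip((r["line"] for r in rules), classify(rules)))


if __name__ == "__main__":
    for line, label in shadow_report():
        print(f"{label:20} {line}")
```

Run against the sample, the deny rule is reported as active, the host 10.10.10.35 permit as shadowed, and the any4 to 02-100 permit as partially shadowed, which is exactly the case CDO leaves unbadged. Swapping the first two rules makes the host permit active and the deny partially shadowed, so the same check also catches the ordering mistake in the other direction.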


Related Topics

Resolving Shadow Rule Issues
