Guidelines for Using the flowbits Keyword

Note the following when using the flowbits keyword:

• When using the setx operator, the specified state can only belong to the specified group, and not to any other group.

• You can define the setx operator multiple times, specifying different states and the same group with each instance.

• When you use the setx operator and specify a group, you cannot use the set, toggle, or unset operators on that specified group.

• The isset and isnotset operators evaluate for the specified state regardless of whether the state is in a group.

• During intrusion policy saves, intrusion policy reapplies, and access control policy applies (regardless of whether the access control policy references one intrusion policy or multiple intrusion policies), if you enable a rule that contains the isset or isnotset operator without a specified group, and you do not enable at least one rule that affects flowbits assignment (set, setx, unset, toggle) for the corresponding state name and protocol, all rules that affect flowbits assignment for the corresponding state name are enabled.

• During intrusion policy saves, intrusion policy reapplies, and access control policy applies (regardless of whether the access control policy references one intrusion policy or multiple intrusion policies), if you enable a rule that contains the isset or isnotset operator with a specified group, all rules that affect flowbits assignment (set, setx, unset, toggle) and define a corresponding group name are also enabled.