Tunnel vs Prefilter Rules
Whether you configure a tunnel or prefilter rule depends on the specific type of traffic you want to match and the actions or further analysis you want to perform.
| Characteristic | Tunnel Rules | Prefilter Rules |
|---|---|---|
| Primary function | Quickly fastpath, block, or rezone plaintext, passthrough tunnels. | Quickly fastpath or block any other connection that benefits from early handling. |
| Encapsulation and port/protocol criteria | Encapsulation conditions match only plaintext tunnels over selected protocols, listed in Encapsulation Rule Conditions. | Port conditions can use a wider range of port and protocol constraints than tunnel rules; see Port, Protocol, and ICMP Code Rule Conditions. |
| Network criteria | Tunnel endpoint conditions constrain the endpoints of the tunnels you want to handle; see Network Rule Conditions. | Network conditions constrain the source and destination hosts in each connection; see Network Rule Conditions. |
| Direction | Bidirectional or unidirectional (configurable). Tunnel rules are bidirectional by default, so they can handle all traffic between tunnel endpoints. | Unidirectional only (nonconfigurable). Prefilter rules match source-to-destination traffic only. Return traffic for allowed connections is also permitted. |
| Rezone sessions for further analysis | Supported, using tunnel zones; see Tunnel Zones and Prefiltering. | Not supported. |