Moving Access Control Rules to a Prefilter Policy
You can move access control rules from an access control policy to the associated non-default prefilter policy.
You must first apply a user-defined prefilter policy to the access control policy. The access control rules cannot be moved to the default prefilter policy because the default prefilter policy cannot have rules.
Before you begin
Note the following conditions before you proceed:
- When moving an access control rule to a prefilter policy, the layer 7 (L7) parameters in the access control rule cannot be moved. The L7 parameters are dropped during the operation.
- The comments in the access control rule configuration are lost after moving the rule. However, a new comment is added in the moved rule mentioning the source access control policy.
- You cannot move access control rules with Monitor set as the Action parameter.
- The Action parameter in the access control rule is changed to a suitable action in the prefilter rule when moved. To know what each action in the access control rule maps to, see the following table:

  Action in the access control rule | Action in the prefilter rule
  ----------------------------------|-----------------------------
  Allow                             | Analyze
  Block                             | Block
  Block with reset                  | Block
  Interactive Block                 | Block
  Interactive Block with reset      | Block
  Trust                             | Fastpath
- Similarly, based on the action configured in the access control rule, the logging configuration is set to an appropriate setting after the rule is moved, as shown in the following table:

  Action in the access control rule | Enabled logging configurations in the prefilter rule
  ----------------------------------|-----------------------------------------------------
  Allow                             | None of the check boxes are checked.
  Block                             | Log at Beginning of Connection; Event Viewer; Syslog Server; SNMP Trap
  Block with reset                  | Log at Beginning of Connection; Event Viewer; Syslog Server; SNMP Trap
  Interactive Block                 | Log at Beginning of Connection; Event Viewer; Syslog Server; SNMP Trap
  Interactive Block with reset      | Log at Beginning of Connection; Event Viewer; Syslog Server; SNMP Trap
  Trust                             | Log at Beginning of Connection; Log at End of Connection; Event Viewer; Syslog Server; SNMP Trap

- While you are moving rules from the source policy, if another user modifies those rules, you will see a message. You may continue with the process after refreshing the page.
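The conditions above amount to a deterministic transformation of each rule, and the parts that are silently discarded (L7 conditions, comments) are exactly the parts worth reviewing before clicking Move: a Trust rule that was scoped to an application becomes a Fastpath rule matched on its L3/L4 criteria only, so its scope widens. The following Python model is an added example, not Cisco code; it encodes the two tables and the restrictions from this list, and the attribute names (applications, urls, users, zones, networks, ports) and the default policy display name are assumptions used for illustration.

```python
# Added example (not Cisco code): models the access control rule -> prefilter
# rule conversion described in "Before you begin" so a move can be audited
# first. Field names and DEFAULT_PREFILTER_POLICY are assumptions.
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

DEFAULT_PREFILTER_POLICY = "Default Prefilter Policy"  # assumed display name

# Table 1: access control action -> prefilter action
ACTION_MAP: Dict[str, str] = {
    "Allow": "Analyze",
    "Block": "Block",
    "Block with reset": "Block",
    "Interactive Block": "Block",
    "Interactive Block with reset": "Block",
    "Trust": "Fastpath",
}

# Table 2: access control action -> logging check boxes enabled after the move
_BLOCK_LOGGING: Set[str] = {
    "Log at Beginning of Connection", "Event Viewer", "Syslog Server", "SNMP Trap",
}
LOGGING_MAP: Dict[str, Set[str]] = {
    "Allow": set(),
    "Block": set(_BLOCK_LOGGING),
    "Block with reset": set(_BLOCK_LOGGING),
    "Interactive Block": set(_BLOCK_LOGGING),
    "Interactive Block with reset": set(_BLOCK_LOGGING),
    "Trust": _BLOCK_LOGGING | {"Log at End of Connection"},
}

# Layer 7 conditions a prefilter rule cannot carry (attribute names assumed)
L7_FIELDS: Tuple[str, ...] = ("applications", "urls", "users")


@dataclass
class AccessControlRule:
    name: str
    action: str
    source_policy: str
    zones: List[str] = field(default_factory=list)
    networks: List[str] = field(default_factory=list)
    ports: List[str] = field(default_factory=list)
    applications: List[str] = field(default_factory=list)
    urls: List[str] = field(default_factory=list)
    users: List[str] = field(default_factory=list)
    comments: List[str] = field(default_factory=list)


@dataclass
class PrefilterRule:
    name: str
    action: str
    zones: List[str]
    networks: List[str]
    ports: List[str]
    logging: Set[str]
    comments: List[str]


def audit_move(rule: AccessControlRule) -> List[str]:
    """Return the warnings an administrator should review before moving the rule."""
    warnings = []
    for f in L7_FIELDS:
        if getattr(rule, f):
            warnings.append(f"{rule.name}: {f} condition {getattr(rule, f)} will be dropped")
    if rule.comments:
        warnings.append(f"{rule.name}: {len(rule.comments)} comment(s) will be lost")
    if rule.action == "Trust" and any(getattr(rule, f) for f in L7_FIELDS):
        warnings.append(f"{rule.name}: Trust becomes Fastpath matched on L3/L4 criteria "
                        "only; the rule's scope widens once the L7 condition is dropped")
    return warnings


def move_rule(rule: AccessControlRule, prefilter_policy: str) -> PrefilterRule:
    """Produce the prefilter rule that moving `rule` into `prefilter_policy` yields."""
    if prefilter_policy == DEFAULT_PREFILTER_POLICY:
        raise ValueError("the default prefilter policy cannot have rules")
    if rule.action == "Monitor":
        raise ValueError(f"{rule.name}: rules with the Monitor action cannot be moved")
    if rule.action not in ACTION_MAP:
        raise ValueError(f"{rule.name}: unknown action {rule.action!r}")
    return PrefilterRule(
        name=rule.name,
        action=ACTION_MAP[rule.action],
        zones=list(rule.zones),
        networks=list(rule.networks),
        ports=list(rule.ports),
        logging=set(LOGGING_MAP[rule.action]),
        # original comments are lost; one new comment names the source policy
        comments=[f"Moved from access control policy '{rule.source_policy}'"],
    )


if __name__ == "__main__":
    # Constructed sample rule: a Trust rule scoped to one application.
    r = AccessControlRule(name="trust-backup", action="Trust", source_policy="Corp-ACP",
                          networks=["10.0.0.0/8"], ports=["TCP/445"],
                          applications=["SMB"], comments=["ticket 123"])
    for w in audit_move(r):
        print("WARNING:", w)
    print(move_rule(r, "Corp-Prefilter"))
```

Running `audit_move` over every rule selected for the move, before performing it, gives a reviewable list of what the operation discards; `move_rule` shows the action and logging settings the moved rule will end up with, which is useful when comparing the prefilter policy after deployment against expectations.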
Procedure
Step 1: Do one of the following:
Step 2: From the Place Rules drop-down list, choose where you want to position the moved rules:
Step 3: Click Move.
What to do next
- Deploy configuration changes.