Service precedence
3. If you are using the HTTP proxy service because you want to use WebBlocker,
   follow the procedure in the next section. Otherwise, enable HTTP proxy
   properties according to your security policy preferences.
   For detailed descriptions of HTTP proxy options, see the Reference Guide.
4. Click the Safe Content tab.
5. Add or remove properties according to your security policy preferences. Click OK.
Service precedence
Precedence is generally given to the most specific service and descends to the most
general service. However, exceptions exist. There are three different precedence
groups for services:
• The “Any” service (see the Online Help system for information about the
“Any” packet filter service). This group has the highest precedence.
• IP and ICMP services and all TCP/UDP services that have a port number
specified. This group has the second highest precedence and is the largest of the
three.
• “Outgoing” services that do not specify a port number (they apply to any port).
This group includes Outgoing TCP, Outgoing UDP, and Proxy.
“Multiservices” can contain subservices of more than one precedence group.
“Filtered-HTTP” and “Proxied-HTTP,” for example, contain both a port-specific TCP
subservice for port 80 as well as a nonport subservice that covers all other TCP
connections. When precedence is being determined, individual subservices are given
precedence according to their group (described previously) independent of the other
subservices contained in the multiservice.
Precedence is determined by group first. Services from a higher precedence group
always have higher precedence than the services of a lower-precedence group,
regardless of their individual settings (for example, the lowest precedence “Any”
service will take precedence over the highest precedence Telnet service).
Within a precedence group, services are ordered from the most specific service to
the least specific service, based on the specificity of their source and destination
targets. The following order is used:
From    To      Rank
IP      IP      0
List    IP      1
IP      List    2
List    List    3

Note: Zip files are denied when you deny Java or ActiveX applets, because zip files
often contain these applets.
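The ordering described in this section (group first, then From/To rank within a group) can be checked against a policy before it is deployed. The following is an added example, not code from the guide or from WatchGuard: the Subservice model, the rule that a single-entry target counts as "IP" and a multi-entry target as "List", the stable tie-break, and the sample addresses are all assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Precedence groups from this page; a lower number wins.
GROUP_ANY, GROUP_PORT, GROUP_NONPORT = 0, 1, 2
# (From, To) -> rank, copied from the table on this page.
RANK = {("IP", "IP"): 0, ("List", "IP"): 1, ("IP", "List"): 2, ("List", "List"): 3}

@dataclass(frozen=True)
class Subservice:              # hypothetical model, not a Firebox data structure
    service: str               # owning service or multiservice
    protocol: str              # "any", "ip", "icmp", "tcp" or "udp"
    port: Optional[int]        # None = applies to any port
    sources: Tuple[str, ...]   # From targets
    dests: Tuple[str, ...]     # To targets

def group(sub):
    if sub.protocol == "any":
        return GROUP_ANY
    if sub.protocol in ("ip", "icmp") or sub.port is not None:
        return GROUP_PORT
    return GROUP_NONPORT       # Outgoing TCP, Outgoing UDP, Proxy

def kind(targets):
    # Assumption: one entry counts as "IP", several as "List".
    return "IP" if len(targets) == 1 else "List"

def rank(sub):
    return RANK[(kind(sub.sources), kind(sub.dests))]

def order(subservices):
    # Group decides first; rank only orders subservices within one group.
    # sorted() is stable, so ties keep input order (an assumption).
    return sorted(subservices, key=lambda s: (group(s), rank(s)))

# Constructed sample policy (documentation addresses, not from the guide).
ONE, TWO = ("192.0.2.10",), ("192.0.2.10", "192.0.2.11")
SRV, SRVS = ("198.51.100.5",), ("198.51.100.5", "198.51.100.6")
SAMPLE = [
    Subservice("Telnet", "tcp", 23, ONE, SRV),
    Subservice("Proxied-HTTP", "tcp", None, TWO, SRV),  # nonport subservice
    Subservice("SMTP", "tcp", 25, ONE, SRVS),
    Subservice("Any", "any", None, TWO, SRVS),
    Subservice("Proxied-HTTP", "tcp", 80, TWO, SRV),    # port-80 subservice
]

if __name__ == "__main__":
    for s in order(SAMPLE):
        print(group(s), rank(s), s.service, s.port)
```

The two Proxied-HTTP subservices land in different groups, so the broad "Any" service and the narrow Telnet service both sort ahead of the multiservice's nonport half.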