About Rules and Rulesets
When you configure a proxy policy or ALG (application layer gateway), you must select a proxy action to use. You can use either a predefined proxy action or create a new proxy action. Each proxy action contains rules. Rules are sets of criteria to which a proxy compares traffic.
A rule consists of a type of content, pattern, or expression, and the action of the Firebox when a component of the packet’s content matches that content, pattern, or expression. Rules also include settings for when the Firebox sends alarms or creates a log entry. A ruleset is a group of rules based on one feature of a proxy such as the content types or filenames of email attachments.
Your Firebox configuration includes default sets of rules in proxy actions used by each proxy policy. Separate sets of rules are provided for clients and servers, to protect both your trusted users and your public servers. You can use the default configuration for these rules, or you can customize them for your particular business purposes. You cannot modify or delete predefined proxy actions. If you want to make changes to a predefined proxy action, you can clone it a new proxy action and then make the necessary changes in the new proxy action.
About Working with Rules and Rulesets
When you edit a proxy action, you can see the list of rulesets that apply to that proxy action. You can expand each ruleset to see and edit the rules for that proxy action.
WatchGuard provides a set of predefined rulesets that provide a good balance of security and accessibility for most installations. If a default ruleset does not meet all of your business needs, you can Add, Change, or Delete Rules.
To configure rulesets for a proxy action:
- Select Firewall > Proxy Actions.
The Proxy Actions page appears.
- Double-click a proxy action to edit it.
The Proxy Actions / Edit page appears.
- Add, Change, or Delete Rules.
Simple and Advanced Views in Policy Manager
You can see rules in proxy definitions in two ways: simple view and advanced view.
- Simple view — Select this view to configure wildcard pattern matching with simple regular expressions.
- Advanced view — Shows the action for each rule. Select this view to edit, clone (use an existing rule definition to start a new one), delete, or reset rules. You can also use the advanced view to configure exact match and Perl-compatible regular expressions.
After you have used the advanced view, you can only change to the simple view if all enabled rules have the same action, alarm, or log settings. For example, if you have five rules with four set to Allow and one set to Deny, you must continue to use the advanced view.
Configure Rulesets and Change the View in Policy Manager
To configure rulesets for a policy, from Policy Manager:
- Double-click a policy or add a new policy.
The Policy Properties dialog box appears with the Policy tab selected.
- Adjacent to the Proxy action drop-down list, click .
The Proxy Action Configuration dialog box appears.
- To change the view, click Change View.
- Add, Change, or Delete Rules.
Ruleset Precedence in Proxy Actions
When a proxy action includes rulesets that specify different actions for the same traffic, such as Allow, AV Scan, or Deny, the Firebox determines which action to take as follows:
- The Firebox compares traffic to rulesets when transaction data becomes available. For example, for HTTP proxy actions, the Firebox checks HTTP Request rulesets before HTTP Response rulesets because HTTP request data is available first.
- When traffic matches a ruleset and the specified action is Block, Drop, or Deny, the Firebox performs that action and does not check other rulesets in the proxy action. If the specified action is not Block, Drop, or Deny, the Firebox continues to check other rulesets.
- If no rulesets specify a Block, Drop, or Deny action, the Firebox performs the action with the highest precedence from rulesets that match the traffic. From highest to lowest, the action precedence is: Block, Drop, Deny, Strip, Quarantine, Lock, AV Scan, Allow.
For example, you could configure an SMTP proxy action with these rulesets:
- Filenames ruleset — Configured to Allow files named benefits.docx
- Content Types ruleset — Configured to AV Scan files with a content type of application/msword
With these rulesets, when an email with an attached Word document named benefits.docx enters your network, the SMTP proxy scans the attachment for viruses. This is because the AV Scan action in the Content Types ruleset takes precedence over the Allow action in the Filenames ruleset.