Rule Lists

A rule list identifies IP traffic at layer 3-4, and applies actions to that traffic. Initially, the rule list will be used in security filters.

A rule list will consist of a series of rules.

A rule contains:

  • Match group: Contains one match. In future versions of the product, multiple matches within a match group will be supported.
  • Match: a layer 3-4 traffic definition
  • Action group: Contains one action. In future versions of the product, multiple actions within an action group will be supported.
  • Action: the action that will be applied to matched traffic

Rules will be ordered in the list according to their priority value, with the lowest priority value at the top of the list.

Below is an example of a Security Filter Rule List with 3 rules ordered according to their priority values:

Fig 1: A Rule List

Once configured, a rule list will be globally available for use at any of your Alef Edge Points.

Match parameters

A match can consist of up to 5 parameters consisting of:

  • Protocol (TCP, UDP, ICMP, IP)
  • Source IP address/subnet
  • Destination IP address/subnet
  • Source port number
  • Destination port number

You can create a match using any or all of these parameters. You may also add a comment to each match for your reference.

Security filter rule lists

The first type of rule list that will be available on the Alef Edge Platform will be the security filter rule list.

The security filter rule list will have the following characteristics:

  • It may have a name configured by you, and will always have an ID generated by the system.
  • It will be applied in one direction, the default being ingress (from the mobile device, ingressing into your network).
  • Each rule will only have one action, either DROP or ACCEPT. Future versions will introduce ‘REJECT’ which will drop the packet and send an ICMP message to the sender.
  • Rules and matches will be processed from the top down. Once a match is made, the action will be applied to the matching packet and processing will stop.
  • The Security Filter rule list will always have an implicit rule at the end that drops all remaining IP traffic.
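The following Python model is an added example, not code from the Alef Edge Platform, covering both the match parameters above and the security filter processing just described: a match with up to five optional parameters, rules ordered by ascending priority, first-match-wins evaluation, and the implicit drop at the end. Everything in it is assumed for illustration: the `Match`, `Rule` and `SecurityFilterRuleList` names, the counter used for system-generated IDs, the packet-as-dict representation, the three-rule list, and the reading that protocol "IP" matches any IP protocol.

```python
import ipaddress
import itertools
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical stand-in for the platform's system-generated IDs (format not given on the page).
_id_counter = itertools.count(1)


@dataclass(frozen=True)
class Match:
    """One layer 3-4 traffic definition; any parameter left as None is a wildcard."""
    protocol: Optional[str] = None   # "TCP", "UDP", "ICMP" or "IP"
    src: Optional[str] = None        # source address or subnet in CIDR form
    dst: Optional[str] = None        # destination address or subnet in CIDR form
    sport: Optional[int] = None      # source port (TCP/UDP only)
    dport: Optional[int] = None      # destination port (TCP/UDP only)
    comment: str = ""                # free-text note for the operator's reference

    def matches(self, pkt: dict) -> bool:
        # Assumption: protocol "IP" matches any IP protocol; the others match exactly.
        if self.protocol not in (None, "IP") and pkt["protocol"] != self.protocol:
            return False
        for cidr, addr in ((self.src, pkt["src"]), (self.dst, pkt["dst"])):
            if cidr is not None and ipaddress.ip_address(addr) not in ipaddress.ip_network(cidr, strict=False):
                return False
        # ICMP packets carry no ports; a port parameter simply never matches them.
        for want, have in ((self.sport, pkt.get("sport")), (self.dport, pkt.get("dport"))):
            if want is not None and have != want:
                return False
        return True


@dataclass(frozen=True)
class Rule:
    priority: int    # lower value = evaluated earlier
    match: Match     # the single match in this rule's match group
    action: str      # the single action in this rule's action group: "ACCEPT" or "DROP"

    def __post_init__(self) -> None:
        if self.action not in ("ACCEPT", "DROP"):
            raise ValueError(f"unsupported action {self.action!r}")


class SecurityFilterRuleList:
    def __init__(self, name: str, direction: str = "ingress"):
        self.name = name
        self.id = next(_id_counter)   # system-generated, not chosen by the operator
        self.direction = direction
        self._rules: List[Rule] = []

    def add(self, rule: Rule) -> None:
        self._rules.append(rule)

    def ordered_rules(self) -> List[Rule]:
        """Rules as the filter processes them: lowest priority value first."""
        return sorted(self._rules, key=lambda r: r.priority)

    def evaluate(self, pkt: dict) -> Tuple[str, Optional[int]]:
        """Return (action, priority of the matching rule); priority is None for the implicit drop."""
        for rule in self.ordered_rules():
            if rule.match.matches(pkt):
                return rule.action, rule.priority   # first match wins and processing stops
        return "DROP", None                          # implicit drop of everything left unmatched


def build_example_list() -> SecurityFilterRuleList:
    """Constructed three-rule list, deliberately added out of priority order."""
    rl = SecurityFilterRuleList("example-ingress")
    rl.add(Rule(30, Match(protocol="IP", src="192.168.1.0/24", comment="trusted device subnet"), "ACCEPT"))
    rl.add(Rule(10, Match(protocol="TCP", dst="10.0.0.0/24", dport=443, comment="web tier"), "ACCEPT"))
    rl.add(Rule(20, Match(protocol="UDP", comment="no UDP from devices"), "DROP"))
    return rl


if __name__ == "__main__":
    rl = build_example_list()
    for pkt in (
        {"protocol": "UDP", "src": "192.168.1.5", "dst": "10.0.0.7", "sport": 5000, "dport": 53},
        {"protocol": "TCP", "src": "172.16.0.1", "dst": "10.0.0.7", "sport": 1, "dport": 22},
    ):
        print(pkt["protocol"], pkt["src"], "->", rl.evaluate(pkt))
```

The UDP packet from the trusted subnet is dropped by the priority-20 rule even though the priority-30 rule would accept it, which is the ordering point the list above makes; the TCP packet to port 22 matches nothing and falls through to the implicit drop, reported with a `None` priority so a log line can tell explicit from implicit drops.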

Security filter rule lists for NAC

The first application of the security filter rule list we will support is for NAC. A preconfigured named rule list will be invoked with a Filter-Id RADIUS attribute in the RADIUS Access-Accept message.

The rule list for NAC will:

  • Be stateless
  • Be applied to the NAC Session of a mobile device
  • Only be applied to traffic ingressing your network from a mobile device
  • Consist of L3-4 filtering
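As an added example (not the platform's own code) of the NAC hook described above, the block below decodes a RADIUS Access-Accept, pulls out its Filter-Id attribute and uses the value to select a preconfigured named rule list. The RADIUS codes, the attribute layout and the Filter-Id type (11) are as defined in RFC 2865; the function names, the sample packets, the `named_lists` table and the policy that an unknown or absent name selects no list are assumptions made for the example, and authenticator verification is deliberately left out and noted in a comment.

```python
import struct
from typing import Dict, List, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RADIUS codes (RFC 2865)
USER_NAME, FILTER_ID = 1, 11                            # attribute types (RFC 2865)
HEADER_LEN = 20                                         # code, identifier, length, 16-byte authenticator


def parse_attributes(payload: bytes) -> List[Tuple[int, bytes]]:
    """Walk the type/length/value attribute list, rejecting malformed lengths."""
    attrs, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError(f"bad length {alen} for attribute type {atype}")
        attrs.append((atype, payload[i + 2:i + alen]))
        i += alen
    return attrs


def filter_ids(packet: bytes) -> List[str]:
    """Return the Filter-Id values carried by an Access-Accept; empty for any other code."""
    if len(packet) < HEADER_LEN:
        raise ValueError("short RADIUS packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    # Caveat: a real NAS verifies the Response Authenticator with the shared secret before
    # acting on any attribute; this example performs structural checks only.
    if code != ACCESS_ACCEPT:
        return []
    return [value.decode("ascii") for atype, value in parse_attributes(packet[HEADER_LEN:])
            if atype == FILTER_ID]


def select_rule_list(packet: bytes, named_lists: Dict[str, object]) -> Optional[str]:
    """Name of the preconfigured rule list to apply to this NAC session, or None.

    Assumption: exactly one Filter-Id is expected, and a missing or unknown name yields
    None so the caller can refuse the session instead of passing traffic unfiltered.
    """
    names = filter_ids(packet)
    if len(names) != 1 or names[0] not in named_lists:
        return None
    return names[0]


def build_packet(code: int, ident: int, attrs: List[Tuple[int, bytes]]) -> bytes:
    """Constructed test packet with a zeroed authenticator (no shared secret is involved here)."""
    body = b"".join(bytes([atype, 2 + len(value)]) + value for atype, value in attrs)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + bytes(16) + body


if __name__ == "__main__":
    # Constructed sample: two named ingress lists and an Access-Accept naming one of them.
    lists = {"nac-guest": "rule list object", "nac-staff": "rule list object"}
    accept = build_packet(ACCESS_ACCEPT, 7, [(USER_NAME, b"device01"), (FILTER_ID, b"nac-guest")])
    print("selected:", select_rule_list(accept, lists))
```

Because the list named by Filter-Id is looked up rather than parsed from the attribute, the RADIUS server can only choose among lists that already exist on the platform, which matches the "preconfigured named rule list" wording above.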