Firewall Filter Policy of Vigor 3900

The Vigor 3900 firewall offers three different types of Filter Action. This note explains the difference between them.

When the Vigor 3900 firewall receives a packet, it checks whether the packet matches any Filter Rule in IP Filter, working through the IP Filter groups in order. Which Filter Groups/Rules are checked first depends on the order of the Filter Groups/Rules that have been created.

If this packet doesn't match any Filter Rule in IP Filter, it will move on to check Application Filter, URL/Web Category Filter and then QQ Filter. If there is still no matched Filter Rule, the Default Policy will be applied.

If the packet matches a Filter Rule in IP Filter, the action of that Filter Rule will be applied. There are three possible actions:

  1. Accept/Block Immediately.

  2. Accept/Block if No Further Match with Next Group specified.

  3. Accept/Block if No Further Match with Next Group left blank.

A. Accept/Block Immediately

  1. Once the packet matches a Filter Rule whose action is Accept/Block Immediately, it will be accepted or blocked by the router immediately, and all the rest of the Filter Rules will be ignored.

B. Accept/Block if No Further Match with Next Group specified

  1. If the packet matches a Filter Rule whose action is “Accept/Block if No Further Match” and a specific group is selected as Next Group, the router will check the Filter Rules in that group, in order, to see if any rule matches.

  2. Once the router finds a matched Filter Rule in that group, the action of that newly matched Filter Rule will be applied, and the rest of the Filter Rules in the Group will be ignored.

  3. If the packet doesn't match any Filter Rule in the Next Group, then the router will move on to check Application Filter, URL/WCF Filter, and then QQ Filter to check if there is any Filter Rule matched.

  4. Once the router finds a matched Filter Rule in the other filters, the action of that newly matched Filter Rule will be applied.

  5. If the packet doesn't match any Filter Rule in other filters, then it will be accepted or blocked according to the action of the original matched Filter Rule.

C. Accept/Block if No Further Match with Next Group left blank

  1. If the packet matches a Filter Rule whose action is Accept/Block if No Further Match but the Next Group is left blank, the router will move on to Application Filter, URL/Web Category Filter and then QQ Filter to check if there is any Filter Rule matched.

  2. Once the router finds a matched Filter Rule in the other filters, the action of that newly matched Filter Rule will be applied.

  3. If the packet doesn't match any Filter Rule in other filters, then it will be accepted or blocked according to the action of the original matched Filter Rule. 
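
The evaluation order for actions A, B and C can be modelled in a few lines to check what a rule set will actually do before it is deployed. This is an added example, not DrayTek code: the rule format, the group and rule names, the addresses and the verdict() helper are all constructed for illustration, and it assumes a match found in a Next Group is final.

```python
# Added illustration (not DrayTek code): models the evaluation order described above.
IMMEDIATE, IF_NO_FURTHER = "immediately", "if_no_further_match"

def first_match(rules, pkt):
    """Return the first rule, in list order, whose predicate matches the packet."""
    return next((r for r in rules if r["match"](pkt)), None)

def evaluate(pkt, ip_groups, other_filters, default_policy):
    """ip_groups / other_filters: ordered lists of (name, rules). Returns (verdict, reason)."""
    hit = None
    for _, rules in ip_groups:                      # IP Filter: groups, then rules, in order
        hit = first_match(rules, pkt)
        if hit:
            break
    if hit and hit["action"] == IMMEDIATE:          # A: all remaining rules are ignored
        return hit["verdict"], "immediate: " + hit["name"]
    if hit and hit["next_group"]:                   # B: consult the named Next Group
        nxt = first_match(dict(ip_groups)[hit["next_group"]], pkt)
        if nxt:                                     # assumption: this verdict is final
            return nxt["verdict"], "next group: " + nxt["name"]
    for fname, rules in other_filters:              # Application, URL/WCF, then QQ
        m = first_match(rules, pkt)
        if m:
            return m["verdict"], fname + ": " + m["name"]
    if hit:                                         # B.5 / C.3: original rule decides
        return hit["verdict"], "original rule: " + hit["name"]
    return default_policy, "default policy"

def rule(name, match, verdict, action=IMMEDIATE, next_group=None):
    return dict(name=name, match=match, verdict=verdict, action=action, next_group=next_group)

# Constructed sample policy; every name and address here is hypothetical.
IP_GROUPS = [
    ("lan", [
        rule("block-telnet", lambda p: p["dport"] == 23, "block"),
        rule("admin-host", lambda p: p["src"] == "192.168.1.99", "accept"),
        rule("guest-net", lambda p: p["src"].startswith("192.168.2."), "accept", IF_NO_FURTHER, "guest"),
        rule("staff-net", lambda p: p["src"].startswith("192.168.1."), "accept", IF_NO_FURTHER),
    ]),
    ("guest", [rule("guest-no-smtp", lambda p: p["dport"] == 25, "block")]),
]
OTHER_FILTERS = [("Application", [rule("block-p2p", lambda p: p["app"] == "p2p", "block")]),
                 ("URL/WCF", []), ("QQ", [])]

def verdict(src, dport, app="web"):
    return evaluate({"src": src, "dport": dport, "app": app}, IP_GROUPS, OTHER_FILTERS, "block")
```

In this sample, p2p traffic from the admin-host address is accepted because its Accept Immediately rule ends evaluation before the Application Filter is consulted, while the same traffic from the staff network is blocked because its rule is Accept if No Further Match.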

Published: Wednesday, October 8, 2014