Certain fields in the rules are only available if the target firewall platform supports them. For example, the iptables firewall provides controls for logging of matched packets, while Cisco PIX does not; PIX always logs every packet it drops. Where possible, the policy compiler tries to emulate the missing feature. For example, OpenBSD PF does not support negation natively, but the policy compiler provides a workaround and tries to emulate this feature for PF. Another example is policy rules with "Outbound" direction. Cisco PIX supports only inbound access lists, so the policy compiler emulates outbound Access Lists while generating configuration for PIX. Table 7.1 represents a list of fields in the rules and which firewall platforms support them. Information about these fields and features is available for Firewall Builder GUI that disables corresponding menu items and hides associated policy elements when they are not supported.
Table 7.1. Rule Features Available on Different Platforms
|Firewall Platform||Source||Destination||Service||Time Interval||Direction||Action||Logging/ Options||Comment||Negation in Policy rules||Negation in NAT rules|
Copyright © 2000-2012 NetCitadel, Inc. All rights reserved.
Using free CSS Templates.