Some requirements of the firewall cannot be met by a single rule. If the firewall is used to limit the Internet traffic of several departments (each in its own IP subnet), no single rule can enforce both the per-department limits and a common upper limit at the same time. For example, if each of three departments may use at most 512 kbps, but the combined data rate of all three departments must not exceed 1024 kbps, then the data packets must be checked in several stages:
- The first stage checks that the current data rate of each individual department does not exceed the limit of 512 kbps.
- The second stage checks that the data rate of all the departments together does not exceed the limit of 1024 kbps.
Normally the list of firewall rules is applied to a received data packet sequentially. As soon as one rule applies, its action is executed and the firewall check for that packet is complete; no further rules are applied to it.
To implement two-stage or multi-level checks, the “Observe further rules” option is enabled for the rules concerned. If a firewall rule with the “Observe further rules” option enabled applies to a data packet, its action is executed first and the firewall inspection then continues with the remaining rules. If another rule also applies to this packet, the action of that rule is executed as well. If the “Observe further rules” option is also enabled for this subsequent rule, the inspection continues until
- either a rule without the “Observe further rules” option applies to the packet,
- or the list of firewall rules has been processed completely and no further rule applies to the packet.
To implement the scenario above, a firewall rule is set up for each subnet that drops any further FTP and HTTP packets once the subnet's data rate reaches 512 kbps. For these three rules, the “Observe further rules” option is enabled. An additional rule for all stations in the LAN drops all packets that exceed a total of 1024 kbps. Because rules are processed in list order, the three per-subnet rules must precede the LAN-wide rule; the LAN-wide rule itself is the final stage and does not need the option. Without the option on the per-subnet rules, a packet that passed the 512 kbps check would end the inspection there and the 1024 kbps limit would never be applied to it.
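The following Python model, added here as an illustration and not the product's own code, shows how the sequential rule walk with the “Observe further rules” flag produces the two-stage limit. The rule engine, the one-second fixed-window rate meter, the subnets (10.1.0.0/24, 10.2.0.0/24, 10.3.0.0/24 inside 10.0.0.0/8) and the traffic are all constructed for the example; the firewall's real measurement algorithm is not shown on the page. Running it with and without the flag shows that only with the flag does the LAN-wide 1024 kbps rule ever see FTP/HTTP packets that passed their department's 512 kbps check.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Tuple

# Constructed example: rule engine, rate meter, subnets and traffic are illustrative
# stand-ins, not the product's own implementation or configuration.

Packet = dict  # keys: src (str), dport (int), length (bytes), ts (seconds)


@dataclass
class Rule:
    name: str
    match: Callable[[Packet], bool]
    # action gets the packet and the verdict reached so far; returns "pass" or "drop"
    action: Callable[[Packet, str], str]
    observe_further: bool = False


def evaluate(rules: List[Rule], packet: Packet) -> Tuple[str, List[Tuple[str, str]]]:
    """Walk the rule list in order. A matching rule's action is executed; inspection
    continues past it only if its observe_further flag is set."""
    verdict, trace = "accept", []
    for rule in rules:
        if not rule.match(packet):
            continue
        result = rule.action(packet, verdict)
        trace.append((rule.name, result))
        if result == "drop":
            verdict = "drop"
        if not rule.observe_further:
            break  # first applicable rule without the option ends the check
    return verdict, trace


class RateMeter:
    """Per-key bit counter over a fixed one-second window (simplified stand-in)."""

    def __init__(self, limit_kbps: int):
        self.limit_bits = limit_kbps * 1000
        self.windows: Dict[str, Tuple[int, int]] = {}  # key -> (window start, bits used)

    def charge(self, key: str, ts: float, bits: int) -> bool:
        start, used = self.windows.get(key, (int(ts), 0))
        if int(ts) != start:
            start, used = int(ts), 0  # new second, fresh budget
        if used + bits > self.limit_bits:
            self.windows[key] = (start, used)  # over budget: packet is not accounted
            return False
        self.windows[key] = (start, used + bits)
        return True


def drop_above(meter: RateMeter, key_of: Callable[[Packet], str]) -> Callable[[Packet, str], str]:
    """Action: drop the packet once the meter's key has exhausted its limit."""
    def action(packet: Packet, verdict: str) -> str:
        if verdict == "drop":
            return "pass"  # already dropped by an earlier stage: don't charge this budget
        ok = meter.charge(key_of(packet), packet["ts"], packet["length"] * 8)
        return "pass" if ok else "drop"
    return action


DEPARTMENTS = {"A": ip_network("10.1.0.0/24"),  # assumed subnets
               "B": ip_network("10.2.0.0/24"),
               "C": ip_network("10.3.0.0/24")}
LAN = ip_network("10.0.0.0/8")
FTP_HTTP_PORTS = {20, 21, 80}


def build_rules(observe_further: bool = True) -> List[Rule]:
    per_dept = RateMeter(512)  # stage 1: 512 kbps per department
    total = RateMeter(1024)    # stage 2: 1024 kbps for the whole LAN
    rules = []
    for dept, net in DEPARTMENTS.items():
        rules.append(Rule(
            name=f"dept-{dept}-512k",
            match=lambda p, net=net: ip_address(p["src"]) in net and p["dport"] in FTP_HTTP_PORTS,
            action=drop_above(per_dept, lambda p, dept=dept: dept),
            observe_further=observe_further))
    rules.append(Rule(name="lan-total-1024k",
                      match=lambda p: ip_address(p["src"]) in LAN,
                      action=drop_above(total, lambda p: "lan")))  # last stage, no option needed
    return rules


def constructed_traffic() -> List[Packet]:
    """One second of constructed traffic in 1000-byte packets (8000 bits each):
    64 packets/s is exactly 512 kbps, 128 packets/s is exactly 1024 kbps."""
    def burst(src, dport, n):
        return [{"src": src, "dport": dport, "length": 1000, "ts": 0.0} for _ in range(n)]
    return (burst("10.1.0.5", 80, 70)      # A: HTTP, 6 packets over its own limit
            + burst("10.2.0.9", 80, 64)    # B: HTTP, exactly at its own limit
            + burst("10.3.0.2", 21, 10)    # C: FTP, within its own limit
            + burst("10.1.0.5", 443, 1))   # A: HTTPS, only the LAN-wide rule applies


def run(observe_further: bool = True) -> Dict[str, int]:
    """Count accepted packets and drops per rule for the constructed traffic."""
    rules = build_rules(observe_further)
    summary: Dict[str, int] = {"accepted": 0}
    for pkt in constructed_traffic():
        verdict, trace = evaluate(rules, pkt)
        summary["accepted"] += verdict == "accept"
        for rule_name, result in trace:
            if result == "drop":
                summary[rule_name] = summary.get(rule_name, 0) + 1
    return summary


if __name__ == "__main__":
    print("with 'Observe further rules':   ", run(True))
    print("without 'Observe further rules':", run(False))
```

With the option, department A loses 6 packets to its own 512 kbps rule, and department C's 10 FTP packets plus A's HTTPS packet are dropped by the LAN-wide rule, because A and B together have already consumed the full 1024 kbps. Without the option, the per-department rule that passes an FTP/HTTP packet ends the check, so the LAN-wide rule only ever sees the HTTPS packet and the combined limit is never enforced.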