Important! The order in which filters are listed in the nbapolicy.xml configuration file is irrelevant!
Filter precedence and optimization in the NBA means that only one network filter and one application filter are applied to any data stream.
When the NBA examines a packet, any network filters are always applied first, followed by any application filters. But if multiple network filters, or multiple application filters, are defined with potentially conflicting criteria, how does the NBA determine which filter takes precedence?
Filter precedence is based on IP address. Specifically, the filter with the narrowest IP address range takes precedence over all other filters. That is, this filter’s action (Analyze, Prohibit, or Ignore) gets applied to data packets arriving from a specified IP address, even if these data packets also meet the criteria of other filters, each of which may specify a different action.
Filter precedence is applied successively, so after the ‘narrowest range’ filter has been implemented, precedence passes to the filter with the next narrowest address range, and so on. This is best illustrated with an example.
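The following Python model is an added illustration of the precedence rule described above; it is not CA's code, and the filter fields (name, kind, source range, action) are assumptions rather than the nbapolicy.xml schema. It ranks the filters that match a packet's source address by the width of their address range so that the narrowest range wins, examines network filters before application filters, and applies exactly one filter of each kind.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed model of an NBA filter: a kind (network or application), a
# source address range and an action. Field names are assumptions, not the
# nbapolicy.xml schema.
@dataclass(frozen=True)
class Filter:
    name: str
    kind: str          # "network" or "application"
    src_range: str     # CIDR, e.g. "10.0.0.0/8"
    action: str        # "Analyze", "Prohibit" or "Ignore"

def matching_by_precedence(filters, src_ip, kind):
    """Filters of one kind that match src_ip, narrowest IP range first.
    The order of the input list is deliberately irrelevant."""
    addr = ip_address(src_ip)
    hits = [f for f in filters
            if f.kind == kind and addr in ip_network(f.src_range, strict=False)]
    # Fewer addresses means a narrower range, which means higher precedence.
    return sorted(hits, key=lambda f: ip_network(f.src_range, strict=False).num_addresses)

def decide(filters, src_ip):
    """Return (network_action, application_action) for a packet from src_ip.
    Only one network filter and one application filter are ever applied."""
    result = {}
    for kind in ("network", "application"):   # network filters are examined first
        ranked = matching_by_precedence(filters, src_ip, kind)
        result[kind] = ranked[0].action if ranked else None
    return result["network"], result["application"]

# Constructed sample policy, listed broad-to-narrow on purpose: the listing
# order in the configuration does not decide precedence, the range width does.
SAMPLE_POLICY = [
    Filter("ignore-all", "network", "0.0.0.0/0", "Ignore"),
    Filter("analyze-corp", "network", "10.0.0.0/8", "Analyze"),
    Filter("block-lab", "network", "10.20.30.0/24", "Prohibit"),
    Filter("app-default", "application", "10.0.0.0/8", "Analyze"),
    Filter("app-one-host", "application", "10.20.30.7/32", "Ignore"),
]

if __name__ == "__main__":
    for ip in ("10.20.30.7", "10.20.99.1", "192.0.2.1"):
        print(ip, decide(SAMPLE_POLICY, ip))
```

Running the sample shows that a packet from 10.20.30.7 is governed by the /24 network filter (Prohibit) and the /32 application filter (Ignore), even though broader filters with other actions also match it.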
Copyright © 2014 CA.
All rights reserved.