Unexpected behavior on Security Access rules with 'Any' in the services column
In cases where a connection matches a rule with 'Any' in the Services column, the administrator can define which service object is used to determine the connection's properties (e.g., timeout, direction, aggressive aging, cluster sync).
This is done by setting the 'match for any' flag on the service object.
With this flag set, when a connection matches a rule whose service is 'Any' and the service's own match criteria (usually IP protocol and port) also match the connection, that service's attributes are applied to the connection.
What happens when two or more services set as 'match for any' have the same (or overlapping) match criteria?
The first one loaded during policy installation is used.
For example, if a second service with the same match criteria and a different virtual session timeout is also set as 'match for any', the administrator cannot tell which service's attributes were actually applied to the connection, other than by checking the Security Gateway logs to see which service was matched.
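The ambiguity above can be caught before policy installation by checking the service objects for overlapping 'match for any' definitions. The following script is an added example and is not part of this article or of the Check Point product; it assumes the JSON shape returned by the Management API command `mgmt_cli show services-tcp details-level full --format json` (field names "name", "port", "match-for-any", "session-timeout" and "use-default-session-timeout" are taken from that API; the sample data, the 3600-second default TCP timeout, and the helper names are the example's own assumptions).

```python
"""Audit TCP service objects for overlapping 'match for any' definitions.

Added example (not Check Point code). Input is the JSON returned by
`mgmt_cli show services-tcp details-level full --format json`. The field
names below are assumed to match that API; the sample is constructed.
"""
import json
from itertools import combinations

# Assumed default TCP session timeout used when a service relies on the
# global default instead of its own value (Global Properties default is 3600 s).
DEFAULT_TCP_TIMEOUT = 3600

# Constructed sample resembling `show services-tcp` output (not real data).
SAMPLE_JSON = json.dumps({
    "objects": [
        {"name": "http", "port": "80", "match-for-any": True,
         "session-timeout": 3600, "use-default-session-timeout": True},
        {"name": "http_long", "port": "80", "match-for-any": True,
         "session-timeout": 28800, "use-default-session-timeout": False},
        {"name": "high_tcp", "port": "1024-65535", "match-for-any": True,
         "session-timeout": 3600, "use-default-session-timeout": True},
        {"name": "custom_8443", "port": "8443", "match-for-any": True,
         "session-timeout": 600, "use-default-session-timeout": False},
        {"name": "ssh", "port": "22", "match-for-any": False,
         "session-timeout": 3600, "use-default-session-timeout": True},
    ]
})


def parse_port_spec(spec):
    """Return (low, high) for a port spec: "80", "1024-65535", ">1023" or "<1024"."""
    spec = spec.strip()
    if spec.startswith(">"):
        return int(spec[1:]) + 1, 65535
    if spec.startswith("<"):
        return 0, int(spec[1:]) - 1
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return int(lo), int(hi)
    port = int(spec)
    return port, port


def ranges_overlap(a, b):
    """True when the two inclusive (low, high) ranges share at least one port."""
    return a[0] <= b[1] and b[0] <= a[1]


def effective_timeout(svc, default=DEFAULT_TCP_TIMEOUT):
    """Timeout the gateway would apply for this service object."""
    if svc.get("use-default-session-timeout", True):
        return default
    return svc["session-timeout"]


def find_match_for_any_conflicts(services_json):
    """Return one record per pair of 'match for any' TCP services whose port
    criteria overlap. Each record names the pair, the overlapping port range
    and the two timeouts, so differing attributes are visible at a glance."""
    objs = json.loads(services_json)["objects"]
    candidates = [o for o in objs if o.get("match-for-any")]
    conflicts = []
    for a, b in combinations(candidates, 2):
        ra, rb = parse_port_spec(a["port"]), parse_port_spec(b["port"])
        if not ranges_overlap(ra, rb):
            continue
        conflicts.append({
            "services": (a["name"], b["name"]),
            "ports": (max(ra[0], rb[0]), min(ra[1], rb[1])),
            "timeouts": (effective_timeout(a), effective_timeout(b)),
        })
    return conflicts


if __name__ == "__main__":
    for c in find_match_for_any_conflicts(SAMPLE_JSON):
        lo, hi = c["ports"]
        ports = str(lo) if lo == hi else f"{lo}-{hi}"
        print(f"{c['services'][0]} and {c['services'][1]} both match TCP {ports}; "
              f"timeouts {c['timeouts'][0]}s vs {c['timeouts'][1]}s")
```

Run it against the real API output instead of SAMPLE_JSON to get the list of pairs whose attributes the gateway will pick between in an unpredictable order; the practical remedy is to leave the flag set on only one service per protocol and port range, since the article gives no way to control which of the overlapping services wins.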
How is the order determined?
As mentioned above, the selected service is the first one loaded during policy installation, which depends on the order in which the Management Server sends the services to the Security Gateway.
In R77.30 and below, services were stored in a text-based database and sent as-is to the Security Gateway. The order was by last update time, so in practice the service with the oldest update time was chosen. Even this is not guaranteed, because access to the database on the Management Server is not restricted and the order can change.
In R80 and above, services are stored in a PostgreSQL database, and the order in which they are sent to the Security Gateway is random.