Rule types and their properties

The Rule Types pane of the Policy Editor page allows you to access all rules by type.

You can import, export, add, edit, and perform various operations on a rule once it is selected. The functions that you can perform are limited by the type of rule.

All rules are based on a hierarchy system in which each rule inherits its usage from its parent. The rule (except for Variable and Preprocessor rules) is marked with an icon to indicate where it inherits its usage. The icon has a dot on the lower-left corner if the inheritance chain broke somewhere below the current row.

Icon Description

The parent's setting determined the usage for this item. Most rules are set to inherit by default, but the usage can be changed.

Indicates that the inheritance chain is broken at this level and the inheritance value is turned off.

Note: The current rule usage is used when the inheritance chain is broken.

Indicates that the inheritance chain is broken at this level. Items below this point do not inherit any further up the chain. This setting is useful to force rules to use their default.

Indicates a custom value; you set the value to something other than the default.


When a rule type is selected, the rule display pane shows all rules of that type on the system and their property settings. These properties can include Action, Severity, Blacklist, Aggregation, and Copy Packet.

This property... Allows you to...

Set the action performed by this rule. The available options are based on the type of rule.

Note: Blacklist items can't move on to their destination; if Pass is selected in the Blacklist column, the system automatically changes it to Alert.

Select the severity of the rule part when the rule is triggered. Severity is based on 1–100, with 100 being the most severe.


Auto-create a blacklist entry on a per rule basis when the rule is triggered on the device. You can choose whether to blacklist only the IP address or the IP address and port.


Set per rule aggregation for events that are created when a rule is triggered. The aggregation settings defined on the Event Aggregation pages (see Aggregate events or flows) apply only to those rules that are set in the Policy Editor.

Copy Packet

Copy packet data to the ESM, which is useful in the event of lost communication. If there is a copy of the packet data, you can access the information by retrieving the copy.

Change these settings by clicking the current setting and selecting another.