2.3 Ordered Layers and First-Match Evaluation
Key Takeaways
- Ordered layers are evaluated top-down in the sequence they appear in the policy
- Within an ordered layer, the first matching rule wins; subsequent rules are not evaluated for that connection
- The order of ordered layers matters — Network layer is typically first, Application layer second
- A rule's action determines whether evaluation stops (Drop, Reject) or continues to the next layer (Accept with certain settings)
- Reordering an ordered layer changes the priority of every rule inside it
What Ordered Layers Are
An ordered layer is a self-contained, top-down rulebase that is evaluated in a specific sequence within the Access Control policy. R82 allows multiple ordered layers per Access Control policy — typically a Network layer and an Application layer — and each layer is evaluated in the order it appears in the policy. Within a single ordered layer, rules are evaluated top-down and the first match wins: once a rule matches a connection, its action is applied and no further rules in that layer are evaluated for that connection.
This first-match behavior is the single most important rule-evaluation concept on the CCSA R82 exam. If a broad Accept rule sits above a specific Drop rule, the broad rule wins and the specific rule never fires. Order is everything.
The Order of Ordered Layers
Just as rules inside a layer are evaluated top-down, the ordered layers themselves are evaluated in a sequence. A typical policy has the Network layer first (broad IP/service rules) and the Application layer second (application-aware rules). A connection that the Network layer drops never reaches the Application layer. A connection the Network layer accepts may continue to the Application layer for finer-grained application control.
The default order in a fresh R82 Access Control policy is:
- Network ordered layer — IP/service-based rules.
- Application ordered layer — application- and URL-based rules.
- Threat Prevention layers (IPS, App Control content, URL Filtering, Anti-Bot, AV, Threat Emulation) — applied to traffic Access Control accepted.
You can reorder ordered layers in SmartConsole by dragging them, but the Network-before-Application order is conventional and rarely changed.
First-Match Rule Walkthrough
Consider this simplified Network ordered layer:
| # | Source | Destination | Service | Action |
|---|---|---|---|---|
| 1 | Net-Internal | Net-DMZ | http | Accept |
| 2 | Net-Internal | Any | Any | Drop |
| 3 | Any | Net-DMZ | https | Accept |
| 4 | Any | Any | Any | Drop (cleanup) |
A connection from an internal host to the DMZ on HTTP matches rule 1 and is accepted; rules 2–4 are not evaluated. A connection from an internal host to the Internet on port 22 does not match rule 1 (wrong destination), matches rule 2 (source is internal, destination is Any, service is Any), and is dropped. A connection from the Internet to the DMZ on HTTPS skips rules 1 and 2 (wrong source), matches rule 3, and is accepted. Anything else falls through to rule 4, the cleanup rule, and is dropped.
If you reversed rules 1 and 2, all internal traffic would hit rule 2 first and be dropped, including internal-to-DMZ HTTP — a classic ordering mistake.
Action Behavior Across Layers
When a rule in an ordered layer accepts a connection, evaluation typically continues to the next ordered layer (Application) and then to Threat Prevention. When a rule drops or rejects a connection, evaluation stops and the connection is terminated. Some actions and settings modify this:
- Accept — usually continues to the next layer unless the rule is in the last ordered layer.
- Drop — stops evaluation; the connection is silently discarded.
- Reject — stops evaluation; the connection is dropped with a response sent to the source (TCP RST or ICMP unreachable).
- Inline layer — instead of a terminal action, evaluation drops into the inline layer's rules; the inline layer's action becomes the parent rule's effective action.
- Account — accepts the connection and logs session info without enforcing further access restrictions for that rule.
The exact behavior depends on the layer's settings, but the general rule is: Drop and Reject stop evaluation; Accept typically continues to the next ordered layer.
Why Order Matters at Two Levels
CCSA questions often test order at two levels in the same question:
- Order of rules within a layer — first match wins, so a broad rule above a specific rule shadows it.
- Order of ordered layers — a Network layer above an Application layer means the Network layer's drop decisions short-circuit Application layer checks.
When analyzing a scenario, scan the ordered layers top-down. In each layer, scan the rules top-down. The first match across the whole chain wins for the Access Control phase. If the connection is accepted by Access Control, Threat Prevention then runs its own first-match logic for each enabled blade.
Ordered Layer Properties
Each ordered layer has properties that affect evaluation:
- Name — descriptive label, also used in logs to identify which layer matched.
- Default action — applied when no rule in the layer matches.
- Installation targets — gateways that receive this layer.
- Shared — whether the layer can be referenced from other packages.
- Position — the layer's position in the ordered layer sequence; drag to reorder.
- Apply to all gateways / specific gateways — controls scope.
Common Ordering Mistakes to Recognize on the Exam
- Broad Accept above specific Drop — shadows the Drop; the broad rule wins. Fix: move specific rules above broad rules.
- Stealth rule placed too low — a stealth rule (drop direct gateway access) must sit near the top to protect the gateway before broad accept rules allow other traffic.
- Cleanup rule placed anywhere but last — the cleanup rule must be the last rule in the layer; any rule below it never fires.
- Inline layer called by a rule above the rule that should match — the inline layer runs only when its parent rule matches, so positioning the parent rule above other rules that should also match changes evaluation.
Why This Matters for the Exam
Ordered layer first-match evaluation is the foundation of nearly every Access Control scenario question. Walk every scenario top-down: ordered layer first, then rules within that layer, first match wins, then move to the next ordered layer. This discipline catches the shadowing tricks the exam uses.
In an ordered Access Control layer, what happens when rule 5 matches a connection but rules 1–4 also could match if evaluated?
A Network ordered layer is placed above an Application ordered layer. A connection matches a Drop rule in the Network layer. What happens next?
Which ordered layer is conventionally placed first in a fresh R82 Access Control policy?