Shadow

Shadow rules are provided to monitor overlapping rules on a per-rule basis. The Shadow feature displays each rule and reveals all rules that are shadowed by that rule. It also provides a list of rules that are shadowed from the rule. Shadow rules generally indicate a broader rule that matches the criteria, but it is configured above a more specific rule. You can select and view all rules and shadow data for any rule.

For example, rule traffic never matches a second rule that specifically allows say, web-browsing, because all web-browsing applications would have already been allowed by the first rule.

To monitor Shadow rules

1. Navigate to POLICY | Rules and Policies > Shadow.

   The Shadow page appears. Click Generate on the right of the top toolbar for each tab to refresh the available policies.

   

   You should regenerate anytime you have changed or added any policies.

2. Search for specific rules using the Search feature.
3. You can sort the shadowing of previously created Rules and Policies rules by Policy Type. Options include Security Policy, NAT Policy, Route Policy, Decryption SSL Policy, Decryption SSH Policy, and DoS Policy.

4. You can further sort the Policy Type by first selecting the policy type, in this example, Security Policy, then using the All Rules drop-down menu, select the specific policy you would like to investigate.

   

5. Click the blue naming instance to view additional Security Rule Details.

   

6. To generate an updated list of Shadow policies, click Generate in the top right option bar.