6 Firewall 107

Service groups

A service group is an SEG object that consists of a collection of services. Groups are useful when you want to construct security policies that contain multiple services.

Advantage of groups

For example, there may be a need for a set of IP rules that are identical to each other except for the service property. By defining a service group that contains all the service objects from all the individual rules, you can replace all of them with just one IP rule that uses the group.

For example, a service group called email-services combines the three service objects for SMTP, POP3, and IMAP. Now only one IP rule needs to be defined that uses this service group to allow all e-mail related traffic to flow.

Groups can contain other groups

A group can contain individual services as well as other service groups. This ability to have groups within groups should be used with caution since it can increase the complexity of a configuration and decrease the ability to troubleshoot problems. However, the feature allows the easy construction of large and complex sets of service definitions.

Access rules

One of the principal functions of the SEG is to allow only authorized connections access to protected data resources. Access control is primarily addressed by the SEG IP rule set, in which a range of protected LAN addresses are treated as trusted hosts, and traffic flow from untrusted sources is restricted from entering trusted areas.

Before a new connection is checked against the IP rule set, the SEG checks the connection source against a set of access rules. Access rules can be used to specify what traffic source is expected on a given interface and also to automatically drop traffic originating from specific sources. Access rules provide an efficient and targeted initial filter of new connection attempts.

Default access rule

Even if you do not explicitly specify any custom access rules, an access rule known as the Default Access Rule is always in place.

This default rule is not a true rule but operates by checking the validity of incoming traffic by performing a reverse lookup in the SEG routing tables. This lookup validates that the incoming traffic is coming from a source that the routing tables indicate is accessible via the interface on which the traffic arrived. If this reverse lookup fails, the connection is dropped and a Default Access Rule log message will be generated.

When troubleshooting dropped connections, you should look for Default Access Rule messages in the logs. The solution to the problem is to create a route for the interface where the connection arrives so that the route's destination network is the same as or contains the incoming connection's source IP.
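The following Python model is an added illustration, not code from the SEG product or its manual, of the two mechanisms described above: a service group (including groups nested in groups) that lets one IP rule stand in for several, and the Default Access Rule's reverse lookup, which accepts a new connection only when the route back to its source address leaves through the interface the connection arrived on. The class names, the sample routing table and the email-services group are constructed for the example; the SEG's own object names and log format differ.

```python
"""Added example: a small model of the Default Access Rule (reverse-path
lookup) followed by IP rule matching on a service group. All names and
sample data below are constructed; they are not the SEG's own objects."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Union


# --- Services and service groups ------------------------------------------
@dataclass(frozen=True)
class Service:
    name: str
    proto: str
    port: int


@dataclass
class ServiceGroup:
    name: str
    members: list = field(default_factory=list)  # Service or ServiceGroup


def flatten(group, _path=None):
    """Expand nested groups into the set of concrete services.

    _path tracks the groups on the current descent so that a group which
    contains itself (directly or via another group) is reported instead of
    recursing forever; the manual warns that nesting hurts troubleshooting."""
    _path = set() if _path is None else _path
    if group.name in _path:
        raise ValueError(f"service group cycle at {group.name}")
    _path.add(group.name)
    services = set()
    for m in group.members:
        services |= flatten(m, _path) if isinstance(m, ServiceGroup) else {m}
    _path.discard(group.name)
    return services


# --- Routing table and the reverse lookup ---------------------------------
@dataclass(frozen=True)
class Route:
    network: str
    interface: str


def lookup_interface(routes, addr):
    """Longest-prefix match: which interface would be used to reach addr?"""
    best = None
    for r in routes:
        net = ip_network(r.network)
        if ip_address(addr) in net and (
            best is None or net.prefixlen > ip_network(best.network).prefixlen
        ):
            best = r
    return best.interface if best else None


def default_access_rule(routes, src_ip, arrived_on):
    """Reverse lookup: allow only if the route back to src_ip goes out of the
    interface the connection arrived on. Returns (allowed, log_message)."""
    expected = lookup_interface(routes, src_ip)
    if expected == arrived_on:
        return True, ""
    # Constructed log line; the real SEG message text is not shown on the page.
    return False, (f"Default Access Rule: drop src={src_ip} "
                   f"recv_if={arrived_on} route_if={expected}")


# --- IP rules that reference a service or a service group -----------------
@dataclass
class IPRule:
    action: str
    src_if: str
    src_net: str
    service: Union[Service, ServiceGroup]


def rule_services(rule):
    svc = rule.service
    return flatten(svc) if isinstance(svc, ServiceGroup) else {svc}


def evaluate(routes, rules, src_ip, arrived_on, proto, dport):
    """Access check first, then first-match lookup in the IP rule set."""
    ok, msg = default_access_rule(routes, src_ip, arrived_on)
    if not ok:
        return "drop", msg
    for r in rules:
        if (r.src_if == arrived_on
                and ip_address(src_ip) in ip_network(r.src_net)
                and any(s.proto == proto and s.port == dport
                        for s in rule_services(r))):
            return r.action, f"matched IP rule using {r.service.name}"
    return "drop", "no matching IP rule"


# Constructed sample configuration: one rule using the group replaces three.
SMTP = Service("smtp", "tcp", 25)
POP3 = Service("pop3", "tcp", 110)
IMAP = Service("imap", "tcp", 143)
EMAIL = ServiceGroup("email-services", [SMTP, POP3, IMAP])
ROUTES = [Route("0.0.0.0/0", "wan"),
          Route("192.168.1.0/24", "lan"),
          Route("10.0.0.0/8", "dmz")]
RULES = [IPRule("allow", "lan", "192.168.1.0/24", EMAIL)]

if __name__ == "__main__":
    print(evaluate(ROUTES, RULES, "192.168.1.20", "lan", "tcp", 143))
    # A LAN source address arriving on wan fails the reverse lookup.
    print(evaluate(ROUTES, RULES, "192.168.1.20", "wan", "tcp", 25))
```

The second call shows the troubleshooting case from the text: the connection is dropped before the IP rule set is consulted, and the log message names the interface the routing table expected; adding a route for the source network on the arriving interface would make the reverse lookup succeed.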