Actions in Entitlements may be overlapping in terms of subnet, protocol, ports and types, so that a packet matches more than one action. The actions may be in the same Entitlement, or in different Entitlements. The overlap may be a mistake, or it may be deliberate, such as adding exceptions to a range by mixing <ALLOW> and <BLOCK> actions.
In any case, if a packet matches more than one Action, only the Action with the highest precedence is used. The other Actions are not logged, do not trigger user interactions, do not raise alerts, and do not influence whether the packet is allowed or blocked.
NOTE
An <EXCLUDE> Action is applied to the local routes in the Client, so it takes no part in the precedence between overlapping Entitlement Actions in the Gateway described here.
Resolving overlapping entitlements
Overlapping entitlement actions
The rules of Action precedence are as follows:
1. HTTP Actions have precedence over TCP Actions.
For instance, <ALLOW> HTTP up 172.23.23.100 (which has implied ports 80 and 443) has precedence over both <ALLOW> TCP up 172.23.23.100 port 80 and <ALLOW> TCP up 172.23.23.100 port 443.
2. The Action with the smaller subnet has higher precedence.
For instance, <BLOCK> 172.23.23.0/24 port 80 has precedence over <ALLOW> 172.23.0.0/16 port 80, so a packet to 172.23.23.1:80 is blocked despite matching both Actions, because a /24 subnet is smaller than a /16 subnet.
3. If the subnets are equal, the Action with the smaller port (or type) range has higher precedence.
For instance, <BLOCK> 172.23.0.0/16 port 80 has precedence over <ALLOW> 172.23.0.0/16 port 1-65535, so a packet to 172.23.0.1:80 is blocked despite matching both Actions, because the range "80" is smaller than the range "1-65535".
4. (Rare case) If the subnets are equal and the port (or type) ranges are equally wide, the Action with the higher starting port (or type) has higher precedence.
For instance, <BLOCK> 172.23.0.0/16 port 11-100 has precedence over <ALLOW> 172.23.0.0/16 port 1-90 (both ranges cover 90 ports), so a packet to 172.23.0.1:80 is blocked despite matching both Actions, because the range "11-100" starts higher than "1-90".
5. If the subnets and the port (or type) ranges are equal, an allowing Action wins over a blocking Action. "Allowing" means an <ALLOW> Action in an Entitlement that is currently available; "blocking" means a <BLOCK> or <ALERT> Action, or an <ALLOW> Action in an Entitlement whose Conditions are currently not fulfilled.
For instance, <ALLOW> 172.23.0.0/16 port 80 has precedence over <BLOCK> 172.23.0.0/16 port 80. Likewise, if two Entitlements contain the same <ALLOW> 172.23.0.0/16 port 80 Action, one already available and the other requiring a user interaction, the already available Entitlement is used and no user interaction is requested.
6. If two Actions (in the same or in different Entitlements) are identical, meaning that subnet, port (or type) range and allowing/blocking status are all equal, the precedence is unpredictable: either Action may be used. By this definition a specific <BLOCK> Action and an <ALLOW> Action whose Condition has not been met count as identical, since both are blocking.
This unpredictability has no practical effect on the outcome, since either Action yields the same result, but it does affect the Audit Log, which records only the Action that was applied. For example, suppose Entitlement `foo` has <ALLOW> tcp-up to intranet port 80, and `bar` has the same Action, <ALLOW> tcp-up to intranet port 80. The user connects to 'intranet:80' and the access is allowed, but the log will name either `foo` or `bar`, not both.
Use cases for overlapping Entitlements
The rules of precedence above may be used deliberately for handling special cases.
For instance, suppose you want to open up full access to the subnet 192.168.0.0/24, but not to the servers in 192.168.0.16/28 which are off limits, except 192.168.0.20 which everyone needs, and 192.168.0.21 is so much off limits that you want to raise an alert if someone tries to access it. This is all possible, in a single entitlement, by using subnet precedence and mixed rules:
<ALLOW> 192.168.0.0/24 port 1-65535
<BLOCK> 192.168.0.16/28 port 1-65535
<ALLOW> 192.168.0.20 port 1-65535
<ALERT> 192.168.0.21 port 1-65535
You can also require two-factor authentication for accessing a server in a blocked range, such as 192.168.0.17 in the example above, by putting the rule <ALLOW> 192.168.0.17 port 1-65535 in a different Entitlement, which requires two-factor authentication. This will have precedence over the Action <BLOCK> 192.168.0.16/28 port 1-65535 in the first Entitlement, and will trigger a user interaction if defined.
Similarly, you may allow 192.168.0.0/24 under password authentication, except 192.168.0.16/28 which is only allowed under two-factor authentication, by putting <ALLOW> 192.168.0.0/24 port 1-65535 into Entitlement A which requires password, and <ALLOW> 192.168.0.16/28 port 1-65535 into Entitlement B which requires two-factor authentication. However, care should be taken when configuring this, since forgetting to add B to every Policy that A is part of, would bypass the requirements of B.
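The precedence rules above and the mixed-rule use case for 192.168.0.0/24 can be checked mechanically before an Entitlement is rolled out. The following Python script is an added example, not the product's own code: it models each Action as a record, ranks the Actions that match a packet by the five precedence rules (HTTP over TCP, smaller subnet, narrower port range, higher starting port, allowing over blocking) and replays both the 172.23.x.x rule examples and the 192.168.0.0/24 Entitlement, including the separate two-factor Entitlement for 192.168.0.17. The field names, the `available` flag standing in for "Conditions fulfilled", the entitlement labels `lan`, `mfa` and `e`, and the result strings are assumptions of this example; ICMP type ranges are not modelled, and HTTP Actions are represented only by their implied ports 80 and 443.

```python
"""Toy evaluator for overlapping Entitlement Actions (added example, not the
product's own code). Data model and result labels are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network
from typing import List, Optional, Tuple

HTTP_PORTS = (80, 443)  # ports implied by an HTTP Action


@dataclass(frozen=True)
class Action:
    verdict: str                         # "ALLOW", "BLOCK" or "ALERT"
    proto: str                           # "tcp" or "http"
    network: IPv4Network                 # destination subnet
    entitlement: str                     # Entitlement the Action belongs to
    ports: Tuple[int, int] = (1, 65535)  # inclusive port range (unused for http)
    available: bool = True               # False: Entitlement Conditions not met

    def allowing(self) -> bool:
        """Allowing = ALLOW in an available Entitlement. BLOCK, ALERT and an
        ALLOW under unmet Conditions all count as blocking."""
        return self.verdict == "ALLOW" and self.available

    def matches(self, ip, port: int) -> bool:
        if ip not in self.network:
            return False
        if self.proto == "http":
            return port in HTTP_PORTS
        lo, hi = self.ports
        return lo <= port <= hi

    def precedence(self) -> tuple:
        """Sort key: on every component the larger value wins."""
        if self.proto == "http":
            lo, width = HTTP_PORTS[0], len(HTTP_PORTS)
        else:
            lo, hi = self.ports
            width = hi - lo + 1
        return (
            self.proto == "http",    # 1. HTTP beats TCP
            self.network.prefixlen,  # 2. smaller subnet (longer prefix) wins
            -width,                  # 3. narrower port range wins
            lo,                      # 4. higher starting port wins
            self.allowing(),         # 5. allowing beats blocking
        )


def resolve(actions: List[Action], dst: str, port: int) -> Optional[Action]:
    """Return the single Action applied to a packet, or None if none matches.
    Actions with identical keys are the 'unpredictable' case: max() keeps
    the first one seen, just as the Gateway may pick either."""
    ip = ip_address(dst)
    matching = [a for a in actions if a.matches(ip, port)]
    return max(matching, key=Action.precedence) if matching else None


def decide(actions: List[Action], dst: str, port: int) -> str:
    a = resolve(actions, dst, port)
    if a is None:
        return "no-match"
    if a.verdict == "ALLOW":
        return "allow" if a.available else "pending-conditions"
    return a.verdict.lower()  # "block" or "alert"


def page_rule_examples() -> dict:
    """The 172.23.x.x examples attached to rules 1-5 above (assumed names)."""
    n = ip_network
    return {
        "http_over_tcp": [Action("ALLOW", "http", n("172.23.23.100/32"), "e"),
                          Action("ALLOW", "tcp", n("172.23.23.100/32"), "e", (80, 80))],
        "smaller_subnet": [Action("BLOCK", "tcp", n("172.23.23.0/24"), "e", (80, 80)),
                           Action("ALLOW", "tcp", n("172.23.0.0/16"), "e", (80, 80))],
        "smaller_range": [Action("BLOCK", "tcp", n("172.23.0.0/16"), "e", (80, 80)),
                          Action("ALLOW", "tcp", n("172.23.0.0/16"), "e")],
        "higher_start": [Action("BLOCK", "tcp", n("172.23.0.0/16"), "e", (11, 100)),
                         Action("ALLOW", "tcp", n("172.23.0.0/16"), "e", (1, 90))],
        "allow_over_block": [Action("BLOCK", "tcp", n("172.23.0.0/16"), "e", (80, 80)),
                             Action("ALLOW", "tcp", n("172.23.0.0/16"), "e", (80, 80))],
    }


def example_policy() -> List[Action]:
    """The 192.168.0.0/24 use case plus the two-factor Entitlement 'mfa' for
    192.168.0.17, whose Conditions are assumed not to be met yet."""
    n = ip_network
    return [
        Action("ALLOW", "tcp", n("192.168.0.0/24"), "lan"),
        Action("BLOCK", "tcp", n("192.168.0.16/28"), "lan"),
        Action("ALLOW", "tcp", n("192.168.0.20/32"), "lan"),
        Action("ALERT", "tcp", n("192.168.0.21/32"), "lan"),
        Action("ALLOW", "tcp", n("192.168.0.17/32"), "mfa", available=False),
    ]


if __name__ == "__main__":
    for host in ("192.168.0.5", "192.168.0.18", "192.168.0.20",
                 "192.168.0.21", "192.168.0.17", "10.0.0.1"):
        a = resolve(example_policy(), host, 22)
        tag = f" via {a.entitlement}" if a else ""
        print(f"{host}:22 -> {decide(example_policy(), host, 22)}{tag}")
```

Running the script shows 192.168.0.17 resolving to the `mfa` Entitlement rather than the /28 <BLOCK>, which is exactly the behaviour the text relies on; remove `mfa` from the list and the same packet is blocked, which is the failure mode described above when Entitlement B is left out of a Policy that A is part of.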