Cisco ASA Series Firewall ASDM Configuration Guide
Chapter 1 Configuring a Service Policy
Managing the Order of Service Policy Rules
• If the packet matches a subsequent rule for a different feature type, however, then the ASA also
applies the actions for the subsequent rule.
For example, if a packet matches a rule for connection limits, and also matches a rule for application
inspection, then both rule actions are applied.
If a packet matches a rule for application inspection, but also matches another rule that includes
application inspection, then the second rule actions are not applied.
If your rule includes an ACL with multiple ACEs, then the order of ACEs also affects the packet flow.
The ASA tests the packet against each ACE in the order in which the entries are listed. After a match is
found, no more ACEs are checked. For example, if you create an ACE at the beginning of an ACL that
explicitly permits all traffic, no further statements are ever checked.
To change the order of rules or ACEs within a rule, perform the following steps:
Step 1 From the Configuration > Firewall > Service Policy Rules pane, choose the rule or ACE that you want
to move up or down.
Step 2 Click the Move Up or Move Down cursor (see Figure 1-1).
Figure 1-1 Moving an ACE
Note If you rearrange ACEs in an ACL that is used in multiple service policies, then the change is
inherited in all service policies.
Step 3 When you are done rearranging your rules or ACEs, click Apply.