About Peering, Autodiscovery, In-Path Rules, and Service Ports : About peering rules
About peering rules
Peering rules are especially useful in complex networks where you might need to configure peering connections based on many different factors. The default peering rules are adequate for typical network configurations, such as in-path configurations. However, you might need to add peering rules for complex network configurations.
We recommend using in-path rules to optimize SSL connections on destination ports other than 443.
Peering rules control appliance behavior when it sees probe queries from other appliances. The appliance attempts to match rules with incoming SYN packet fields, such as subnet, IP address, port, peer relationship, and so on. As packets arrive, the appliance evaluates the rules in numerical order starting with rule 1. If the conditions set in the rule match, then the rule is applied. If the conditions set in the rule don’t match, then the rule isn’t applied and the system moves on to the next rule. For example, if the conditions of rule 1 don’t match, rule 2 is evaluated. If rule 2 matches the conditions, it is applied, and no further rules are consulted. The rule type of a matching rule determines which action the appliance takes on the connection.
Default peering rule number 1 with the SSL incapable flag matches any SSL connection whose IP address and destination port appear in the list of bypassed clients and servers under the appliance’s main SSL settings. The bypass list includes the IP addresses and port numbers of SSL servers that the appliance is bypassing because it couldn’t match the common name of the server’s certificate with one in its certificate pool. The list also includes servers and clients whose IP address and port combination have experienced an SSL handshake failure (a handshake failure can occur when the appliance can’t find the issuer of a server certificate on its list of trusted certificate authorities). After a server or client appears in the bypass list, follow-on connections to the same destination IP and port number always match rule number 1.
Default peering rule number 2 with the SSL capable flag matches connections on port 443 that did not match default peering rule number 1. The appliance attempts to discover certificate matches for servers answering on port 443. For all connections that match, the SteelHead performs both enhanced autodiscovery and SSL acceleration.
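The first-match evaluation and the sticky bypass-list behaviour described above, as an added Python model (not SteelHead code; the rule fields, class names and the sample addresses are assumptions made for illustration):

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed model of peering rule evaluation: rules are checked in
# numerical order and the first matching rule decides. Field names are
# assumptions, not the appliance's configuration keys.
@dataclass
class Rule:
    number: int
    rule_type: str                       # e.g. "ssl-incapable", "ssl-capable"
    dst_port: Optional[int] = None       # match a destination port, if set
    dst_subnet: Optional[str] = None     # match a destination subnet, if set
    use_bypass_list: bool = False        # match (ip, port) pairs in the bypass list

@dataclass
class Appliance:
    rules: list
    bypass_list: set = field(default_factory=set)   # {(dst_ip, dst_port)}

    def record_handshake_failure(self, dst_ip: str, dst_port: int) -> None:
        # A handshake failure (e.g. unknown issuer) or a certificate common-name
        # mismatch puts the server's IP/port pair on the bypass list.
        self.bypass_list.add((dst_ip, dst_port))

    def _matches(self, rule: Rule, dst_ip: str, dst_port: int) -> bool:
        if rule.use_bypass_list:
            return (dst_ip, dst_port) in self.bypass_list
        if rule.dst_port is not None and rule.dst_port != dst_port:
            return False
        if rule.dst_subnet is not None and \
                ip_address(dst_ip) not in ip_network(rule.dst_subnet):
            return False
        return True

    def evaluate(self, dst_ip: str, dst_port: int):
        # Lowest rule number first; stop at the first match.
        for rule in sorted(self.rules, key=lambda r: r.number):
            if self._matches(rule, dst_ip, dst_port):
                return rule.number, rule.rule_type
        return None, "no-match"

DEFAULT_RULES = [
    Rule(1, "ssl-incapable", use_bypass_list=True),   # bypassed servers/clients
    Rule(2, "ssl-capable", dst_port=443),             # everything else on 443
]

def demo():
    app = Appliance(rules=list(DEFAULT_RULES))
    before = app.evaluate("203.0.113.10", 443)       # constructed server address
    app.record_handshake_failure("203.0.113.10", 443)
    after = app.evaluate("203.0.113.10", 443)        # now sticks to rule 1
    other = app.evaluate("203.0.113.10", 8443)       # neither default rule
    return before, after, other
```

Once a server is on the bypass list, every later connection to the same IP and port is decided by rule 1, which is why a single handshake failure changes the outcome for all follow-on connections to that destination.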