About peering rules
Peering rules control how an Edge responds when it sees probe queries from other appliances.
Each peering rule is a set of match conditions that the Edge compares against the fields of an incoming SYN packet (for example, source or destination subnet, IP address, VLAN, or TCP port) and against the IP address of the probing appliance. The rules form an ordered list. This feature is especially useful in complex networks.
The Peering Rules page displays a list of peering rules. The list contains the default peering rules and any peering rules you add.
The system evaluates the rules in numerical order starting with rule 1, and the first rule whose conditions all match is applied; no further rules are consulted. If the conditions of a rule do not match, the system moves on to the next rule. For example, if the conditions of rule 1 do not match, rule 2 is consulted; if rule 2 matches, it is applied and rule 3 and later rules are never consulted.
The Rule Type of a matching rule determines which action the Edge takes on the connection.
The default peering rules are adequate for typical network configurations, such as in-path configurations. However, you might need to add peering rules for complex network configurations. For details about deployment cases requiring peering rules, see the SteelHead Deployment Guide.
We recommend using in-path rules to optimize SSL connections on destination ports other than the default port 443, because default peering rule number 2 matches only connections on port 443.
• The default peering rule number 1 with the SSL incapable flag matches any SSL connection whose IP address and destination port appear in the list of bypassed clients and servers under Networking > SSL: SSL Main Settings. The bypassed list includes the IP addresses and port numbers of SSL servers that the Edge is bypassing because it could not match the common name of the server’s certificate with one in its certificate pool. The list also includes servers and clients whose IP address and port combination have experienced an SSL handshake failure. For example, a handshake failure occurs when the Edge cannot find the issuer of a server certificate on its list of trusted certificate authorities.
After a server or client appears in the bypassed servers list, follow-on connections to the same destination IP and port number always match rule number 1.
• The default peering rule number 2 with the SSL capable flag matches connections on port 443 that did not match default peering rule number 1. The Edge attempts to automatically discover certificate matches for servers answering on port 443. For all connections that match, the Edge performs both enhanced autodiscovery (finding the nearest and farthest appliance pair) and SSL optimization.
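The following is an added example written for this page; it is not SteelHead or Edge code. It models the first-match evaluation described above over the two default rules: a bypass-list rule (number 1) and a port 443 rule (number 2), plus a later custom rule that is only reached when both defaults fall through. The field names, the rule-type labels, and the representation of the bypass list as (IP address, port) pairs are assumptions chosen to mirror the fields the page lists; what an Edge does when no rule matches is not stated on the page, so the evaluator returns None in that case.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

# Constructed, illustrative code: not SteelHead/Edge code. Field names,
# rule-type labels and the no-match result (None) are assumptions.

BypassList = Set[Tuple[str, int]]  # (IP address, port) pairs, as described for rule 1


@dataclass
class Syn:
    """Fields of an incoming probe-carrying SYN that a rule can match on."""
    src_ip: str
    dst_ip: str
    dst_port: int
    vlan: Optional[int] = None
    probe_ip: Optional[str] = None  # IP address of the probing appliance


@dataclass
class PeeringRule:
    number: int
    rule_type: str                          # "ssl_incapable", "ssl_capable", ... (labels assumed)
    src_subnet: Optional[str] = None        # CIDR; None means "any"
    dst_subnet: Optional[str] = None
    dst_port: Optional[int] = None
    vlan: Optional[int] = None
    probe_subnet: Optional[str] = None      # subnet of the probing appliance
    bypass_list: Optional[BypassList] = None  # set only on the rule-1 style bypass rule

    def matches(self, syn: Syn) -> bool:
        # Every configured field must match; unset fields match anything.
        if self.bypass_list is not None and (syn.dst_ip, syn.dst_port) not in self.bypass_list:
            return False
        if self.src_subnet and ip_address(syn.src_ip) not in ip_network(self.src_subnet, strict=False):
            return False
        if self.dst_subnet and ip_address(syn.dst_ip) not in ip_network(self.dst_subnet, strict=False):
            return False
        if self.dst_port is not None and syn.dst_port != self.dst_port:
            return False
        if self.vlan is not None and syn.vlan != self.vlan:
            return False
        if self.probe_subnet:
            if syn.probe_ip is None or ip_address(syn.probe_ip) not in ip_network(self.probe_subnet, strict=False):
                return False
        return True


def evaluate(rules: List[PeeringRule], syn: Syn) -> Optional[PeeringRule]:
    """First match wins: consult rules in numerical order and stop at the first hit."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(syn):
            return rule
    return None  # assumption: the page does not say what happens when nothing matches


def record_ssl_failure(bypass: BypassList, dst_ip: str, dst_port: int) -> None:
    """Model a handshake failure or unmatched certificate adding the server to the bypass list."""
    bypass.add((dst_ip, dst_port))


def default_rules(bypass: BypassList) -> List[PeeringRule]:
    """The two default rules described on the page; rule 1 shares the live bypass list."""
    return [
        PeeringRule(number=1, rule_type="ssl_incapable", bypass_list=bypass),
        PeeringRule(number=2, rule_type="ssl_capable", dst_port=443),
    ]


def classify(rules: List[PeeringRule], syn: Syn) -> Optional[Tuple[int, str]]:
    rule = evaluate(rules, syn)
    return (rule.number, rule.rule_type) if rule else None


if __name__ == "__main__":
    bypass: BypassList = set()
    rules = default_rules(bypass)
    syn = Syn(src_ip="10.1.1.5", dst_ip="10.2.2.10", dst_port=443, probe_ip="10.1.1.1")
    print(classify(rules, syn))                   # (2, 'ssl_capable')
    record_ssl_failure(bypass, "10.2.2.10", 443)  # e.g. issuer not in the trusted CA list
    print(classify(rules, syn))                   # (1, 'ssl_incapable'): follow-on connections now hit rule 1
    print(classify(rules, Syn("10.1.1.5", "10.2.2.10", 8443)))  # None: not port 443, not bypassed
```

The bypass set is shared by reference with rule 1, so recording a failure for a destination IP and port changes the outcome for every later connection to that pair without touching the rule list itself, which is the behaviour the page describes for follow-on connections.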