Shadowed Rules

Overview

Shadowed rules are rules that are not invoked when a connection matches the conditions they define, because other rules with higher priority (the shadowing rules) take precedence over them and prevent them from being invoked. The shadowing rules can be a single rule or a combination of rules.

There are two types of shadowed rules:

  • Fully Shadowed rule: A rule that has higher priority rules above it whose conditions fully intersect with it, thereby never allowing it to be invoked. Fully shadowed rules are redundant and can be removed safely without affecting access.
  • Partially Shadowed rule: A rule that has higher priority rules above it whose conditions partially intersect with it, thereby preventing it from being invoked when those conditions apply. These rules are still hit when the non-intersecting conditions apply, so removing them will affect access.
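
The two definitions above can be checked mechanically; the following is an added example, not TOS Aurora's implementation or code from this documentation. It assumes a simplified rule model (one source CIDR, one destination CIDR, one port range, rule action ignored), uses hypothetical helper names (box, subtract, classify) and a constructed rulebase, and classifies each rule by subtracting every higher-priority rule from it, so a rule covered only by a combination of rules is still found.

```python
import ipaddress

def box(src, dst, ports):
    """Map a rule's source CIDR, destination CIDR and port range to integer intervals."""
    s, d = ipaddress.ip_network(src), ipaddress.ip_network(dst)
    return ((int(s[0]), int(s[-1])), (int(d[0]), int(d[-1])), ports)

def subtract(a, b):
    """Return the parts of box a that box b does not cover."""
    if any(al > bh or ah < bl for (al, ah), (bl, bh) in zip(a, b)):
        return [a]  # no overlap, a is untouched
    pieces, rest = [], list(a)
    for i, ((al, ah), (bl, bh)) in enumerate(zip(a, b)):
        if al < bl:  # slice of a below b on this dimension
            pieces.append(tuple(rest[:i] + [(al, bl - 1)] + rest[i + 1:]))
        if ah > bh:  # slice of a above b on this dimension
            pieces.append(tuple(rest[:i] + [(bh + 1, ah)] + rest[i + 1:]))
        rest[i] = (max(al, bl), min(ah, bh))
    return pieces

def classify(rules):
    """rules: (name, box) pairs, highest priority first -> {name: (status, shadowing rules)}."""
    result = {}
    for idx, (name, rule_box) in enumerate(rules):
        remaining, shadowing = [rule_box], []
        for other_name, other_box in rules[:idx]:
            if subtract(rule_box, other_box) != [rule_box]:
                shadowing.append(other_name)  # intersects the rule under test
            remaining = [p for r in remaining for p in subtract(r, other_box)]
        if not shadowing:
            status = "not shadowed"
        elif remaining:
            status = "partially shadowed"  # some matching traffic still reaches it
        else:
            status = "fully shadowed"  # the higher-priority rules cover all of it
        result[name] = (status, shadowing)
    return result

# Constructed sample rulebase, highest priority first.
RULES = [
    ("r1", box("10.0.0.0/25", "192.168.1.0/24", (443, 443))),
    ("r2", box("10.0.0.128/25", "192.168.1.0/24", (443, 443))),
    ("r3", box("10.0.0.0/24", "192.168.1.0/24", (443, 443))),
    ("r4", box("10.0.0.0/24", "192.168.1.0/24", (80, 443))),
    ("r5", box("172.16.0.0/16", "192.168.2.0/24", (22, 22))),
]

if __name__ == "__main__":
    for name, (status, by) in classify(RULES).items():
        print(name, status, by)
```

Here r3 is fully shadowed only by r1 and r2 together, while r4 overlaps the same rules but still receives traffic on ports 80-442.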

Identify Fully Shadowed Rules

In the Rule Viewer, TOS Aurora identifies shadowed rules with a value of Yes in the Shadowed field.

Rules are marked as Shadowed only when they are fully shadowed.

To filter the view and see only fully shadowed rules, use the TQL query fullyShadowed = true.

For more information, see TQL Fields for Rule Viewer.

You can use the Cleanup Browser to remove these redundant rules.

What Can I See Here?

This panel shows all the rules that are fully or partially shadowing the selected rule.

You can toggle the Shadowed Rule panel (blue panel at the bottom) to compare the shadowing rules to the shadowed rule.

How Do I Get Here?

From the menu, select Browser > Rule Viewer > Select a rule > Select Shadowing Rules