Service Policy Matching Logic
When the Security Appliance applies a service policy to an interface, it must sort the
matching criteria. In a traditional policy map or access list, the Security Appliance would use
a first-match rule; as soon as a packet matched a criterion in the policy map or access list, the
action was handled and the Security Appliance went on to the next packet. Using an MPF, it
is possible to require a packet to match multiple criteria, each with separate actions that
should be applied to the packet. The first-match rule is used, as it only supports a single
action per packet. To allow for multiple matches and allow multiple actions to apply to a
packet, two policies dictate how the service policy handles matching criteria.
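
The configuration below is an added illustration, not taken from the original text, of one packet matching more than one class and receiving a separate action from each. The class-map and policy-map names, the interface name "outside" and the connection limit are hypothetical values chosen for the example.

```cisco
! Added example: names and values are hypothetical.
! Class 1 matches only HTTP traffic.
class-map HTTP-TRAFFIC
 match port tcp eq 80
!
! Class 2 matches every packet, HTTP included.
class-map ALL-TRAFFIC
 match any
!
! Each class carries its own action.
policy-map OUTSIDE-POLICY
 class HTTP-TRAFFIC
  inspect http
 class ALL-TRAFFIC
  set connection conn-max 1000
!
! Apply the policy map to a single interface.
service-policy OUTSIDE-POLICY interface outside
```

A TCP port 80 connection arriving on the outside interface matches both classes, so it is subject to HTTP inspection and also counts against the connection limit. Under a strict first-match rule only the action of HTTP-TRAFFIC would have been applied.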