Structured Editor
The expression editor displays the expression in terms of clauses. A clause is a set of fields with values specified. All the fields and values within a clause will be combined by the and operator in the final expression. For example, a clause with "Source Address" set to 192.168.1.1 and "Action" set to permit will match only packets with a source address of 192.168.1.1 that the configuration will permit. If a field value is not set, it is ignored and does not contribute to the expression.

Icons on the top editor tool bar perform a number of basic operations.
- The first icon creates a new clause after the current focus point.
- The second icon deletes the currently selected clause.
- The next four green arrow icons control clauses and are described in the Composing Clauses section below.
- The next icon saves your edits.
- The next icon saves your edits and closes the expression editor.
- The last icon throws away your edits and closes the expression editor.
Editing Clauses
To set values in a clause, click on a field name. This will activate the associated value entry field to the right of the field name. Start typing in the value entry area. The Guided Editor will give you hints for proper values in hint popup windows. You can continue typing or select a hint from the popup window. See Guided Editor for more details on the editing mechanism. After completing a value, hit return. For most fields, you can enter multiple values. These values will be interpreted as alternates. For example, if you enter 192.168.1.0/24 and 10.10.10.128 for the Destination Address field, the expression evaluation will interpret this as the Destination Address matches the network 192.168.1.0/24 or the host 10.10.10.128.
To edit an existing value, double-click the value and start editing. To delete a value, select the value and press the Delete key.
Each field and value pair is separated by an equal sign (=). You can click on the equal sign to toggle it to a not equal sign (≠). This affects how the field value pair is interpreted during the expression evaluation. In our example of the Destination Address field with values 192.168.1.0/24 and 10.10.10.128, if there is an equal sign, the expression will be interpreted as the Destination Address matches the network 192.168.1.0/24 or the host 10.10.10.128. If a not equal sign is shown, the expression will be evaluated as the Destination Address is not in the network 192.168.1.0/24 and it does not equal the host 10.10.10.128.
Each clause has a tool bar with three buttons.
- The first toggles between the enabled and disabled icons to indicate whether the clause is enabled or disabled. If the button shows the enabled icon, the clause (and all of its children) are enabled. If it shows the disabled icon, the clause is disabled. When a clause is disabled, the clause and its children do not contribute to the expression when a policy validation is performed. This is useful when a particular clause is not currently relevant but you want to reactivate it later.
- The second button in the tool bar indicates whether the expression should be evaluated as a match or a not match. If the button shows the match icon, evaluating the expression will match packets that match the values in the clause. If the button shows the not match icon, evaluating the expression will match packets that do not match the values in the clause. For example, if the clause has 192.168.1.1 set for source address and TCP:80 set for destination service, evaluating the expression will look for packets that have a source address of 192.168.1.1 and a destination service of TCP:80 if the button shows the match icon. Otherwise, the expression evaluation will look for packets that do not have a source address of 192.168.1.1 or do not have a destination service of TCP:80.
- The last button controls whether unset fields are displayed. If the button shows the expanded icon, all possible fields are displayed even if they have no values currently set. If the button shows the concise icon, the clause is displayed in a more concise form with only the set fields displayed. The expanded form is useful when entering values for unset fields, and the concise form when editing other clauses.
Composing Clauses
An expression is composed of multiple clauses. The expression editor shows how clauses are combined through indentation and operators. If two clauses are at the same indentation level, they are connected by a line with the or operator. When evaluated, the first clause will be evaluated to find matching packets and actions. Then the second clause will be evaluated to find matching packets and actions. The resulting expression is the union of the packets and actions described in each clause.
If one clause is a child of another clause (that is the second clause is indented underneath the first clause), the results of the clauses are combined with the and operator. Effectively the outer clause is checked and if it matches, the inner clauses are checked. If the outer clause doesn't match, the inner clauses are not checked at all.
Clauses at the same level ("sibling clauses") are combined with the or operator, which means that they are all checked until one matches if all parent clauses match. If there are clauses nested under the siblings, those are checked only if their parent (one of the siblings) matches.
The expression as a whole matches if any clause without nested clauses matches. A parent clause (one with nested clauses) matches if any of its nested clauses match.
Controlling Clause Nesting
In the expression editor tool bar, there is a set of four arrow buttons.
- The first arrow moves the selected clause up the list.
- The second arrow moves the selected clause down the list.
- The third arrow moves the selected clause to be a sibling of its parent clause.
- The fourth arrow moves the selected clause to be a child of its sibling.
In addition to combining clauses through and and or operators, there is also an otherwise operator. The otherwise operator can be used on the last clause in a list of clauses at the same indentation level; that is, a set of clauses combined by the or operator. The clause after the otherwise operator expresses the action or scope that must apply to the packet that does not match any of the previous clauses. For example, consider one clause that specified the Source Address was 10.10.0.0/16 and the Action was permit, and after the otherwise operator another clause that specified the action of deny. This would mean that only packets with the source address in the 10.10.0.0/16 network should be permitted and all other packets should be denied. The otherwise operator provides a concise means of expressing the expected action in all "other" cases.
The last clause in a list can be converted between an or clause and an otherwise clause by toggling the operator icon next to the clause. If it shows the or icon, the final clause is another or clause. If it shows the otherwise icon, the final clause is an otherwise clause. If the operator is red, it means that the clause has an otherwise operator and was moved to a location where such an operator is not permitted. In this case it will be treated as an or. If the clause is moved to a location where otherwise is valid, the operator will change back to green. You can change the operator to or, but you can't change it back unless the clause is moved to a location where otherwise is valid. This is done so that the otherwise operator is not changed while a clause is being moved.
If it's still not clear what operator a clause has, hover the mouse cursor over the operator and a tooltip will show it.
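The semantics spread over the sections above (alternate values OR-ed within a field, the not equal sign, the match / not match button, disabled clauses, or between siblings, and between a parent and its nested clauses, and the otherwise operator) can be checked against a small evaluator. The following is an added example, not the editor's own code: the short field names (src, dst, service, action), the packet dictionaries and the exact reading of "otherwise" (the otherwise clause applies only to packets whose scope is not covered by an earlier sibling) are assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass, field

# Assumed short names for the fields the page calls Source Address, Destination
# Address, destination service and Action.
ADDRESS_FIELDS = {"src", "dst"}
SCOPE_EXCLUDED = {"action"}   # fields that describe the action, not the packet


def value_matches(name, wanted, actual):
    """Test one alternate value against the packet's value. Address fields accept a
    host or a CIDR network; every other field compares as a plain string."""
    if name in ADDRESS_FIELDS:
        return ipaddress.ip_address(actual) in ipaddress.ip_network(wanted, strict=False)
    return wanted == actual


@dataclass
class Clause:
    fields: dict                                   # name -> (op, [alternates]); op is "=" or "!="
    enabled: bool = True                           # first clause tool bar button
    negate: bool = False                           # second button: match / not match
    children: list = field(default_factory=list)   # indented clauses, or-ed among themselves
    otherwise: bool = False                        # last sibling may carry the otherwise operator

    def fields_match(self, packet):
        """All set fields are and-ed. '=' holds if ANY alternate matches; '!=' holds only
        if NO alternate matches (not in the network AND not equal to the host)."""
        for name, (op, values) in self.fields.items():
            if not values:                         # unset field: contributes nothing
                continue
            any_hit = any(value_matches(name, v, packet[name]) for v in values)
            if op == "=" and not any_hit:
                return False
            if op == "!=" and any_hit:
                return False
        return True

    def matches(self, packet):
        hit = self.fields_match(packet)
        return not hit if self.negate else hit     # not match button inverts the clause

    def scope_matches(self, packet):
        """Same test restricted to packet-describing fields (assumption: this decides
        whether an earlier sibling already covers the packet for 'otherwise')."""
        scope = {k: v for k, v in self.fields.items() if k not in SCOPE_EXCLUDED}
        return Clause(scope, negate=self.negate).matches(packet)


def clause_matches(clause, packet):
    """Outer clause AND its children: if the outer clause fails, the children are not
    checked at all; if it has enabled children, one of them must match as well."""
    if not clause.matches(packet):
        return False
    if not any(c.enabled for c in clause.children):
        return True
    return evaluate(clause.children, packet)


def evaluate(siblings, packet):
    """Siblings are or-ed and checked in order; disabled clauses are skipped. Assumed
    reading of 'otherwise': it applies only when no earlier enabled sibling covers the
    packet's scope, so an otherwise clause can never contradict those siblings."""
    covered = False
    for clause in siblings:
        if not clause.enabled:
            continue
        if clause.otherwise:
            return False if covered else clause_matches(clause, packet)
        covered = covered or clause.scope_matches(packet)
        if clause_matches(clause, packet):
            return True
    return False


def demo():
    """The page's otherwise example plus a nested clause, run on constructed packets."""
    def pkt(src, service, action):
        return {"src": src, "dst": "192.0.2.10", "service": service, "action": action}

    policy = [
        Clause({"src": ("=", ["10.10.0.0/16"]), "action": ("=", ["permit"])}),
        Clause({"action": ("=", ["deny"])}, otherwise=True),
    ]
    web = Clause({"src": ("=", ["192.168.1.0/24"])}, children=[
        Clause({"service": ("=", ["TCP:80"])}),
        Clause({"service": ("=", ["TCP:443"])}, enabled=False),   # disabled: ignored
    ])
    return {
        "lan_permit": evaluate(policy, pkt("10.10.3.4", "TCP:80", "permit")),      # True
        "lan_deny": evaluate(policy, pkt("10.10.3.4", "TCP:80", "deny")),          # False
        "other_deny": evaluate(policy, pkt("198.51.100.7", "TCP:80", "deny")),     # True
        "other_permit": evaluate(policy, pkt("198.51.100.7", "TCP:80", "permit")), # False
        "web_80": evaluate([web], pkt("192.168.1.9", "TCP:80", "permit")),         # True
        "web_443": evaluate([web], pkt("192.168.1.9", "TCP:443", "permit")),       # False
        "web_outside": evaluate([web], pkt("10.0.0.1", "TCP:80", "permit")),       # False
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `lan_deny` case is the one worth watching: the first clause fails on the action, but because that clause's scope (the 10.10.0.0/16 source) already covers the packet, the otherwise clause does not get to accept a deny for it, which is exactly the "only those packets should be permitted" reading of the example above.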
