Rules are part of the admission process that decides whether a connection can be created from one Client to another on the SD-WAN Client fabric network.

Before the tunnel even comes up, a network with a rule assigned will only allow traffic that matches the defined service to be sent to its destination. If the traffic type does not match the service, no tunnel is built, which effectively blocks the unwanted traffic. In an ICS network, it is critical to follow the design mantra of "deny by default, permit by exception."

  1. As the name implies, this rule designates that only FTP traffic can be serviced on any network it is associated with. It is used for the Analytics Data Export network. FTP is available as a pre-defined service.
  2. Again, as the name implies, this rule permits only VNC traffic on the Operator Remote Access network. VNC traffic is defined as a custom service with a TCP port range of 5900-5909. Keep in mind that VNC can use different ranges, so ensure you use what is appropriate for your environment.
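The admission logic described above, modelled as an added example (this is not the vendor's code or API): each network carries a rule naming the one service it permits, and a flow is admitted only when it matches that service, so anything else, including a VNC server listening outside the configured 5900-5909 range, gets no tunnel. The FTP service is assumed to be the TCP/21 control channel; the network and service names are taken from the text.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    """A service definition: protocol plus an inclusive destination port range."""
    name: str
    protocol: str   # "tcp" or "udp"
    port_low: int
    port_high: int

    def matches(self, protocol: str, dst_port: int) -> bool:
        return protocol == self.protocol and self.port_low <= dst_port <= self.port_high


# Pre-defined FTP service (assumed here to be the TCP/21 control channel) and
# the page's custom VNC service covering TCP 5900-5909.
FTP = Service("FTP", "tcp", 21, 21)
VNC = Service("VNC", "tcp", 5900, 5909)

# Network name -> services permitted by the rule assigned to that network.
# A network with no entry has no rule and, deny by default, admits nothing.
RULES = {
    "Analytics Data Export": (FTP,),
    "Operator Remote Access": (VNC,),
}


def admit(network: str, protocol: str, dst_port: int) -> tuple[bool, str]:
    """Return (allowed, reason) for a flow on `network`; a tunnel is built only if allowed."""
    for service in RULES.get(network, ()):
        if service.matches(protocol, dst_port):
            return True, f"matches service {service.name}"
    return False, "no matching service; tunnel not built"


def denied_flows(flows):
    """Evaluate constructed (network, protocol, dst_port) flows and return the denied ones."""
    denied = []
    for network, protocol, dst_port in flows:
        allowed, reason = admit(network, protocol, dst_port)
        if not allowed:
            denied.append((network, protocol, dst_port, reason))
    return denied


# Constructed sample flows: an FTP export, an in-range VNC session, a VNC
# server outside the configured range, an unrelated service (TCP/3389), and
# VNC attempted on the FTP-only network.
SAMPLE_FLOWS = [
    ("Analytics Data Export", "tcp", 21),
    ("Operator Remote Access", "tcp", 5901),
    ("Operator Remote Access", "tcp", 5910),   # outside 5900-5909: blocked
    ("Operator Remote Access", "tcp", 3389),
    ("Analytics Data Export", "tcp", 5900),
]

if __name__ == "__main__":
    for entry in denied_flows(SAMPLE_FLOWS):
        print("DENIED", entry)
```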