Tim Mullen came up with a good question the other day regarding directionality notations in his ISA Firewall's log files. What appeared to be an inbound connection was logged as an outbound connection.
To clarify the situation, Jim Harrison came up with the following explanation, which indeed explains the situation very nicely:
The traffic “direction” is determined by the rule.
What rule is quoted for the deny action?
If it’s the default rule, then that’s correct, because Access rules only deal in “outbound” traffic.
Since the “default deny rule” is an access rule, it deals only with “all outbound protocols”.
Here’s another conundrum to wrap up in your dilemma…
Primary Connection: TCP:666 Inbound
Primary Connection: TCP:666 Outbound
To: Local Host
If the SPR is listed first, it will “fire” and the traffic will be listed as “inbound”
If the access rule is listed first, it will fire and the traffic will be listed as “outbound”.