Clarifying ISA Firewall "Directionality" for Access and Publishing Rules

Tim Mullen came up with a good question the other day regarding directionality notations in his ISA Firewall’s log files. What appeared to be an inbound connection was logged as an outbound connection.

To clarify the situation, Jim Harrison came up with the following explanation, which indeed explains the situation very nicely:


The traffic “direction” is determined by the rule.

What rule is quoted for the deny action?

If it’s the default rule, then that’s correct, because Access rules only deal in “outbound” traffic.

Since the “default deny rule” is an access rule, it deals only with “all outbound protocols”.

Here’s another conundrum to wrap up in your dilemma…


Primary Connection: TCP:666 Inbound

From: External

Access Rule

Primary Connection: TCP:666 Outbound

From External

To: Local Host

If the SPR is listed first, it will “fire” and the traffic will be listed as “inbound”

If the access rule is listed first, it will fire and the traffic will be listed as “outbound”.


Thanks Jim!



Thomas W Shinder, M.D.


Email: [email protected]

MVP — Microsoft Firewalls (ISA)

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top