Rule resolution processing is halted (with no rule found) when it encounters blocked rules. The rule form colors change from greens to grays for blocked rules.
A rule instance is blocked-by-another if its Availability value is set to Yes but a higher-numbered version of this rule (same name or key, same ruleset) has the Availability set to Blocked.
Available rules with that name or key and a different ruleset may be blocked-by-another as well, if their ruleset version appears beneath the ruleset version of the Blocked rule on the user's ruleset list.
When rule resolution selects a rule that is blocked, that rule and all others (same name or key, any ruleset) are not executable.
To make a rule available "above" a blocked rule (that belongs to a secure ruleset version), choose a higher version number or a ruleset that appears higher on your (and other users') ruleset list.
If a rule has Availability set to Blocked but also has a non-blank Circumstance Property, the blocking effect applies both to that rule and the base or underlying rule that has no Circumstance property. A rule resolution search that meets the Circumstance Property value stops (with no rule found). The Availability setting in the underlying rule is not relevant.
However, the converse does not hold. If the rule with a Circumstance Property has Availability set to Yes, and the base rule has Availability set to Blocked, a rule request matching the circumstance property and value is successful at finding and using the circumstance-qualified rule.
A blocked rule and a withdrawn rule are both invisible to rule resolution. Similarly, both blocked rules and withdrawn rules prevent lower-version rules with the same ruleset and visible key from being selected by rule resolution. However, a blocked rule may block other rules in any ruleset, and a blocked rule stops rule resolution from finding rules in higher Applies To classes. A withdrawn rule affects other rules only in one ruleset and one Applies To class.
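The following added example (not Pega code) is a simplified Python model of only the behavior described above: Blocked halts the search across rulesets, Withdrawn hides lower versions in its own ruleset only, and a circumstance-qualified rule is considered before the base rule. The `Rule` fields, the `resolve` function, the ruleset names and the sample rules are all assumptions constructed for illustration; Applies To class inheritance and ruleset version prefixes are not modeled.

```python
from dataclasses import dataclass
from typing import Optional

HALT = object()  # sentinel: the search stopped on a Blocked rule

@dataclass(frozen=True)
class Rule:
    name: str
    ruleset: str
    version: str                      # zero-padded, e.g. "01-01-05"
    availability: str                 # "Yes", "Blocked" or "Withdrawn"
    circumstance: Optional[str] = None

def _walk(cands, ruleset_list):
    """Scan the ruleset list top-down, highest version first."""
    for rs in ruleset_list:
        versions = sorted((r for r in cands if r.ruleset == rs),
                          key=lambda r: r.version, reverse=True)
        for r in versions:
            if r.availability == "Blocked":
                return HALT           # stops the search across all rulesets
            if r.availability == "Withdrawn":
                break                 # hides lower versions in this ruleset only
            return r                  # Availability "Yes"
    return None                       # nothing visible in any ruleset

def resolve(rules, name, ruleset_list, circumstance=None):
    """Return the selected Rule, or None when no rule is found."""
    named = [r for r in rules if r.name == name]
    if circumstance is not None:
        hit = _walk([r for r in named if r.circumstance == circumstance],
                    ruleset_list)
        if hit is not None:           # found, or halted by a blocked circumstance rule
            return None if hit is HALT else hit
    hit = _walk([r for r in named if r.circumstance is None], ruleset_list)
    return None if hit is HALT else hit

# Constructed sample data; the ruleset list is ordered top first.
RULESETS = ["AppLayer", "Framework"]
BASE_OK = Rule("Validate", "Framework", "01-01-01", "Yes")
BLOCKER = Rule("Validate", "AppLayer", "01-01-05", "Blocked")
WITHDRAWN = Rule("Validate", "AppLayer", "01-01-05", "Withdrawn")
GOLD_OK = Rule("Validate", "Framework", "01-01-01", "Yes", "Gold")
GOLD_BLOCK = Rule("Validate", "Framework", "01-01-02", "Blocked", "Gold")

if __name__ == "__main__":
    print(resolve([BASE_OK, BLOCKER], "Validate", RULESETS))    # blocked: no rule found
    print(resolve([BASE_OK, WITHDRAWN], "Validate", RULESETS))  # falls through to Framework
```

Swapping `BLOCKER` for `WITHDRAWN` in the same rule set is the quickest way to see the difference in reach between the two Availability values.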
When you create a ZIP archive containing a ruleset version, any blocked rules associated with that ruleset version are included in the archive (and remain blocked when uploaded onto a destination system).
On a destination system, a blocked rule can in some cases block a different set of other rules than it blocked on the source system.
When skimming to a new minor or major ruleset Version, Blocked rules are always copied since their purpose is to block all similar rules regardless of ruleset name. Blocked rules can be used, for example, to block another rule which belongs to a ruleset name in an underlying Application layer that will be untouched by the skim process.
To report on all blocked rules in a ruleset, select those where the property pyRuleAvailable has the value Blocked. See PDN article How to list all the blocked rules in a ruleset.