14.2 Filter Logic

You can use one or more filters to determine whether the policy should be applied to a device. A device must match the entire filter list (as determined by the logical operators that are explained below) for the policy to be applied to the device.

There is no technical limit to the number of filters you can use, but there are practical limits, such as designing a filter structure that is easy to understand and organizing the filters so that you do not create conflicting filters.

14.2.1 Filters, Filter Sets, and Logical Operators

You can add filters individually or in sets. Logical operators, either AND or OR, are used to combine each filter and filter set. By default, filters are combined using OR (as determined by the Combine Filters Using field) and filter sets are combined using AND. You can change the default and use AND to combine filters, in which case filter sets are automatically combined using OR. In other words, the logical operator that combines individual filters (within a set) must be the opposite of the operator that is used between filter sets.

You can easily view how these logical operators work. Click both the Add Filter and Add Filter Set options a few times each to create a few filter sets, then switch between AND and OR in the Combine Filters Using field and observe how the operators change.

As you construct filters and filter sets, you can think in terms of algebraic notation with parentheses: the filters in a set are contained within one pair of parentheses, and the sets form a series of parenthetical groups. One logical operator (AND or OR) separates the filters within the parentheses, and the opposite operator separates the parenthetical groups.

For example, “(u AND v AND w) OR (x AND y AND z)” means “match either uvw or xyz.” In the filter list, this looks like:

u AND
v AND
w
OR
x AND
y AND
z

14.2.2 Nested Filters and Filter Sets

Filters and filter sets cannot be nested. You can only enter them in series, and the first filter or filter set to match the device is used. Therefore, the order in which they are listed does not matter. You are simply looking for a match to cause the policy to be applied to the device.
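The following sketch models the combination rules from 14.2.1 and the order independence noted in 14.2.2. It is an added example, not product code; the function names, device attributes and filter values are constructed for illustration, and the handling of empty filter lists is an assumption of the example.

```python
# Added illustration, not vendor code. Attribute names, filter values and
# devices below are constructed samples.
from itertools import permutations

def policy_applies(device, filter_sets, combine_filters_using="OR"):
    """Return True when the device matches the whole filter list.

    filter_sets: list of sets, each a list of (attribute, expected) filters.
    combine_filters_using: operator between filters inside a set ("OR" is
    the default); the opposite operator is applied between the sets.
    """
    if combine_filters_using not in ("AND", "OR"):
        raise ValueError("combine_filters_using must be 'AND' or 'OR'")
    # Assumption of this example: an empty list or set is rejected, so that
    # all([]) == True can never silently apply a policy to every device.
    if not filter_sets or any(not fs for fs in filter_sets):
        raise ValueError("empty filter list or filter set")
    within, between = (all, any) if combine_filters_using == "AND" else (any, all)
    return between(
        within(device.get(attr) == expected for attr, expected in fs)
        for fs in filter_sets
    )

def order_independent(device, filter_sets, mode):
    """True when every ordering of the sets gives the same decision."""
    outcomes = {policy_applies(device, list(p), mode)
                for p in permutations(filter_sets)}
    return len(outcomes) == 1

FILTER_SETS = [
    [("os", "Windows"), ("dept", "Finance")],
    [("location", "HQ"), ("encrypted", True)],
]
LAPTOP = {"os": "Windows", "dept": "Sales", "location": "Branch", "encrypted": True}
KIOSK = {"os": "Linux", "dept": "Sales", "location": "HQ", "encrypted": True}

if __name__ == "__main__":
    for name, dev in (("laptop", LAPTOP), ("kiosk", KIOSK)):
        for mode in ("OR", "AND"):
            print(name, mode, policy_applies(dev, FILTER_SETS, mode))
```

With the same filter list, switching the operator flips the decision for both sample devices, so a change to the Combine Filters Using field deserves the same review as a change to the filters themselves.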