A role can have no rules if the default action is sufficient. Rules are used only to provide different treatments for different packet types to which a single role is applied.
A network rule defines one or more actions to take on a packet that matches the criteria specified by the rule (such as IP address or port number). The actions can be to deny the traffic, to allow the traffic, or to contain the traffic to a specific VLAN. If the traffic is allowed, it can also be assigned a Class of Service (CoS) that can affect the priority and latency of that traffic. Only the rules in the policy assigned to a client are applied to that client's traffic.
Note
Application policies and application rules apply to application access and use different matching criteria.
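The network-rule model described above, as an added conceptual example (not the product's configuration syntax or code). It assumes rules are checked in order with the first match winning and that matching is on destination address and port. The role names, addresses, VLAN IDs and CoS values are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Decision:
    action: str                 # "allow", "deny" or "contain"
    vlan: Optional[int] = None  # set only for "contain"
    cos: Optional[int] = None   # optional, only meaningful for "allow"

@dataclass(frozen=True)
class Rule:
    decision: Decision
    dst_net: Optional[str] = None   # CIDR; None matches any address
    dst_port: Optional[int] = None  # None matches any port

    def matches(self, dst_ip: str, dst_port: int) -> bool:
        net_ok = self.dst_net is None or (
            ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst_net))
        return net_ok and (self.dst_port is None or self.dst_port == dst_port)

@dataclass(frozen=True)
class Role:
    name: str
    default: Decision   # the role's default action
    rules: tuple = ()   # a role can have no rules

    def evaluate(self, dst_ip: str, dst_port: int) -> Decision:
        # Assumption: rules are checked in order and the first match wins.
        for rule in self.rules:
            if rule.matches(dst_ip, dst_port):
                return rule.decision
        return self.default  # no rule matched, or the role has no rules

# Constructed sample roles (all values are illustrative).
GUEST = Role("guest", default=Decision("contain", vlan=99))
STAFF = Role("staff", default=Decision("allow"), rules=(
    Rule(Decision("deny"), dst_net="10.0.50.0/24"),
    Rule(Decision("allow", cos=5), dst_port=5060),
    Rule(Decision("contain", vlan=30), dst_net="192.168.30.0/24", dst_port=80),
))

def decide(role: Role, dst_ip: str, dst_port: int) -> Decision:
    """Apply only the rules of the role assigned to the client."""
    return role.evaluate(dst_ip, dst_port)

if __name__ == "__main__":
    for role, ip, port in [(GUEST, "10.0.50.7", 443), (STAFF, "10.0.50.7", 5060),
                           (STAFF, "172.16.1.1", 5060), (STAFF, "203.0.113.9", 53)]:
        print(role.name, ip, port, decide(role, ip, port))
```

Under the first-match assumption, the order of the deny rule and the CoS rule decides what happens to port 5060 traffic bound for 10.0.50.0/24, so a review of a role should check rule order as well as rule content.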