Security Policy Granular to Address Group?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Security Policy Granular to Address Group?

L2 Linker

I have a group of computers that I want to apply a different security policy with a different Security Profile to.

 

I have created 2 Security policies.

The first policy = Internet Out allow any -  Trusted Zone to Untrusted Zone with the default 'basic file blocking' Security profile.

The second policy = Internet Out allow any  - Trusted Zone with Source Address = Test_Group (specific group of computers) and a 'special file blocking' Security profile.

 

The policies don't seem to granulary apply. Meaning, the Top policy always applies to ALL Outgoing computers.

 

I recently added a Negate Source in the first policy to see if it would allow the 'special group' of computers to pass over the first policy and have the second policy apply to them.  This may have resolved my desired policy application results?

 

If not - what could I be missing?

Thanks in advance.

 

 

 

4 REPLIES 4

L7 Applicator

Hi @catrock

 

The firewall always evaluates the policies top>down. So you need to place the more granular rule (the one with the specific source addresses) above the rule with the general access for your trust zone.

Thank you @Remo

 

My policy's are as such in the attached image.

catPturepl67.JPG

Should work as desired - yes?

 

Yes, that seems to be correct.

 

What is the less strict address object?

 

And what does the session logs show for the unexpectedly permitted traffic in the details?

 

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Hello,

The Less_Strict_Object is a member of a Less_Strict_addy_grp that will be used to allow different secuity Profle group settings.

There is only 1 computer in this group - it is define by a single IP.  I did have the IP address (defined in the object) 'ip netmask using a CIDR (192.168.0.23/24).  I have removed the /24 from it to test further (192.168.0.23)

Specifically, I am trying to use it to allow my mac to download VMWare fusion updates that are TAR/other that I don't want other computers to be able to download.

 

BTW: the policy order still doesn't seem to be working properly.

 

  • 2647 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!