Policies - Security - Rule shadowed by 2nd rule


Much like an access list on a Cisco router, top to bottom. I recently created 2 rules for our 3rd party ISP to connect internet sticks via our firewall.

1st rule - Allow all traffic via TELUS internet sticks from Trust Vpn, Source (telus), Destination (Any), Actions (Allow), No profile type.

2nd rule - Deny all traffic via TELUS internet sticks from Trust Vpn, Source (telus), Destination (Any), Actions (Deny)  Profiles Type "Profile", URL Filtering (VPN use only) which has allowed sites and blocked sites that I created.

However, when I commit the rules, I get a message: "Security Policy: Rule 'Telus Internet Allowed urls' shadows rule 'Telus Internet disallowed urls'".

I'm not certain which to change. Any ideas?

Rob


L6 Presenter

What about this?

1)
srczone: Trust VPN
srcip: telus
dstzone: any
dstip: any
profile: URL Filtering (VPN use only)
options: log on session end
action: allow

2)
srczone: any
srcip: any
dstzone: any
dstip: any
profile: none
options: log on session end
action: deny

The thing is that your "allow" (which you see in the security policy) is based on the IP header, while the URL filtering profile takes care of what you will allow/block based on URL.

However, if I recall correctly, another method is to only have allowed URLs in your URL filter profile and let the default deny at the bottom take care of the blocking.

Like so:

1)
srczone: Trust VPN
srcip: telus
dstzone: any
dstip: any
profile: URL Filtering (Allowed for VPN)
options: log on session end
action: allow

2)
srczone: any
srcip: any
dstzone: any
dstip: any
profile: none
options: log on session end
action: deny
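The shadow warning in the thread comes from comparing match criteria only, not actions or profiles: a first-match rulebase never reaches a later rule whose zones and addresses are entirely covered by an earlier one. The following is an added example (not code from the post or from Palo Alto Networks) of that check, run over both the poster's original pair and the reply's suggested layout. The rule names, the zone "Trust Vpn", and the prefix behind the "telus" address object are constructed for the example.

```python
"""Added example: first-match shadow check over a firewall rulebase.

Not code from the LIVEcommunity post or from Palo Alto Networks; it models the
shadow warning the thread describes. A later rule whose match fields (zones and
addresses) are all covered by an earlier rule can never be hit, regardless of
its action or attached security profile. Address-object contents are constructed.
"""
from dataclasses import dataclass

ANY = "any"

# Constructed address-object table: object name -> set of member prefixes.
# On a real firewall these come from the configured address objects.
ADDRESS_OBJECTS = {
    "telus": {"203.0.113.0/24"},  # constructed sample prefix (TEST-NET-3)
}


@dataclass
class Rule:
    name: str
    src_zone: str
    src_addr: str
    dst_zone: str
    dst_addr: str
    action: str
    profile: str = "none"


def _members(value):
    """Expand a match field into a set; 'any' is the universal set (None)."""
    if value == ANY:
        return None
    return ADDRESS_OBJECTS.get(value, {value})


def _covers(earlier, later):
    """True if the earlier field matches everything the later field matches."""
    e, l = _members(earlier), _members(later)
    if e is None:
        return True   # 'any' covers anything
    if l is None:
        return False  # a specific set cannot cover 'any'
    return l <= e


def is_shadowed(earlier, later):
    """A later rule is shadowed when every match field is covered by the earlier rule.

    Action and profile are deliberately ignored: they decide what happens to
    matched traffic, not whether traffic reaches the rule. That is why an allow
    rule shadows a deny rule with identical match criteria even when the deny
    carries a URL-filtering profile.
    """
    return all(_covers(getattr(earlier, f), getattr(later, f))
               for f in ("src_zone", "src_addr", "dst_zone", "dst_addr"))


def find_shadowed(rules):
    """Return (shadowing_rule, shadowed_rule) name pairs for a first-match rulebase."""
    hits = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if is_shadowed(earlier, later):
                hits.append((earlier.name, later.name))
                break  # one shadowing rule already makes 'later' unreachable
    return hits


# The poster's original pair: identical match criteria, so the commit warns.
ORIGINAL = [
    Rule("Telus Internet Allowed urls", "Trust Vpn", "telus", ANY, ANY, "allow"),
    Rule("Telus Internet disallowed urls", "Trust Vpn", "telus", ANY, ANY, "deny",
         profile="URL Filtering (VPN use only)"),
]

# The reply's layout: one allow rule carrying the URL profile, then a catch-all deny.
SUGGESTED = [
    Rule("Telus Internet", "Trust Vpn", "telus", ANY, ANY, "allow",
         profile="URL Filtering (VPN use only)"),
    Rule("Catch-all deny", ANY, ANY, ANY, ANY, "deny"),
]

if __name__ == "__main__":
    for label, rulebase in (("original", ORIGINAL), ("suggested", SUGGESTED)):
        print(label, find_shadowed(rulebase) or "no shadowed rules")
```

The checker only reports a rule fully covered by a single earlier rule; it does not detect a rule made unreachable by the union of several earlier rules, and it ignores application and service fields, which a production rulebase would also need to compare.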
