LAN to LAN block

Wonder if the device access is overriding your rule.

What he hasn't said is where the rule is in the rule order list?

Ian

I have tried putting the rule above and below LAN <> WAN and no difference in all cases able to ping 10.10.10.1 from 172.16.16.17 

10.10.10.1 is XG's interface.

XG's interface belong Local zone, not LAN zone.

If you allow ping of LAN zone in device access, you will able to ping the XG's interface IP 10.10.10.1 from LAN.

But not allow to ping other IP in 10.10.10.0/24, since you block the LAN to LAN (10.10.10.0/24) in firewall rule.

Thats was my next layer of thinking. If I put a device on the 10.10.10.0 address this should not be pingable. 

Behind this I have a Ubquiti network which I have not connected (looking to disable NAT in next version). What I want to make sure is that users on a particular VLAN cannot access the Sophos interface or network associated with it which is why I am asking the question

Thats was my next layer of thinking. If I put a device on the 10.10.10.0 address this should not be pingable. 

Behind this I have a Ubquiti network which I have not connected (looking to disable NAT in next version). What I want to make sure is that users on a particular VLAN cannot access the Sophos interface or network associated with it which is why I am asking the question

You may set the Port3 to another zone.

So that you can control if the zone can access XG.

I can see more testing coming on

That worked I put a Pi on the 10. 10.10.0 network and the rule blocked it. Thanks