Purpose of a group firewall rulex

Hey,

Firewall groups are given for the admin's convenience as admins can group the rules for a similar purpose or source or destination etc.. 

XG follows a top-down approach when it comes to matching the traffic against the firewall rules. Firewall rules added in the group don't have any influence over the ones which aren’t. 

Whichever rule is matched first (from top to bottom) will be applicable for that specific traffic.

Hello,

I understood the top-down principle, only not in connection with the group and the rule within it.

Could you please explain it differently again?

Show us the DHCP Mapping. 

The IP 172.16.100.17 that is the controller2. Controller1 is below, so I didn't include it in the screenshot.

I checked the MAC addresses, the client address is also correct, I was on the web server with the IP address and can also see the client's MAC address. It should be the right client.

Check your Zone.

In Firewall you used Zone WIFI, the DHCP Server is Zone LAN. Change the Zone to LAN. 

Zones are still a filter, which will be used to match. 

Hi,

the source and destination networks are the same, do you have a hairpin NAT for this rule?

Also your SIP rule looks a little odd.

Ia

ok, thats it. That was the problem. I have changed the zone from sorufe Wifi to source LAN.

Ok why is that so. My thought was completely wrong. I thought, because there are WiFi devices, I also have to turn on the WiFi zone. What nonsense of me.

It remains physically but everything on LAN level and the zones are only to be filtered in advance for the services.

Is my statement correct ??? If not please correct.

What do you mean exactly ?

Zones are in principle defined by the interface. Each and every interface has to be mapped to a Zone. If you create a physical or logical interface, the firewall ask you "what zone is this?". This is to be easily able to create firewall rules.

As you can define a interface as LAN (192.168.1.0/24), you can create a firewall rule LAN to WAN, which cover LAN (All interfaces in LAN Zone) to all Internet based Interfaces (WAN). It removes the need of defining network objects for each interface or knowing the IPs etc. 

What is the hairpin for NAT ? Sorry :-)

Mhhh, sorry that I asked stupid. Network technology is not easy.

But that doesn't replace the NAT rule, does it?

Unfortunately, I didn't quite understand that. Sorry :-)

XG is a Zone based Firewall. Zones are not in any relation to NAT. 

zones are like the predefined network objects, you know of UTM9. UTM9 creates 3 objects per Interface, you create. Zones are like that just with a summary option. You can have per interface one individual zone. Or you can include 4000 Interfaces within one zone. There are pre defined zones like LAN or WIFI. But one interface can only be in one Zone. It does not separate the clients within one zone. It simply categorize the interfaces into zones. 

XG is a Zone based Firewall. Zones are not in any relation to NAT. 

zones are like the predefined network objects, you know of UTM9. UTM9 creates 3 objects per Interface, you create. Zones are like that just with a summary option. You can have per interface one individual zone. Or you can include 4000 Interfaces within one zone. There are pre defined zones like LAN or WIFI. But one interface can only be in one Zone. It does not separate the clients within one zone. It simply categorize the interfaces into zones. 

Ok, I'll try to remember that.

It looks kind of strange to me the zone principle.

It looks to me that only pre-defined services are possible in this zone.

Somehow I don't get along with the zone principle.

Is one set up a new thread.

Thank you very much for the great support, but always remember that the user-friendliness in the XG still needs to be improved, in my opinion :-), but that's another topic.

Thank you again for the good support from you. I've learned a little about it.

Greetings and thanks

The point is: Zone, user based firewall etc. is not invented by Sophos. It is a concept of next generation firewalls. Other vendors do the same. So its not about user friendliness, more likely your background with other products. Somebody coming from UTM (stateful firewall with attached modules) can get confused about this kind of interaction, but luckly, XG can do the same like UTM, if you want.