
Central managed firewall rules all with "Do not apply this migrated rule to system-destined traffic" activated option

We are creating firewall rules on Central for a series of firewalls.

All the firewalls in the group are brand new XGS running 18.5.1-326

Still, in every firewall rule we create in Central, there is the activated option "Do not apply this migrated rule to system-destined traffic", which cannot be deactivated.

On the firewalls themselves, this option is not being replicated.

Still, I would like to understand the reason for and the impact of this activated option in Central.

FormerMember

    Hi,

    Check out the recommended read below to understand more about the non-editable checkbox on migrated firewall rules that says "Do not apply this migrated rule to system-destined traffic".

    Understanding New decoupled NAT and firewall changes in v18 - Recommended Reads

    ======================================================================

    4) After upgrading to v18, I see a non-editable checkbox on migrated firewall rules that says "Do not apply this migrated rule to system-destined traffic". Why is it there?

    This is to retain the rule matching behavior of v17.x even though we have removed Business application rule type.

    In SFOS 17.x and earlier, although business application rules and user-network rules were listed in a single rule table, XG Firewall evaluated these rule types independently to find matching criteria. For system-destined traffic (example: accessing XG Firewall services) and incoming traffic (example: to internal servers) that matches a destination NAT business application rule, it ignored user-network rules and matched the traffic with business application rules.

    From v18, XG Firewall has removed the distinction between business application and user-network rules. It now offers both as firewall rules. To ensure that the consolidation does not affect the rule-matching behavior of earlier versions, it will continue to ignore migrated user-network rules positioned above migrated business application rules for system-destined traffic and incoming traffic.

    This is a read-only checkbox in the firewall rule that tells the system to retain the rule-matching behavior of v17.x even after migrating to v18.
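The precedence rule quoted above (a migrated user-network rule placed above a migrated business application rule is ignored for system-destined and DNAT-matched incoming traffic, so the flat v18 table still behaves like the two independent v17 tables) is easier to see in a small first-match simulator. The following is an added illustration written for this thread, not SFOS or Sophos Central code: the `Rule`/`Flow` classes, the `skip_for_system_destined` field that stands in for the read-only checkbox, the zone name "FW" for traffic addressed to the firewall itself, and the sample rule table are all constructed for the example, and the real matcher considers many more fields (users, schedules, DNAT lookups, web and application policies).

```python
"""Simplified model of the migrated-rule flag discussed in the thread.

Constructed illustration only: the real SFOS rule matcher has many more
fields than are modelled here. "FW" is a placeholder zone name for
traffic addressed to the firewall itself (system-destined traffic).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    service: str
    # True when the packet is addressed to the firewall itself
    # (admin console, user portal, VPN endpoint): "system-destined".
    system_destined: bool = False
    # True when an incoming packet has already matched a DNAT rule.
    dnat_incoming: bool = False


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                     # "accept" or "drop"
    src_zones: frozenset
    dst_zones: frozenset
    services: frozenset             # {"any"} or specific service names
    # Hypothetical field mirroring the read-only checkbox
    # "Do not apply this migrated rule to system-destined traffic".
    skip_for_system_destined: bool = False

    def matches(self, flow: Flow) -> bool:
        return (flow.src_zone in self.src_zones
                and flow.dst_zone in self.dst_zones
                and ("any" in self.services or flow.service in self.services))


def first_match(rules, flow, honour_flag=True):
    """Return the first matching rule, or None if nothing matches.

    With honour_flag=True, rules carrying the migrated-rule flag are skipped
    for system-destined and DNAT-matched incoming traffic, which reproduces
    the v17.x precedence of business application rules over user-network
    rules. With honour_flag=False the table is evaluated strictly top-down.
    """
    protected = flow.system_destined or flow.dnat_incoming
    for rule in rules:
        if honour_flag and protected and rule.skip_for_system_destined:
            continue
        if rule.matches(flow):
            return rule
    return None


def evaluate(rules, flow, honour_flag=True):
    """Action taken for a flow; no match falls through to an implicit drop."""
    rule = first_match(rules, flow, honour_flag)
    return rule.action if rule else "drop"


# Constructed sample rule table, in the order it would sit after migration.
RULES = [
    # Migrated user-network rule: broad "LAN to anywhere" allow. In v17 this
    # never applied to system-destined traffic, hence the flag.
    Rule("migrated user-network: LAN to any", "accept",
         frozenset({"LAN"}), frozenset({"WAN", "FW"}), frozenset({"any"}),
         skip_for_system_destined=True),
    # Migrated business application rule: only HTTPS to the firewall itself.
    Rule("migrated business app: admin HTTPS to firewall", "accept",
         frozenset({"LAN"}), frozenset({"FW"}), frozenset({"HTTPS"})),
    # Explicit catch-all drop.
    Rule("drop the rest", "drop",
         frozenset({"LAN", "WAN"}), frozenset({"FW", "WAN"}), frozenset({"any"})),
]

SSH_TO_FW = Flow("LAN", "FW", "SSH", system_destined=True)
HTTPS_TO_FW = Flow("LAN", "FW", "HTTPS", system_destined=True)
LAN_TO_WAN = Flow("LAN", "WAN", "HTTPS")

if __name__ == "__main__":
    for flow in (SSH_TO_FW, HTTPS_TO_FW, LAN_TO_WAN):
        print(f"{flow.service:>5} {flow.src_zone}->{flow.dst_zone}: "
              f"flag honoured={evaluate(RULES, flow)}, "
              f"flat top-down={evaluate(RULES, flow, honour_flag=False)}")
```

The interesting case is SSH to the firewall: evaluated strictly top-down, the broad migrated user-network rule at position 1 would shadow the narrower business application rule and accept it, whereas with the flag honoured that rule is skipped, the HTTPS-only rule does not match, and the flow is dropped, which is what the v17.x tables did. Ordinary LAN-to-WAN traffic is unaffected by the flag, and a rule created natively in v18 (flag false) is never skipped.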
