Firewall rules hierarchy. How do they work?

Hello, I don't understand how the firewall rules hierarchy works. I have created a web filtering rule that works well. Then I added another rule to restrict access to Facebook. If the Facebook rule is placed before the web filtering one, the Facebook rule works, and vice versa. They don't work at the same time. How can I solve this? Thank you.



  • The rule hierarchy works like any L3-L4 firewall: the firewall will always match the Source/Destination Zone/IP/Port first, then apply the L7 features such as web filtering and application control.

    To explain what happened in your setup: when you created a secondary rule to restrict access to Facebook on top of the older web filtering rule, any traffic that matched that Destination IP/Port went over that rule (the rule on top), which means - since it probably had WAN/ANY as destination - all traffic went over the same web filtering policy.

    In your case, if you want to apply multiple web filtering policies to a single user or network, you will need to do this either through a single firewall rule, or create two separate firewall rules with different IP/Port destinations.


    If a post solves your question use the 'Verify Answer' button.

    XG 115w Rev.3 8GB RAM v19.5 MR1 @ Home.
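The first-match behaviour described in the answer above, modelled as an added example (not code from the poster, the answerer or Sophos): a rule set is walked top to bottom, the first rule whose zones, destination network and port match wins, and only that rule's attached web policy is consulted. Rule names, blocked categories, the 198.51.100.0/24 "Facebook" range and the sample flows are all constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    name: str
    src_zone: str            # "LAN", "WAN" or "ANY"
    dst_zone: str
    dst_nets: list           # ip_network objects; empty list means ANY
    dst_ports: set           # TCP ports; empty set means ANY
    blocked_categories: set  # the L7 web policy attached to this rule

def l3l4_match(rule, flow):
    """Layer 3/4 check only: zones, destination network and destination port."""
    if rule.src_zone not in ("ANY", flow["src_zone"]):
        return False
    if rule.dst_zone not in ("ANY", flow["dst_zone"]):
        return False
    if rule.dst_nets and not any(ip_address(flow["dst_ip"]) in n for n in rule.dst_nets):
        return False
    if rule.dst_ports and flow["dst_port"] not in rule.dst_ports:
        return False
    return True

def evaluate(rules, flow):
    """First L3/L4 match wins; later rules are never consulted for this flow."""
    for rule in rules:
        if l3l4_match(rule, flow):
            verdict = "block" if flow["category"] in rule.blocked_categories else "allow"
            return rule.name, verdict
    return None, "drop"  # implicit default deny when no rule matches

def facebook_rule(nets):
    return Rule("Block Facebook", "LAN", "WAN", nets, {80, 443}, {"social networking"})

FB_NET = [ip_network("198.51.100.0/24")]  # constructed placeholder, not a real Facebook range
FILTER_RULE = Rule("Web filtering", "LAN", "WAN", [], {80, 443}, {"gambling", "adult"})
MERGED_RULE = Rule("Web filtering + Facebook", "LAN", "WAN", [], {80, 443},
                   {"gambling", "adult", "social networking"})

# Constructed sample flows: one to the placeholder Facebook range, one to a gambling site.
FACEBOOK = {"src_zone": "LAN", "dst_zone": "WAN", "dst_ip": "198.51.100.10", "dst_port": 443, "category": "social networking"}
CASINO = {"src_zone": "LAN", "dst_zone": "WAN", "dst_ip": "203.0.113.7", "dst_port": 443, "category": "gambling"}

BROKEN = [facebook_rule([]), FILTER_RULE]   # poster's setup: both rules WAN/ANY, Facebook on top
REVERSED = [FILTER_RULE, facebook_rule([])] # swapped order: Facebook is now never blocked
SPLIT = [facebook_rule(FB_NET), FILTER_RULE] # Facebook rule narrowed to specific destinations
SINGLE = [MERGED_RULE]                      # one rule, one web policy covering both needs

if __name__ == "__main__":
    for label, rules in (("broken", BROKEN), ("reversed", REVERSED), ("split", SPLIT), ("single", SINGLE)):
        print(label, evaluate(rules, FACEBOOK), evaluate(rules, CASINO))
```

In the `broken` set the casino flow is allowed because the Facebook rule catches it first and its policy says nothing about gambling; the `split` and `single` sets block both flows.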
