Firewall rules based on User Group Networks not working after upgrading to 9.501-5

Our system has one firewall rule that allows a group to access any service on the internet. The group is correctly configured with my user. This rule has not been working since upgrading to 9.501-5 last Friday.

If I add individual users in the firewall rule, I can successfully access all services.

I've already tried creating another group and adding it to the rule but it didn't work. I've tried with other users in the group as well. 

We use the authentication agent on the clients to log in. Other rules based on the groups are working (e.g. on the web filter).

I've attached some screens of the admin panel.

  • Alone among the logs, the Firewall Live Log presents abbreviated information in a format easier to read quickly.  Usually, you can't troubleshoot without looking at the corresponding line from the full Firewall log file.  Please post one line corresponding to those above, and explain where the target IP is and what it is.

    Please explain what you do to get the "(User Network)" object to be populated with an IP - are they logging in to a VPN?

    Cheers - Bob

  • Additionally, I've managed to capture the iptables rules corresponding to the firewall rules in WebAdmin. In this case, I've added my user to the firewall rule, allowing everything. It works. But it should also work if matching 4_NetAaaTiUserGroup.

    Chain USR_FORWARD (1 references)
    target prot opt source destination
    LOGACCEPT all -- anywhere anywhere match-set 4_NetAaaTiUserGroup src LOGMARK match 1
    LOGACCEPT all -- anywhere anywhere match-set 4_NetAaaDanieUserNetwo src LOGMARK match 1
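The two rules above do not match on addresses directly: each matches on an ipset ("match-set NAME src"), so a rule can only fire for a client whose address is in that set at the moment the packet arrives. The script below is an added example, not code from the original post or from the UTM: it takes a client IP and reports which of the sets referenced by USR_FORWARD contain it. The set names are the ones from the post; the rule and ipset listings are constructed sample output in the shape of `iptables -L USR_FORWARD -n` and `ipset list`, and the member 192.0.2.10 and the empty group set are assumptions for illustration only. On a real box the two sample functions would be replaced by the live commands named in the comments.

```shell
#!/bin/sh
# Added example (not from the thread or from Sophos UTM): given a client IP, report which
# of the ipsets referenced by the USR_FORWARD chain contain it. A rule that matches on
# "match-set NAME src" can only fire for a client whose address is in NAME.
#
# On a real box the live data would come from:
#   iptables -L USR_FORWARD -n      # rules of the chain
#   ipset list NAME                 # members of one set
# Both are replaced here by constructed sample output so the script runs offline.

# Constructed sample in the shape of `iptables -L USR_FORWARD -n`; the set names are
# the ones shown in the post.
sample_rules() {
  cat <<'EOF'
Chain USR_FORWARD (1 references)
target prot opt source destination
LOGACCEPT all -- anywhere anywhere match-set 4_NetAaaTiUserGroup src LOGMARK match 1
LOGACCEPT all -- anywhere anywhere match-set 4_NetAaaDanieUserNetwo src LOGMARK match 1
EOF
}

# Constructed sample in the shape of `ipset list` output. The group set is shown empty
# and the per-user set holding 192.0.2.10; both are assumptions for illustration.
sample_ipsets() {
  cat <<'EOF'
Name: 4_NetAaaTiUserGroup
Type: hash:ip
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 120
References: 1
Members:

Name: 4_NetAaaDanieUserNetwo
Type: hash:ip
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 168
References: 1
Members:
192.0.2.10
EOF
}

# Names of every set the chain matches on, in rule order.
sets_for_chain() {
  sample_rules | awk '{ for (i = 1; i < NF; i++) if ($i == "match-set") print $(i + 1) }'
}

# Member addresses of one set, one per line (no output for an empty set).
set_members() {
  sample_ipsets | awk -v want="$1" '
    /^Name: /   { cur = $2; inmem = 0; next }
    /^Members:/ { inmem = (cur == want); next }
    /^$/        { inmem = 0; next }
    inmem       { print $1 }'
}

# Exit 0 if address $1 is a member of set $2, 1 otherwise.
ip_in_set() {
  set_members "$2" | grep -qxF "$1"
}

# Check a client IP against every set in the chain. Exit 0 if at least one rule can
# match the client, 1 if none can (the traffic then falls through to later rules).
check_client() {
  ip="$1"
  hit=1
  for s in $(sets_for_chain); do
    if ip_in_set "$ip" "$s"; then
      echo "$ip is in $s: the rule on that set can match this client"
      hit=0
    else
      echo "$ip is NOT in $s: the rule on that set cannot match this client"
    fi
  done
  return $hit
}

check_client "${1:-192.0.2.10}"
```

For a single set on a real appliance, `ipset test NAME ADDRESS` answers the same membership question without parsing; the parsing version above is only there so the whole chain can be walked in one go and the example runs without iptables or ipset installed.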