Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 5 replies
  • Subscribers 2 subscribers
  • Views 2763 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Automatic Firewall Rules take Precedence?

tuscani
I have a site to site IPSEC VPN setup with automtic firewall rules enabled.. Each site has a single /24 subnet.

I have a few servers in site A that cannot talk to a few servers in site B. I setup the new firewall rules (position 1 on each side) to drop the traffic yet they can still talk to each other.. shouldn't drop rule always win?


This thread was automatically locked due to age.
  • 0
    Hi, automatic rules have priority... You'll need to disable them and manually create rules for the traffic to be allowed (below your drop rules).

    Barry
  • 0 in reply to BarryG
    Hi, automatic rules have priority... You'll need to disable them and manually create rules for the traffic to be allowed (below your drop rules).

    Barry


    Thanks , Barry.  That's what I assumed.
  • 0
    tuscani, it's part of what I call Rule #2:

    In general, a packet arriving at an interface is handled only by one of the following, in order:
    DNATs first, then VPNs and Proxies and, finally, manual Routes and Firewall rules.



    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson
    Makes sense.. ASG is the first firewall I have worked with where a deny didn't always trump everything else.. [:)]

    What's funny is the person who set these up originally have auto rules enabled but then still took the extra work to manual create dozens of rules.. lol

    Would be nice if you could see what rules are created automatically though.. did I hear a rumor that this is coming in 9.1?
  • 0
    Yes, the 9.1 beta supposedly shows the 'auto firewall rules' that the admin has turned on.

    I don't think rules for proxies (SMTP, Web Protection, etc.) will be shown though.

    Barry
Cookie Information Banner