
Automatic Firewall Rules take Precedence?

I have a site to site IPSEC VPN setup with automatic firewall rules enabled. Each site has a single /24 subnet.

I have a few servers in site A that cannot talk to a few servers in site B. I set up new firewall rules (position 1 on each side) to drop the traffic, yet they can still talk to each other. Shouldn't a drop rule always win?

  • tuscani, it's part of what I call Rule #2:

    In general, a packet arriving at an interface is handled only by one of the following, in order:
    DNATs first, then VPNs and Proxies and, finally, manual Routes and Firewall rules.



    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
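To make the ordering above concrete, here is an added toy evaluator (not Sophos code, and not from this thread) that walks a packet through the three stages in the order Bob gives. The site subnets, hosts and rules are constructed assumptions; with automatic rules on, the VPN stage accepts the site-A to site-B packet before the manual drop at position 1 is ever consulted.

```python
import ipaddress

# Constructed topology (not from the thread): site A and site B are single /24
# subnets joined by one site-to-site IPsec tunnel, as the original poster describes.
VPN_TUNNELS = [("10.1.0.0/24", "10.2.0.0/24")]

# Manual firewall rules in UI order; position 1 is the drop rule the poster added.
MANUAL_RULES = [
    {"src": "10.1.0.10/32", "dst": "10.2.0.20/32", "action": "drop"},
    {"src": "10.1.0.0/24", "dst": "10.2.0.0/24", "action": "accept"},
]


def _matches(src, dst, src_net, dst_net):
    """True if src/dst addresses fall inside the given source/destination networks."""
    return (ipaddress.ip_address(src) in ipaddress.ip_network(src_net)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(dst_net))


def evaluate(src, dst, auto_rules_enabled, dnat_rules=(),
             vpn_tunnels=VPN_TUNNELS, manual_rules=MANUAL_RULES):
    """Return (stage, action) for the first stage that claims the packet."""
    # Stage 1: DNAT. Rules are (match_src, match_dst, new_dst); none defined here.
    for match_src, match_dst, new_dst in dnat_rules:
        if _matches(src, dst, match_src, match_dst):
            return ("dnat", f"translate to {new_dst}")
    # Stage 2: VPNs (and proxies). With automatic firewall rules on, traffic between
    # a tunnel's local and remote networks is accepted here and never reaches stage 3.
    if auto_rules_enabled:
        for local, remote in vpn_tunnels:
            if _matches(src, dst, local, remote) or _matches(src, dst, remote, local):
                return ("vpn-auto", "accept")
    # Stage 3: manual routes and firewall rules, first match wins.
    for pos, rule in enumerate(manual_rules, start=1):
        if _matches(src, dst, rule["src"], rule["dst"]):
            return (f"manual-{pos}", rule["action"])
    return ("default", "drop")


if __name__ == "__main__":
    for enabled in (True, False):
        print(f"auto rules {'on ' if enabled else 'off'}:",
              evaluate("10.1.0.10", "10.2.0.20", enabled))
```

Only when the VPN's automatic rules are off does the same packet fall through to the manual rule set, where the position-1 drop matches first.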
  • Makes sense. ASG is the first firewall I have worked with where a deny didn't always trump everything else. [:)]

    What's funny is that the person who set these up originally has auto rules enabled but then still took the extra work to manually create dozens of rules. lol

    Would be nice if you could see what rules are created automatically, though. Did I hear a rumor that this is coming in 9.1?