Building smarter policies?

Hugo_vd_Kooij · ‎2017-10-06

I was trying to see if I can build smarter policies by nesting them.

This works:

You must be carefull to assign the zones correctly to all interfaces on you firewall(s) or you will be in a heap of trouble.

Not sure if it is the smartest way to do it.

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>

Hugo_vd_Kooij · ‎2017-10-06

What does not work is trying to nest VPN if they contain Remote Access VPN domains.

As the error explains:

But you can do this Site-to-Site VPN's:

That might make some sense.

Will it also make processing faster of a nested policy?

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>

Pedro_Espindola · ‎2017-10-06

Looks pretty good to me.

Just out of curiosity, why are you using those 2 additional clean up rules without log? I usually log everything except for some specific internal traffic so I can have accurate statistics.

About the verification error: Some rules with specific objects must be placed on the first layer, but I didn't know remote access was one of them. You will not gain much in performance by using an inline layer with only 2 rules.

Hugo_vd_Kooij · ‎2017-10-09

Pedro,

There is traffic hitting the firewall that I don't care about. Like the probing done from myown ISP for one. And the various probes done by Shodan as another example.

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>

Are you a member of CheckMates?

Building smarter policies?