Building smarter policies?
I was trying to see if I can build smarter policies by nesting them.
This works:
You must be careful to assign the zones correctly to all interfaces on your firewall(s) or you will be in a heap of trouble.
Not sure if it is the smartest way to do it.
- Tags:
- policy
What does not work is trying to nest VPN if they contain Remote Access VPN domains.
As the error explains:
But you can do this with Site-to-Site VPNs:
That might make some sense.
Will it also make processing of a nested policy faster?
Looks pretty good to me.
Just out of curiosity, why are you using those 2 additional clean up rules without log? I usually log everything except for some specific internal traffic so I can have accurate statistics.
About the verification error: Some rules with specific objects must be placed on the first layer, but I didn't know remote access was one of them. You will not gain much in performance by using an inline layer with only 2 rules.
Pedro,
There is traffic hitting the firewall that I don't care about. Like the probing done from my own ISP for one. And the various probes done by Shodan as another example.
