John_Fleming
Advisor

Disable verification of clean up rule - MDM - Global rules


Is there a way to disable verification of a clean up rule?

I would like to have a way to have a global "OMG" policy that is super limited in access that I could apply to a CMA. The idea is this global policy is all pre-rules (meaning they apply above local policy, not below) that say allow x, y, z and then drop everything else (clean up rule here). This way everything in local policy is dropped as well.

When I go into OMG mode we reassign and deploy. When we're done with OMG mode we apply the old global policy and local policy kicks back in.

Maybe there is a better way to think of it, but I'm pretty gassed at the moment. BTW none of the gateways in question are above R77.30.

5 Replies
PhoneBoy
Admin

Maybe use All_Internet instead of Any in the global rule?

John_Fleming
Advisor

I'll try that tomorrow!

Dang it... it's already tomorrow. I'll try that later today.

John_Fleming
Advisor

No dice! That being said, it looks like I can do an any any ANY_Service group drop and pass a rule validation.

However, it looks like there isn't an easy way to say any service in the service group. I can add range objects for TCP and UDP, but it seems like I would have to make "other" objects for each IP protocol number.

I guess there is a way to do an inspect rule for a protocol range, I just don't know the syntax at the moment.

Sounds pretty kludgy.

PhoneBoy
Admin

Why not just do ip_p >= 1?
That should cover TCP, UDP, and pretty much anything else for that matter.

John_Fleming
Advisor

Yeah, I was looking at IP filter examples and thought that was a function that required a protocol number, but not so much.

I ended up doing ip_p >= 0

And it works fine. I can deploy a drop any any Any_Protocol rule in the middle of global policy now.

One downside is everything dropped is listed as Any_Protocol (protocol/service) but I can live with that I think.

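The thread's point is about rule ordering and service matching: a global pre-rule drop only blocks the local policy's traffic if its service object actually matches every IP protocol, and a service group made of TCP and UDP ranges does not. The simulation below is an added example written for this page; it is not Check Point code and not code from either poster. It models a global pre-rule block stacked above a permissive local (CMA) policy, compares a TCP/UDP-range service group with an "Other" service whose match is `ip_p >= N` (only that one expression shape is parsed, and the real INSPECT evaluator is not reproduced), and runs constructed traffic through both. The admin network, addresses and traffic are invented for the example. It also shows the one difference between `ip_p >= 1` and `ip_p >= 0`: IANA protocol number 0 (HOPOPT).

```python
"""Simulated rulebase ordering: global pre-rules evaluated above local rules.
Added example, not Check Point code.  All networks, hosts and packets below
are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional

# IANA IP protocol numbers used by the constructed traffic.
PROTO_HOPOPT, PROTO_ICMP, PROTO_TCP, PROTO_UDP, PROTO_GRE, PROTO_ESP = 0, 1, 6, 17, 47, 50


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None


# A service object is modelled as a predicate over the packet.
Service = Callable[[Packet], bool]


def tcp_udp_group(pkt: Packet) -> bool:
    """Service group built from a TCP 1-65535 range and a UDP 1-65535 range.
    Whatever the ports, only protocols 6 and 17 can ever match it."""
    return pkt.proto in (PROTO_TCP, PROTO_UDP)


def other_service(match_expr: str) -> Service:
    """'Other' service whose match expression is 'ip_p >= N' (the form used in
    the thread).  Only that exact shape is understood by this toy parser."""
    parts = match_expr.split()
    if len(parts) != 3 or parts[0] != "ip_p" or parts[1] != ">=":
        raise ValueError("example only handles 'ip_p >= N'")
    threshold = int(parts[2])
    return lambda pkt: pkt.proto >= threshold


def tcp_port(port: int) -> Service:
    return lambda pkt: pkt.proto == PROTO_TCP and pkt.dport == port


@dataclass(frozen=True)
class Rule:
    src: str          # CIDR or "Any"
    dst: str
    service: Service
    action: str       # "accept" or "drop"


def _addr_matches(cidr: str, addr: str) -> bool:
    return cidr == "Any" or ip_address(addr) in ip_network(cidr)


def first_match(rules: List[Rule], pkt: Packet) -> str:
    """First-match evaluation; anything unmatched hits the implicit cleanup drop."""
    for r in rules:
        if _addr_matches(r.src, pkt.src) and _addr_matches(r.dst, pkt.dst) and r.service(pkt):
            return r.action
    return "drop"


def build_rulebase(any_protocol: Service) -> List[Rule]:
    """Global pre-rules (the restrictive 'OMG' policy) above the CMA's local policy."""
    global_pre = [
        Rule("10.0.0.0/24", "Any", tcp_port(22), "accept"),  # hypothetical admin jump net
        Rule("Any", "Any", any_protocol, "drop"),             # drop-everything rule ABOVE local
    ]
    local = [Rule("Any", "Any", lambda p: True, "accept")]   # permissive local policy
    return global_pre + local


# Constructed traffic: one flow per protocol family the thread worries about.
TRAFFIC: Dict[str, Packet] = {
    "admin_ssh": Packet("10.0.0.5", "192.0.2.10", PROTO_TCP, 22),
    "https_from_internet": Packet("198.51.100.7", "192.0.2.10", PROTO_TCP, 443),
    "icmp_echo": Packet("198.51.100.7", "192.0.2.10", PROTO_ICMP),
    "gre_tunnel": Packet("198.51.100.7", "192.0.2.10", PROTO_GRE),
    "esp": Packet("198.51.100.7", "192.0.2.10", PROTO_ESP),
    "hopopt_proto0": Packet("198.51.100.7", "192.0.2.10", PROTO_HOPOPT),
}


def evaluate(any_protocol: Service) -> Dict[str, str]:
    """Run every constructed flow through the rulebase built on the given 'any' service."""
    rules = build_rulebase(any_protocol)
    return {name: first_match(rules, pkt) for name, pkt in TRAFFIC.items()}


if __name__ == "__main__":
    for label, svc in (("tcp/udp range group", tcp_udp_group),
                       ("ip_p >= 1", other_service("ip_p >= 1")),
                       ("ip_p >= 0", other_service("ip_p >= 0"))):
        print(label, evaluate(svc))
```

With the TCP/UDP range group, ICMP, GRE and ESP fall through the global drop and are accepted by the local policy, which is exactly the gap the thread runs into; with `ip_p >= 1` every non-admin flow is dropped except protocol 0, and `ip_p >= 0` closes that last case as well. On a real gateway the drop log naming (Any_Protocol) noted in the last post is the cost of the single catch-all service.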