KeonNg
Participant

How to restrict traffic matched by specific rules in the Network Policy Layer from being inspected by the next policy layer

Hi All,

I was wondering whether there is any way to restrict only http/https traffic from the first layer to move on to the next policy layer, instead of allowing all traffic accepted by the first policy layer to go through the next layer's policies. The intention is to separate it out into different layers with different blade inspection.

The scenario:

Example Traffic: Internal Users < https (443) > Internet (facebook.com) 

1. Network Layer (Firewall only) = Only for normal network rules

2. URL Filtering Layer (URL Filtering & Application Control only) = Only for http & https traffic that is allowed from the Network Layer through to this layer, to perform URL Filtering inspection

This is because we don't want all traffic that hits an allow rule in the Network Layer to go on to the next policy layer if it is not http/https traffic. Because of this, we must create an any/any allow above the cleanup rule in the second layer's policies; otherwise, even though the traffic is accepted by the first layer, it will be dropped at the second layer by the cleanup rule. Therefore, we only want http/https traffic, after being allowed by the Network policy layer, to move to the next layer to perform URL Filtering & Application Control inspection.

I did select the Firewall blade only for the first layer and the Application & URL Filtering blades only for the second policy layer, but the second layer's policies are still restricted by the Firewall blade. Please refer to the images.

Best Regards

Keon

0 Kudos
4 Replies
emmap
Employee

There is no mechanism for this in ordered layers. Generally though, your Application layer would be configured as implied accept on it to save you the need for a general cleanup rule. This way you only need to worry about allowing/blocking internet traffic and anything else is silently accepted after being accepted on the Network layer.

Alternatively look at using Inline layers instead of Ordered layers.

0 Kudos
JP_Rex
Collaborator

Images missing

Regards

Peter

0 Kudos
KeonNg
Participant

Hi Peter,

You may find the images again at the top.

Best Regards,

Keon

0 Kudos
PhoneBoy
Admin

To do this with ordered layers, create another ordered layer before your Application layer that only accepts http and https traffic, blocking everything else.
Or use an inline layer to do the same thing with http/https in the top level rule.
Here's an example of what that might look like.

image.png

To create the inline layer:

image.png
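Added example, not Check Point code and not from anyone in this thread: a small Python model of ordered versus inline layers over the constructed zones Internal/Internet. It shows why an explicit any/any cleanup rule in the second ordered layer drops non-web traffic that the Network layer already accepted, and how either an implied-accept cleanup on that layer (emmap's suggestion) or an inline layer whose parent rule matches only http/https (PhoneBoy's suggestion) keeps the URL Filtering rules scoped to web traffic.

```python
# Added example (toy model, not Check Point code): ordered vs inline policy
# layers, and why a cleanup rule in the second ordered layer drops non-web flows.
from dataclasses import dataclass
from typing import List, Optional, Tuple
ANY = "Any"

@dataclass
class Rule:
    src: str
    dst: str
    services: Tuple[str, ...]         # (ANY,) matches every service
    action: str                       # "Accept", "Drop" or "Apply Layer"
    inline: Optional["Layer"] = None  # sub-layer used by an "Apply Layer" rule

    def matches(self, flow: Tuple[str, str, str]) -> bool:
        src, dst, svc = flow
        return (self.src in (ANY, src) and self.dst in (ANY, dst)
                and (ANY in self.services or svc in self.services))

@dataclass
class Layer:
    rules: List[Rule]
    implicit_cleanup: str = "Drop"    # action when no rule in the layer matches

    def decide(self, flow: Tuple[str, str, str]) -> str:
        for rule in self.rules:
            if rule.matches(flow):
                # Only flows matching the parent rule enter an inline layer,
                # so that layer's cleanup rule is scoped to them.
                return rule.inline.decide(flow) if rule.action == "Apply Layer" else rule.action
        return self.implicit_cleanup

def ordered_policy(layers: List[Layer], flow: Tuple[str, str, str]) -> str:
    # Ordered layers: every layer must accept the flow; any Drop wins.
    return "Accept" if all(layer.decide(flow) == "Accept" for layer in layers) else "Drop"
# Scenario from the thread (constructed values): internal users to the Internet.
WEB = ("http", "https")
CLEANUP = Rule(ANY, ANY, (ANY,), "Drop")
url_layer = Layer([Rule("Internal", "Internet", WEB, "Accept"), CLEANUP])  # URL Filtering/App Control
network_layer = Layer([Rule("Internal", "Internet", (ANY,), "Accept"), CLEANUP])
inline_network = Layer([
    Rule("Internal", "Internet", WEB, "Apply Layer", inline=url_layer),    # parent rule, http/https only
    Rule("Internal", "Internet", (ANY,), "Accept"),                        # everything else
    CLEANUP,
])

def compare(service: str) -> Tuple[str, str]:
    """(ordered decision, inline decision) for Internal -> Internet over `service`."""
    flow = ("Internal", "Internet", service)
    return ordered_policy([network_layer, url_layer], flow), inline_network.decide(flow)
```

Running `compare("dns")` gives `("Drop", "Accept")`: the ordered cleanup drops it, the inline design lets it through on the Network layer's own accept rule.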
