Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
B_P
Advisor
Jump to solution

"Internet" object != Internet?

R80.10 - I have a single policy that has the Firewall and App & URL Filtering blades enabled on it. In that policy I have a rule that says Allow for destination Internet. My Internet-bound traffic is blocked by my cleanup rule. What am I missing here?

p.s. I'm not asking how to allow internet access.. I've seen that post and I can make it work with other methods. I'm trying to understand how CP is processing the rules here.

1 Solution

Accepted Solutions
B_P
Advisor

I figured it out -- the App / URL blades were, in fact, not enabled.

So if you don't have them enabled and create a unified policy -- you can install said policy, but the rules will essentially be ignored without any indication that they are being ignored. Surprised, not surprised.

View solution in original post

9 Replies
Kyle_Danielson
Employee
Employee

The Internet object in the Application Control & URL Filtering policy actually only applies to traffic that's leaving an interface marked as external.

I would check the topology settings on the Gateway object and make sure your interface-facing interface is marked external.

0 Kudos
Timothy_Hall
Legend Legend
Legend

Traffic going to DMZ networks that have the checkbox "leads to DMZ" checked will also match object "Internet" in a APCL/URLF layer.  This was covered extensively in my book, see:

sk102675: When using "Internet" object as destination in Application Control rule to block an applic...

sk108057: What does the box "Interface leads to DMZ" control in interface topology?

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
B_P
Advisor

My internet-facing interface was already marked external. There is no DMZ.

B_P
Advisor

Any other ideas?

Tomer_Sole
Mentor
Mentor

- would you mind printing the gateway editor --> network management --> "eth0" interface properties? does its editor mention "leads to internet"?

- if this is an R80.10 gateway, the "more" part in the log card contains the source zone. If the zone is not External, that would be the root cause of the match on the cleanup rule.

hope this helps.

0 Kudos
B_P
Advisor

eth0 - "This network" - Management LAN

eth1 - "External" - Public WAN

eth2 - DefinedNetworkGroup - Various Private LANs

eth3 - "This network" - End-user LAN

There is nothing about zone in the log -- just ID, ID Generated By Indexer, First, Sequencenum, Db Tag, Logid, Description.

0 Kudos
B_P
Advisor

I figured it out -- the App / URL blades were, in fact, not enabled.

So if you don't have them enabled and create a unified policy -- you can install said policy, but the rules will essentially be ignored without any indication that they are being ignored. Surprised, not surprised.

Tomer_Sole
Mentor
Mentor

You're going to get a warning, not an error, during install policy. We have plans to emphasize this in later releases.

0 Kudos
B_P
Advisor

I wish I got a warning. All I get it is a green check mark:

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events