Thank you for your answer.
I understand that I have to define explicit rules for any traffic in strict mode, but I don't understand the basic concept.
You said we have to put an outgoing and an incoming rule for the unencrypted traffic (which makes sense in strict mode).
But in which section do I have to put my rules?
If we don't use the application control, we just use incoming and outgoing rules in the "Incoming, Internal and VPN traffic" section and it's working correctly. As soon as we activate the application control, we have to add rules in the "Outgoing access to the Internet" section to allow the outgoing (VPN) traffic.
We would like to activate application control only for outgoing Internet traffic and not for VPN traffic. Is there any possibility to implement this?
I also don't understand the traffic flow.
How exactly does it work with the different firewall blades, is the following sequence correct?
Outgoing:
1.) Firewall blade (unencrypted traffic)
2.) Application control (unencrypted traffic)
3.) VPN blade (encrypts the traffic)
Incoming:
1.) VPN blade (decrypts the traffic)
2.) Firewall blade (unencrypted traffic)
3.) Application control (unencrypted traffic)
Maybe we can discuss this with a little example:
I've got two networks connected via Site-to-Site VPN tunnel.
- local network: 192.168.1.0/24
- remote network: 10.0.0.0/24
I would like to allow any traffic between the local and the remote network.
In addition, packets which are destined to the Internet should be checked by the application control.
Where and how do I have to put my rules so that the following behaviour works properly:
This has to work:
- SSH session from 192.168.1.10 to 10.0.0.10
- RDP session from 192.168.1.20 to 10.0.0.20
This mustn't work:
- RDP session from 192.168.1.10 to 88.88.88.88
- client connection to www.virus-downloader.ru
I hope you understand what we want to achieve.
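To make the intended policy of the example above concrete, here is a small added simulation (not code from the original post or from the firewall vendor) of the two-stage evaluation the poster is asking for: an ordered network rulebase with an implicit drop at the end (the "strict mode" assumption), followed by an application-control check that is applied only to Internet-bound traffic and skipped for traffic between the two VPN networks. The rule layout, the rulebase order and the blocked-site list are assumptions chosen to reproduce the four test cases in the question; the public addresses 203.0.113.5 and 192.168.1.30 are constructed.

```python
"""Model of a strict-mode rulebase plus application control for the example in the question.

Assumption: the firewall evaluates an ordered network rulebase first (first match wins,
implicit drop if nothing matches), and application control is only consulted for flows
that are not VPN traffic between the local and the remote network.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Union

# Networks taken from the question
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")
REMOTE_NET = ipaddress.ip_network("10.0.0.0/24")
VPN_NETS = (LOCAL_NET, REMOTE_NET)

SSH, RDP, HTTP, HTTPS = 22, 3389, 80, 443
ANY = "any"

Net = Union[str, ipaddress.IPv4Network]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    host: Optional[str] = None   # hypothetical: hostname seen by application control


@dataclass(frozen=True)
class Rule:
    src: Net
    dst: Net
    dport: Union[int, str]       # port number or ANY
    action: str                  # "accept" or "drop"

    def matches(self, flow: Flow) -> bool:
        return (
            _in_net(self.src, flow.src)
            and _in_net(self.dst, flow.dst)
            and (self.dport == ANY or self.dport == flow.dport)
        )


def _in_net(net: Net, ip: str) -> bool:
    return net == ANY or ipaddress.ip_address(ip) in net


# Assumed explicit rules: strict mode means everything not listed here is dropped.
NETWORK_RULES = [
    Rule(LOCAL_NET, REMOTE_NET, ANY, "accept"),   # any traffic local -> remote (VPN)
    Rule(REMOTE_NET, LOCAL_NET, ANY, "accept"),   # any traffic remote -> local (VPN)
    Rule(LOCAL_NET, ANY, RDP, "drop"),            # explicit: no RDP towards the Internet
    Rule(LOCAL_NET, ANY, HTTP, "accept"),         # web traffic to the Internet
    Rule(LOCAL_NET, ANY, HTTPS, "accept"),
]

# Assumed application-control policy (constructed for the example)
BLOCKED_SITES = {"www.virus-downloader.ru"}


def is_vpn_traffic(flow: Flow) -> bool:
    """True when both endpoints lie inside the site-to-site VPN networks."""
    s, d = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    return any(s in n for n in VPN_NETS) and any(d in n for n in VPN_NETS)


def evaluate(flow: Flow) -> tuple:
    """Return (stage, decision) for the first stage that makes a final decision."""
    first = next((r for r in NETWORK_RULES if r.matches(flow)), None)
    if first is None:
        return ("firewall", "drop")            # implicit cleanup rule (strict mode)
    if first.action == "drop":
        return ("firewall", "drop")
    if is_vpn_traffic(flow):
        return ("vpn", "accept")                # goes into the tunnel, app control skipped
    if flow.host in BLOCKED_SITES:
        return ("appcontrol", "drop")
    return ("appcontrol", "accept")


if __name__ == "__main__":
    cases = [
        Flow("192.168.1.10", "10.0.0.10", SSH),
        Flow("192.168.1.20", "10.0.0.20", RDP),
        Flow("192.168.1.10", "88.88.88.88", RDP),
        Flow("192.168.1.30", "203.0.113.5", HTTPS, host="www.virus-downloader.ru"),
        Flow("192.168.1.10", "88.88.88.88", SSH),   # nothing allows this: implicit drop
    ]
    for c in cases:
        print(c, "->", evaluate(c))
```

The last case is the one strict mode is about: SSH towards the Internet is neither allowed nor explicitly denied, so it falls through to the implicit drop. Whether the real product orders the blades the way the question proposes is exactly what the poster is asking; the model only fixes that order as an assumption so the four required outcomes can be checked.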