Hugo_vd_Kooij
Advisor

Building smarter policies?

I was trying to see if I can build smarter policies by nesting them.

This works:

You must be careful to assign the zones correctly to all interfaces on your firewall(s) or you will be in a heap of trouble.

Not sure if it is the smartest way to do it.

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
0 Kudos
3 Replies
Hugo_vd_Kooij
Advisor

What does not work is trying to nest VPN if they contain Remote Access VPN domains.

As the error explains:

But you can do this with Site-to-Site VPNs:

That might make some sense.

Will it also make processing of a nested policy faster?

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
0 Kudos
Pedro_Espindola
Advisor

Looks pretty good to me.

Just out of curiosity, why are you using those 2 additional clean up rules without log? I usually log everything except for some specific internal traffic so I can have accurate statistics.

About the verification error: Some rules with specific objects must be placed on the first layer, but I didn't know remote access was one of them. You will not gain much in performance by using an inline layer with only 2 rules.

0 Kudos
Hugo_vd_Kooij
Advisor

Pedro,

There is traffic hitting the firewall that I don't care about. Like the probing done from my own ISP, for one. And the various probes done by Shodan, as another example.

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
0 Kudos