
Building smarter policies?

I was trying to see if I can build smarter policies by nesting them.

This works:

You must be careful to assign the zones correctly to all interfaces on your firewall(s) or you will be in a heap of trouble.

Not sure if it is the smartest way to do it.

3 Replies

What does not work is trying to nest VPN if they contain Remote Access VPN domains.

As the error explains:

But you can do this with Site-to-Site VPNs:

That might make some sense.

Will it also make processing of a nested policy faster?


Looks pretty good to me.

Just out of curiosity, why are you using those 2 additional cleanup rules without logging? I usually log everything except for some specific internal traffic so I can have accurate statistics.

About the verification error: Some rules with specific objects must be placed on the first layer, but I didn't know remote access was one of them. You will not gain much in performance by using an inline layer with only 2 rules.

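The policy layout the thread is discussing, as an added illustration that is not part of any post above and not Check Point code: a small Python model of an ordered layer whose zone-based parent rule hands connections to an inline layer. It shows the two points raised in the thread, that a connection matched by the parent rule is decided inside the inline layer (its cleanup is final, later rules of the parent layer are never reached, so a two-rule inline layer is a real decision point even if not a performance win), and that traffic arriving on an interface with no zone assigned never matches a zone object and falls through to the ordered layer's cleanup. The zone names are the Check Point defaults (InternalZone, ExternalZone, DMZZone); the rule names, the "scanner noise" CIDR and the sample connections are constructed, and the implicit cleanup is modeled as an unlogged drop, which is an assumption of this model.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

ANY = "Any"


@dataclass
class Conn:
    """One connection as the rulebase sees it. A None zone models an
    interface that was never assigned a security zone."""
    src_zone: Optional[str]
    dst_zone: Optional[str]
    service: str
    src_ip: str = "192.0.2.1"   # constructed TEST-NET-1 default


@dataclass
class Layer:
    name: str
    rules: List["Rule"] = field(default_factory=list)


@dataclass
class Rule:
    name: str
    src: str = ANY                        # security zone name or Any
    dst: str = ANY
    service: str = ANY
    action: str = "Accept"                # Accept | Drop | Apply Layer
    log: bool = True                      # Track column: Log (True) or None (False)
    inline: Optional[Layer] = None        # target layer when action == Apply Layer
    src_nets: Optional[List[str]] = None  # optional CIDR list narrowing the source

    def matches(self, c: Conn) -> bool:
        def zone_ok(want: str, have: Optional[str]) -> bool:
            # A zone object only matches traffic whose interface carries that
            # zone; an interface with no zone (None) never matches one.
            return want == ANY or have == want

        if not zone_ok(self.src, c.src_zone) or not zone_ok(self.dst, c.dst_zone):
            return False
        if self.service not in (ANY, c.service):
            return False
        if self.src_nets is not None:
            ip = ipaddress.ip_address(c.src_ip)
            if not any(ip in ipaddress.ip_network(n) for n in self.src_nets):
                return False
        return True


@dataclass
class Verdict:
    action: str
    path: str       # rule names traversed, outer > inner
    logged: bool


def evaluate(layer: Layer, c: Conn) -> Verdict:
    """First-match evaluation of a layer, descending into inline layers."""
    for r in layer.rules:
        if not r.matches(c):
            continue
        if r.action == "Apply Layer":
            # Once the parent rule matches, the inline layer is final: the
            # connection does not come back to later rules of this layer.
            inner = evaluate(r.inline, c)
            return Verdict(inner.action, f"{r.name} > {inner.path}", inner.logged)
        return Verdict(r.action, r.name, r.log)
    # Implicit cleanup, modeled as an unlogged drop (assumption of this model);
    # add an explicit cleanup rule, as below, when you want drops logged.
    return Verdict("Drop", f"{layer.name} implicit cleanup", False)


def build_policy() -> Layer:
    """Zone-based parent rule, inline layer with its own logged cleanup, an
    unlogged drop for known scanner noise, and a logged final cleanup."""
    outbound = Layer("Outbound", [
        Rule("Web", service="https"),
        Rule("DNS", service="dns"),
        Rule("Outbound cleanup", action="Drop"),                 # logged
    ])
    return Layer("Network", [
        Rule("Scanner noise", src="ExternalZone", action="Drop", log=False,
             src_nets=["198.51.100.0/24"]),                      # constructed range
        Rule("Internal to Internet", src="InternalZone", dst="ExternalZone",
             action="Apply Layer", inline=outbound),
        Rule("Mail relay", src="InternalZone", dst="ExternalZone",
             service="smtp"),     # never reached for zoned internal hosts
        Rule("Cleanup", action="Drop"),                          # logged
    ])


def demo() -> dict:
    """Constructed sample connections run through the policy."""
    policy = build_policy()
    samples = {
        "web": Conn("InternalZone", "ExternalZone", "https", "10.0.0.5"),
        "smtp": Conn("InternalZone", "ExternalZone", "smtp", "10.0.0.5"),
        "scanner": Conn("ExternalZone", "DMZZone", "https", "198.51.100.7"),
        "other_probe": Conn("ExternalZone", "DMZZone", "ssh", "203.0.113.9"),
        "no_zone": Conn(None, "ExternalZone", "https", "10.0.1.5"),
    }
    return {k: evaluate(policy, c) for k, c in samples.items()}


if __name__ == "__main__":
    for name, v in demo().items():
        print(f"{name:12} {v.action:6} log={str(v.logged):5} via {v.path}")
```

Two results are the ones worth noticing: the "smtp" connection is dropped by the inline layer's cleanup even though a matching accept rule ("Mail relay") sits further down the parent layer, and the "no_zone" connection from an interface without a zone skips every zone-based rule and lands on the final cleanup, which is the trouble the first post warns about.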


There is traffic hitting the firewall that I don't care about. Like the probing done from my own ISP for one. And the various probes done by Shodan as another example.
