This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Hugo_vd_Kooij
Advisor
‎2017-10-06 04:09 AM

Building smarter policies?

I was trying to see if I can build smarter policies by nesting them.

This works:

You must be carefull to assign the zones correctly to all interfaces on you firewall(s) or you will be in a heap of trouble.

Not sure if it is the smartest way to do it.

0 Kudos
Reply
3 Replies
Hugo_vd_Kooij
Advisor
‎2017-10-06 04:42 AM

What does not work is trying to nest VPN if they contain Remote Access VPN domains.

As the error explains:

But you can do this Site-to-Site VPN's:

That might make some sense.

Will it also make processing faster of a nested policy?

0 Kudos
Reply
Pedro_Espindola
Advisor
‎2017-10-06 07:54 AM

Looks pretty good to me.

Just out of curiosity, why are you using those 2 additional clean up rules without log? I usually log everything except for some specific internal traffic so I can have accurate statistics.

About the verification error: Some rules with specific objects must be placed on the first layer, but I didn't know remote access was one of them. You will not gain much in performance by using an inline layer with only 2 rules.

0 Kudos
Reply
Hugo_vd_Kooij
Advisor
‎2017-10-09 12:39 AM
In response to Pedro_Espindola

Pedro,

There is traffic hitting the firewall that I don't care about. Like the probing done from myown ISP for one. And the various probes done by Shodan as another example.

0 Kudos
Reply