Who rated this post

cancel
Showing results for 
Search instead for 
Did you mean: 
PhoneBoy
Admin
Admin

Source/destination fields can contain both zones and IP addresses in the same cell.
Service field can contain both "services" (mostly port-based with handlers for some of them), and "applications" (which use Layer 7 signatures).
However, these are treated as "or" and not "and" as you seem to be suggesting you need.

If you're trying to match zone AND IP as part of a source/destination (meaning traffic must match both zone and IP), you will need to break it into two rules and use Inline Layers similar to:

image.png

In the main policy, Rule 3 matches if the source/destination zones are InternalZone and ExternalZone respectively.
If this rule does not match, the 3.x rules are skipped.
If this rule matches, then the subrules apply (for example 3.1 allows traffic between test and test2 and 3.2 blocks all other traffic from Internal Zone to External Zone).

To add an Inline Layer, change the action to Inline Layer and select the relevant blade(s) that will be active on that inline layer.

There are a couple limits on policy layers: can't push them gateway versions prior to R80 and you can have a total of 251 layers in an Access Policy.

(1)
Who rated this post