Exclude one internal IP from all checks


Little question: is there a simple solution to temporarily exclude one internal IP (one computer) from absolutely all checks (packet rules, policy, etc.)?
Without having to create exceptions in each packet rule/proxy?

The idea would be to have a "rule" that I could activate on demand to bypass anything that might slow down or block outgoing traffic (for ALL protocols, not only TCP and UDP), so I could run tests as if my computer were connected directly to the ISP router, without going through the Firebox.
(Of course, the hardware limitations imposed by the Firebox still remain.)

For example, to test the "real" speed of the ISP's box without the speed limitations caused by the Firebox's antivirus scan, or to test VPNs (GRE protocols & co).

I thought of something like putting an unused interface in the DMZ, and using a VLAN to connect my PC to this DMZ, but it's not the easiest thing to do :)

My main problem is that it's a remote site, and I'd like to avoid having to move every time I need to check that a problem isn't caused by a Firebox setting by bypassing it.

Ideas? :)



  • Add an Any packet filter, From: the desired IP addr To: Any-external, and have that policy at the top of your policy list.
    You can disable that policy when not needed, and change the source IP addr as needed.

  • OK, I'm silly :)
    I'd tried a rule like this, but it didn't work, as I'd forgotten to change the policy order list.
    Of course it works much better with the rule at the top of the list :D
    Thanks Bruce!
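To make the ordering point concrete, here is an added example (not from the thread or from WatchGuard) that models a first-match policy list with constructed policies: an "Any" bypass filter for one test host, an HTTP proxy with AV scanning, and a TCP/UDP outgoing policy. Host addresses and policy names are made up; the evaluator is a simplified model, not the Firebox's actual engine.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional, Union

ANY = "Any"  # wildcard for source and protocol, like the Any packet filter

@dataclass(frozen=True)
class Policy:
    name: str
    source: str                       # host/CIDR string, or ANY
    protocols: Union[frozenset, str]  # {"tcp", "udp", "gre", ...}, or ANY
    dst_port: Optional[int]           # None matches every port
    action: str                       # "allow", "allow+proxy" (inspected), "deny"
    enabled: bool = True

    def matches(self, src: str, proto: str, port: Optional[int]) -> bool:
        if not self.enabled:
            return False
        if self.source != ANY and ip_address(src) not in ip_network(self.source):
            return False
        if self.protocols != ANY and proto not in self.protocols:
            return False
        return self.dst_port is None or self.dst_port == port

def evaluate(policies, src, proto, port=None):
    """First match from the top wins; anything unmatched hits the implicit deny."""
    for p in policies:
        if p.matches(src, proto, port):
            return p.name, p.action
    return "implicit-deny", "deny"

# Constructed sample policies (not a real Firebox configuration export)
TEST_HOST = "10.0.1.50"
BYPASS = Policy("Bypass-test-PC", TEST_HOST + "/32", ANY, None, "allow")
HTTP_PROXY = Policy("HTTP-proxy-AV", ANY, frozenset({"tcp"}), 80, "allow+proxy")
OUTGOING = Policy("Outgoing", ANY, frozenset({"tcp", "udp"}), None, "allow")

def policy_list(bypass_on_top: bool, bypass_enabled: bool = True):
    """Build the ordered list with the bypass at the top or at the bottom."""
    bypass = replace(BYPASS, enabled=bypass_enabled)
    rest = [HTTP_PROXY, OUTGOING]
    return [bypass] + rest if bypass_on_top else rest + [bypass]

if __name__ == "__main__":
    for top in (False, True):
        pols = policy_list(top)
        print("bypass on top:", top)
        print("  HTTP from test PC  ->", evaluate(pols, TEST_HOST, "tcp", 80))
        print("  GRE  from test PC  ->", evaluate(pols, TEST_HOST, "gre"))
        print("  HTTP from other PC ->", evaluate(pols, "10.0.1.20", "tcp", 80))
    print("bypass disabled, GRE ->", evaluate(policy_list(True, False), TEST_HOST, "gre"))
```

With the bypass below the proxy, the test PC's HTTP traffic still lands on the AV-scanning proxy (the failure described above), while placing it at the top sends all of that host's traffic, GRE included, through the plain allow; disabling the policy restores normal handling without editing anything else.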