Firewall Policies - Application Control - more Options for alternative action
Hello WatchGuard Team,
Instead of choosing between "Use Global Action", "Allow Connection" and "Drop Connection" as the value for the field when application does not match under Application Control, I would like to have an option like "Search next Policy".
I think this way, it would be possible to create more granular policies. Now I'm trying to limit by destination IP/FQDN to reach my goal, which seems limited in comparison. Both in combination would be an awesome option.
Thanks in advance
Michael
Comments
Hi Michael,
The way the transparent proxy works, we must already be passing the data thru the proxy in order to detect what type of traffic it is. Resetting the connection to move it to another policy would likely break most connections rather than allow them to be moved to another policy.
The only actions that can really be taken once traffic has matched a policy are to Allow or Deny/Drop the traffic. The Block action is just Deny/Drop with an add to the blocked sites list. (You can also throttle, but this just invokes a traffic management action on that policy.)
If you're looking for a way to further limit what goes into a policy, I'd suggest looking at the custom address option inside of the TO/FROM in each policy. This allows you to set multiple conditions (like address and interface) instead of just one in that field.
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/policies/policy_defn_add_new_c.html
-James Carson
WatchGuard Customer Support
Hi James,
Thank you for your response.
We now better understand the limitations of the used proxy technology. The suggested way to limit the from/to addresses is already used, as written above.
New policies can sometimes be slow to set up due to the restriction, as both the firewall and the DNS server logs have to be checked to get the needed IPs/FQDNs. Other providers such as Microsoft use the same servers for different services.
By restricting based on services, we could probably set up our policies more quickly and flexibly, and applications could be transparently assigned depending on group membership.
Due to the way the transparent proxy works, we will continue to set up multiple policies with additional conditions to achieve our goal while accepting a few limitations.
Greetings
Michael