policy set up

XYLITOLXYLITOL
in Firebox - Networking, Multi-Wan, VLAN, NAT, SD-WAN

Hello.

I have a firewall policy set up for ↓.
My assumption is that all traffic flows through policy 2 (Primary WAN), but it is also flowing through policy 3 (Any-Out).
Please let me know the cause.

policy

1.Secondary WAN
From:Any-Trusted,Trusted
To:FQDN
SD-WAN Action Interface:Optional-4

2.Primary WAN
From:Any-Trusted,Trust
To:Any-Untrusted,Untrust
SD-WAN Action Interface: Untrust

3.Any-Out
From:Any-Trusted,Trust
To:Any-Untrusted,Untrust,Optional-4

Alias

LAN:Any-Trusted,Trust
WAN1:Any-Untrusted,Untrust
WAN2:Optional-4

The actual log displayed in the traffic monitor is shown below.
Allow 192.168.10.15 172.65.212.243 HTTP Protocol over TLS SSL 53897 443 Trust Optional-4 Application identified 40 56 (Any-out-00)
Allow 192.168.10.15 35.186.224.24 unknown 61921 443 Trust Optional-4 Application identified 1278 126 (Any-out-00)
Allow 192.168.10.22 23.246.47.164 Netflix 52877 443 Trust Optional-4 Application identified 1420 126 (Any-out-00)
Allow 192.168.10.22 142.251.42.170 Google APIs(SSL) 52850 443 Trust Optional-4 Application identified 422 126 (Any-out-00)

Comments

  • Bruce_BriggsBruce_Briggs

    As I said in an earlier post - you need to specify Any-external instead of a specific WAN interface on an outgoing policy when using Multi-WAN. Otherwise unexpected routing occurs, such as you are seeing.

    On policy 2, replace "To:Any-Untrusted,Untrust" with "To:Any-external" and review the results.

  • XYLITOLXYLITOL

    On policy 2, replace “To:Any-Untrusted,Untrusted” with “To:Any-external” and review the results. I guess I need to change the alias “Untrust” to “external” first.

  • Bruce_BriggsBruce_Briggs

    Not needed.
    Try what I recommended

  • XYLITOLXYLITOL

    Thank you!
    I changed the policy as you recommended and it works fine.
    What interface are you referring to by Any-External, I was under the impression that External specified two lines.

  • Bruce_BriggsBruce_Briggs

    Any-External is a predefined alias.
    You can select it in the To: field

    Review this:
    About Aliases
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/policies/aliases_about_c.html

  • Bruce_BriggsBruce_Briggs
    edited November 26

    The Any-external etc. predefined aliases were introduced in V8.0.
    Discussion at the time, on the long gone user forum at that time, from members of the WG staff, recommended using Any-external etc. instead of the older External etc. aliases because it was thought to be more clear that the new alias would include all interfaces for that type.

    You will see the Any- aliases used in the policies set up on a new firewall, instead of the one without the Any- prefix.

Sign In to comment.