Rules and BOVPN Priority

I haven't implemented this yet as I am just thinking it out for now. I want to deny Internet access for everything above a certain IP address, let's say .100 and higher. But these same IPs should still have access via BOVPNs (incoming and outgoing).

My thoughts are that there would be a rule to deny them to the Internet, but that rule would be below the BOVPN rules because if they are above, then they will also block BOVPN access, correct?

Thank you for any feedback!

Comments

  • For non-Virtual BOVPNs, the BOVPN allow policy is essentially for the private subnets at the other end of the BOVPN, so I would not expect that a Deny to Any-external would block this traffic.
    I believe that the same is true for Virtual BOVPNs.
    However, having the BOVPN allow policies above the deny should guarantee the access.

  • Thank you very much as always. Good to know about the BOVPN allow policy. I'll try it as I originally explained it and expect to have no issues. :) Thank you again.

  • So I set up a rule as a test that would block all traffic from a particular IP address to Any External interface. But what seems to happen is that it is denying access from Internal and Trusted interfaces as well. The policy rule is above the default outgoing rule that allows anything. Not sure what I did wrong here. Would love some insight or thoughts.

  • please post a sample deny message from Traffic Monitor

  • So this is getting weird. Now the same rule set up the same way is allowing internal traffic, even to external--and nothing about this IP shows up in traffic monitor. Rule is as follows: Enabled, Connections Denied, From IP address to External1 and External2 (both individually specified, and the only configured external interfaces). When I ping from the IP address out to 8.8.8.8, it works fine. Pinging to other external IPs also works. I don't get it. And now there is no problem accessing the device via Internal and Trusted interfaces.

  • Maybe I should back up and ask how the following rule should be implemented--block any external requests from a single internal ip address, but allow internal traffic. I thought I had it set up correctly, but I'm beginning to doubt everything now.

  • Do you have a ping policy near the top of your policy list?

  • I never got notifications to this thread, but wanted to update since it will probably help someone else. Yes, I had a ping policy near the top of the list, so when using ping to see if a device is blocked or not, pings would go through. The reality is that the IP was blocked from all other traffic and was working properly. Thank you Bruce! You were on the right track!
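The lesson of the thread is about first-match policy evaluation: the policy list is read top to bottom, the first policy that matches a packet decides its fate, and any policy further down is shadowed for that packet. The following is an added illustration written for this page, not WatchGuard code or anything from the original poster. It is a toy evaluator that assumes manual policy ordering, and the interface names (External1, External2, Trusted, Optional), the host 192.168.1.150 and the policy table are all constructed for the example; the model ignores Fireware details such as aliases, schedules and automatic policy ordering.

```python
"""Toy first-match policy evaluator (added example, not Fireware code).

Shows why a Ping policy near the top of the list makes a Deny policy look
broken when ping is the test tool: ICMP matches the Ping policy first, while
every other protocol from the same host falls through to the Deny.
All names, addresses and policies below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Policy:
    name: str
    action: str              # "Allow" or "Deny"
    protocols: frozenset     # e.g. {"icmp"}, {"tcp/443"} or {"any"}
    src: str                 # "any" or a CIDR such as "192.168.1.150/32"
    dst_ifaces: frozenset    # destination interface names, or {"any"}


@dataclass(frozen=True)
class Packet:
    protocol: str
    src_ip: str
    dst_iface: str


def matches(policy: Policy, pkt: Packet) -> bool:
    """True if the packet satisfies every field of the policy."""
    proto_ok = "any" in policy.protocols or pkt.protocol in policy.protocols
    src_ok = policy.src == "any" or ip_address(pkt.src_ip) in ip_network(policy.src)
    dst_ok = "any" in policy.dst_ifaces or pkt.dst_iface in policy.dst_ifaces
    return proto_ok and src_ok and dst_ok


def evaluate(policies, pkt: Packet):
    """First-match semantics: return (action, policy name) of the first hit,
    or the implicit default deny when nothing matches."""
    for p in policies:
        if matches(p, pkt):
            return p.action, p.name
    return "Deny", "implicit default deny"


def trace(policies, pkt: Packet):
    """Every policy that would match, in list order. The first entry fires;
    the rest are shadowed for this packet, which is what to look at when a
    Deny seems not to work."""
    return [p.name for p in policies if matches(p, pkt)]


# Constructed policy table (hypothetical names and addresses).
PING = Policy("Ping", "Allow", frozenset({"icmp"}), "any", frozenset({"any"}))
BLOCK_HOST = Policy("Block-150-to-Internet", "Deny", frozenset({"any"}),
                    "192.168.1.150/32", frozenset({"External1", "External2"}))
OUTGOING = Policy("Outgoing", "Allow", frozenset({"any"}), "any",
                  frozenset({"External1", "External2"}))
INTERNAL = Policy("Trusted-Optional", "Allow", frozenset({"any"}), "any",
                  frozenset({"Trusted", "Optional"}))

AS_TESTED = [PING, BLOCK_HOST, OUTGOING, INTERNAL]   # order described in the thread
DENY_FIRST = [BLOCK_HOST, PING, OUTGOING, INTERNAL]  # Deny moved above Ping

# Constructed test packets from the blocked host and from another host.
PING_OUT = Packet("icmp", "192.168.1.150", "External1")
HTTPS_OUT = Packet("tcp/443", "192.168.1.150", "External1")
HTTPS_INTERNAL = Packet("tcp/443", "192.168.1.150", "Trusted")
OTHER_HOST_OUT = Packet("tcp/443", "192.168.1.20", "External2")

if __name__ == "__main__":
    for label, table in (("as tested", AS_TESTED), ("deny first", DENY_FIRST)):
        print(f"--- policy order: {label}")
        for pkt in (PING_OUT, HTTPS_OUT, HTTPS_INTERNAL, OTHER_HOST_OUT):
            action, by = evaluate(table, pkt)
            print(f"{pkt.protocol:8} {pkt.src_ip:15} -> {pkt.dst_iface:9} "
                  f"{action:5} by {by}; matching chain: {trace(table, pkt)}")
```

With the order from the thread, ping from the blocked host to External1 is allowed by the Ping policy while tcp/443 to the same interface is denied, and traffic to Trusted is still allowed, which is exactly the behaviour reported. Moving the Deny above Ping changes only the ICMP result. When a Deny appears to be ignored, look at the full matching chain rather than the Deny alone, and test with the protocol you actually intend to block, not with ping.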
