Firewall Rules within Firewall Rules

As an MSP, it's quite annoying to have to make two independent rules instead of being able to make firewall rules inside another FW rule. It would let us clean up the FW rules per customer, etc.

I.e., you could have FW Rule 1, then 1A, 1B, 1C, 1D, and things are evaluated top down like:

1A
1B
1C
1D

2A
3
4
5A
5B

Maybe make it possible where secondary rules inside a primary rule only apply to the main rule, so a deny all perhaps at 1D doesn't impact rules under 2.
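The scoped evaluation the post is asking for, written out as a small added model (this is not WatchGuard code and does not reflect how Fireware evaluates policies): each group carries a scope network, its sub-rules are tried top down only when the scope matches, and a trailing deny-all inside group 1 can never fire for traffic that belongs to group 2 or to the global rules below. Rule names, networks and ports are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple, Union

@dataclass
class Rule:
    name: str
    action: str                     # "allow" or "deny"
    src: str = "0.0.0.0/0"          # source network the rule matches
    dst_port: Optional[int] = None  # None matches any destination port

    def matches(self, src_ip: str, port: int) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and (self.dst_port is None or self.dst_port == port))

@dataclass
class Group:
    name: str
    scope: str          # traffic must come from this network for the group to apply
    rules: List[Rule]   # sub-rules, evaluated top down only inside the scope

# Constructed sample policy: group 1 is customer A, group 2 is customer B,
# rules 3 and 4 are global (hypothetical values, not from the thread).
POLICY: List[Union[Group, Rule]] = [
    Group("1", "10.1.0.0/16", [
        Rule("A", "allow", dst_port=443),
        Rule("B", "allow", dst_port=53),
        Rule("C", "allow", src="10.1.0.0/24", dst_port=22),
        Rule("D", "deny"),              # deny-all, scoped to customer A only
    ]),
    Group("2", "10.2.0.0/16", [
        Rule("A", "allow", dst_port=443),
    ]),
    Rule("3", "allow", dst_port=80),
    Rule("4", "deny", dst_port=25),
]

def evaluate(src_ip: str, port: int) -> Tuple[str, str]:
    """First match wins; a group's sub-rules run only when its scope matches."""
    for entry in POLICY:
        if isinstance(entry, Group):
            if ip_address(src_ip) not in ip_network(entry.scope):
                continue                # out of scope: group 1's deny-all cannot fire
            for rule in entry.rules:
                if rule.matches(src_ip, port):
                    return entry.name + rule.name, rule.action
        elif entry.matches(src_ip, port):
            return entry.name, entry.action
    return "implicit", "deny"           # nothing matched: default deny
```

Customer A traffic on port 80 stops at 1D, while the same port from customer B falls through to global rule 3, which is exactly the isolation the post describes.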

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi @Morse
    If you're looking for a way to better organize policies, I'd suggest using policy tagging, which allows you to tag and color code the policies.

    This is (mostly) possible in some cases via policies like the TCP/UDP proxy. However what you're suggesting is basically a complete overhaul of how the policies work. WatchGuard is moving in the direction of how they're managed in the cloud (First run, core, and last run.) If you haven't already checked out cloud management, I'd suggest looking at it, potentially via one of your NFR appliances.

    -James Carson
    WatchGuard Customer Support

  • @james.carson said:
    Hi @Morse
    If you're looking for a way to better organize policies, I'd suggest using policy tagging, which allows you to tag and color code the policies.

    This is (mostly) possible in some cases via policies like the TCP/UDP proxy. However what you're suggesting is basically a complete overhaul of how the policies work. WatchGuard is moving in the direction of how they're managed in the cloud (First run, core, and last run.) If you haven't already checked out cloud management, I'd suggest looking at it, potentially via one of your NFR appliances.

    I like how current policies work... LOL the easiest thing for this case would be to consolidate the proxies to the TCP-UDP Proxy. I've begun switching to that myself and it helps consolidate a lot of rules while keeping Auto-Order mode intact so that policies aren't in the wrong place. The only thing that proxy doesn't do is DNS-Proxy (which I like to use so I can log DNS queries :P ).

  • james.carson Moderator, WatchGuard Representative

    @Tristan.Colo
    Watch doing this, as TCP/UDP proxy does use more CPU than the standard proxies. It honestly depends on the amount of traffic that is traversing them and what resources the firewall has available. Under most circumstances it won't matter -- but under some it'll be enough to cause performance issues.

    -James Carson
    WatchGuard Customer Support