Take the following two policies, #10 and #22, where #22 is the accept policy for a VIP:
config firewall policy
edit 10
set srcintf "wan1"
set dstintf "inside"
set srcaddr "MYBLACKLIST_GROUPl"
set dstaddr "all"
set action deny
set schedule "always"
set service "ALL"
set comment " BL bad known bots"
next
edit 22
set srcintf "wan1"
set dstintf "inside"
set srcaddr "all"
set dstaddr "MYVIPWEB01"
set action accept
set schedule "always"
set service "HTTP"
next
Policy #10 will NOT block traffic to the VIP without set match-vip enable: a deny policy with dstaddr "all" does not match VIP-destined traffic by default, so blacklisted sources still reach MYVIPWEB01 via policy #22. The correct method to ensure the VIP is protected is to change policy #10 as follows:
config firewall policy
edit 10
set srcintf "wan1"
set dstintf "inside"
set srcaddr "MYBLACKLIST_GROUPl"
set dstaddr "all"
set action deny
set schedule "always"
set service "ALL"
set match-vip enable <------HERE!
set comment " BL bad known bots"
next
edit 22
set srcintf "wan1"
set dstintf "inside"
set srcaddr "all"
set dstaddr "MYVIPWEB01"
set action accept
set schedule "always"
set service "HTTP"
next
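The following audit script is an added example, not code from the post. It parses a FortiGate "config firewall policy" block and lists every deny policy with dstaddr "all" that lacks set match-vip enable, i.e. a blacklist deny that will not protect a VIP. The sample config is constructed from the two policies above, with policy 10 left in its original (unprotected) form.

```python
from typing import Dict, List

# Constructed sample: the post's two policies, policy 10 without match-vip.
SAMPLE_CONFIG = """\
config firewall policy
    edit 10
        set srcintf "wan1"
        set dstintf "inside"
        set srcaddr "MYBLACKLIST_GROUPl"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set comment " BL bad known bots"
    next
    edit 22
        set srcintf "wan1"
        set dstintf "inside"
        set srcaddr "all"
        set dstaddr "MYVIPWEB01"
        set action accept
        set schedule "always"
        set service "HTTP"
    next
end
"""

def parse_policies(text: str) -> Dict[str, Dict[str, str]]:
    """Map policy id -> {setting: value} for a 'config firewall policy' block."""
    policies: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            current = line.split(None, 1)[1]
            policies[current] = {}
        elif line == "next":
            current = None
        elif current is not None and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            policies[current][key] = value.strip().strip('"')
    return policies

def deny_policies_missing_match_vip(text: str) -> List[str]:
    """Ids of deny policies with dstaddr 'all' that lack 'set match-vip enable':
    without it the deny never matches traffic destined to a VIP."""
    return [pid for pid, p in parse_policies(text).items()
            if p.get("action") == "deny" and p.get("dstaddr") == "all"
            and p.get("match-vip") != "enable"]
```

Run it against a "show firewall policy" dump to get the list of deny policies that need match-vip added before they will cover VIP traffic.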
Ken Felix
NSE (network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( @ @ )=
o
/ \
10x!
Good one