Monday, February 1, 2016

This is a reminder about set match-vip enable. If you ever decide to build blacklist (BL) deny entries and also have VIPs, this feature is easily missed: unexpected traffic will still hit the VIP if you don't have set match-vip enable on the regular deny policy(s).

Take the following two policies, id #10 and #22, with #22 having a VIP as its destination:

config firewall policy
    edit 10
        set srcintf "wan1"
        set dstintf "inside"
        set srcaddr "MYBLACKLIST_GROUPl"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set comment " BL bad known bots"
    next
    edit 22
        set srcintf "wan1"
        set dstintf "inside"
        set srcaddr "all"
        set dstaddr "MYVIPWEB01"
        set action accept
        set schedule "always"
        set service "HTTP"
    next
end


Policy #10 will NOT block traffic to a VIP without set match-vip enable. The correct method to ensure the VIP is protected is to add match-vip to the deny policy:


config firewall policy
    edit 10
        set srcintf "wan1"
        set dstintf "inside"
        set srcaddr "MYBLACKLIST_GROUPl"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set match-vip enable     <------HERE!
        set comment " BL bad known bots"
    next
    edit 22
        set srcintf "wan1"
        set dstintf "inside"
        set srcaddr "all"
        set dstaddr "MYVIPWEB01"
        set action accept
        set schedule "always"
        set service "HTTP"
    next
end



This setting is only available from the CLI, not the web GUI, which is another reason it is easy to overlook.
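Because the option is CLI-only and silently absent from the GUI, it is worth checking for in a config review rather than by memory. The script below is an added example (not part of the original post and not a Fortinet tool): it parses a FortiOS-style policy listing and flags any deny policy that lacks set match-vip enable while a later accept policy on the same interface pair delivers traffic to a VIP object. The parser and the sample config are constructed for the example; the CLI keys used (config firewall vip / policy, srcintf, dstintf, dstaddr, action, match-vip, extip, extintf, mappedip) are real FortiOS keys, but the object names and addresses are made up.

```python
"""Audit a FortiOS policy listing for deny policies blind to VIP traffic.

Added example, not the blog post's or Fortinet's code. The parser handles
only the flat 'config X / edit Y / set k v / next / end' shape shown in
the post (no nested config inside an edit).
"""
import re
from typing import Dict, List

# Constructed sample: deny policy #10 sits above accept policy #22, whose
# destination is the VIP MYVIPWEB01, but #10 has no match-vip. This mirrors
# the broken configuration in the post.
SAMPLE_CONFIG = """
config firewall vip
    edit "MYVIPWEB01"
        set extip 203.0.113.10
        set extintf "wan1"
        set mappedip "10.10.10.10"
    next
end
config firewall policy
    edit 10
        set srcintf "wan1"
        set dstintf "inside"
        set srcaddr "MYBLACKLIST_GROUP"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set comment " BL bad known bots"
    next
    edit 22
        set srcintf "wan1"
        set dstintf "inside"
        set srcaddr "all"
        set dstaddr "MYVIPWEB01"
        set action accept
        set schedule "always"
        set service "HTTP"
    next
end
"""

# An entry maps each 'set' key to its list of tokens; "id" holds the edit label.
Entry = Dict[str, List[str]]


def _tokens(value: str) -> List[str]:
    """Split a 'set' value into tokens: bare words or one or more "quoted" names."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', value)]


def first(entry: Entry, key: str, default: str = "") -> str:
    """Return the first token of a field, or the default if the field is absent."""
    return entry.get(key, [default])[0]


def parse_sections(text: str) -> Dict[str, List[Entry]]:
    """Parse 'config <section>' blocks into lists of edit entries."""
    sections: Dict[str, List[Entry]] = {}
    section = None
    entry: Entry = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r'^config\s+(.+)$', line)
        if m:
            section = m.group(1)
            sections.setdefault(section, [])
            continue
        m = re.match(r'^edit\s+"?([^"]+?)"?$', line)
        if m:
            entry = {"id": [m.group(1)]}
            continue
        m = re.match(r'^set\s+(\S+)\s+(.*)$', line)
        if m and entry:
            entry[m.group(1)] = _tokens(m.group(2))
            continue
        if line == "next" and entry and section is not None:
            sections[section].append(entry)
            entry = {}
        # 'end' closes a section; nothing to record
    return sections


def find_vip_blind_denies(config_text: str) -> List[Dict[str, str]]:
    """Report deny policies without match-vip that a later VIP accept policy bypasses.

    A missing match-vip is treated as disabled, which is the behaviour the post
    describes: the deny never sees VIP-bound traffic, so the later accept wins.
    """
    sections = parse_sections(config_text)
    vip_names = {first(v, "id") for v in sections.get("firewall vip", [])}
    policies = sections.get("firewall policy", [])
    findings: List[Dict[str, str]] = []
    for i, pol in enumerate(policies):
        if first(pol, "action") != "deny" or first(pol, "match-vip", "disable") == "enable":
            continue
        for later in policies[i + 1:]:
            same_path = (first(later, "srcintf") == first(pol, "srcintf")
                         and first(later, "dstintf") == first(pol, "dstintf"))
            hits_vip = any(name in vip_names for name in later.get("dstaddr", []))
            if same_path and hits_vip and first(later, "action") == "accept":
                findings.append({
                    "deny_policy": first(pol, "id"),
                    "vip_policy": first(later, "id"),
                    "vip": " ".join(later["dstaddr"]),
                    "fix": f"config firewall policy / edit {first(pol, 'id')} / set match-vip enable",
                })
                break
    return findings


if __name__ == "__main__":
    for f in find_vip_blind_denies(SAMPLE_CONFIG):
        print(f"policy {f['deny_policy']} does not cover VIP {f['vip']} "
              f"(accepted by policy {f['vip_policy']}); fix: {f['fix']}")
```

Run against a `show firewall policy` / `show firewall vip` dump pasted into SAMPLE_CONFIG (or read from a file); a clean listing returns no findings, and adding set match-vip enable to policy 10 in the sample makes the finding disappear.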




Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com

     ^      ^
=(  @  @ )=
         o 
        /  \
