Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Aruba firewall policies question - AOS 6.3

  • 1.  Aruba firewall policies question - AOS 6.3

    Posted Aug 06, 2014 05:26 PM

    I was recently told something that I can't find any documentation to support.

    Let's imagine the following scenario: a role with 2 firewall policies. Let's assume they are on the role in the order listed here.

    I'm going to keep this very conceptual, as my question is conceptual:

    user-role: salesguy
    -firewall policy "salesforce.com"
    -firewall policy "linkedin.com"

    The details of each policy are as follows:

    the firewall policy "salesforce.com"
    permits user to go to salesforce.com
    that's it, implicit deny all

    the firewall policy "linkedin.com"
    permits user to go to linkedin.com
    that's it, implicit deny all

    When packets sent by the user with this role are evaluated -
    if the user is going to salesforce.com, we'll have a rule match; however, before permitting, it will then go to the 2nd policy.
    Since the 2nd policy does not have an implicit permit for salesforce.com, the implicit deny all at the end catches it.

    Basically what I'm being told is that if you are 'stacking' policies, any permit statements must be in all policies stacked. When a match for a permit statement hits, it then rolls to the next policy and continues to evaluate the packet.

    According to what I'm told, in order to effect access to both sites I would need:

    the firewall policy "salesforce.com"
    permits user to go to salesforce.com
    that's it, implicit deny all

    the firewall policy "linkedin.com"
    permits user to go to linkedin.com
    permits user to go to salesforce.com
    that's it, implicit deny all

    I struggle with the logic of this. I asked for some clarity and confirmation and I received confirmation that I understood what I was being told.

    However, I can't find any documentation to back that up. Can anyone confirm? Secondly, can you link to supporting documentation?

    Thanks for dealing with my very conceptual outline.

    Ray



  • 2.  RE: Aruba firewall policies question - AOS 6.3

    EMPLOYEE
    Posted Aug 06, 2014 06:05 PM
    No, you can put multiple firewall policies in a user-role, and an implicit deny all is applied at the bottom of the user-role policy list. It is not per policy/session ACL when applied to a user role.


  • 3.  RE: Aruba firewall policies question - AOS 6.3

    Posted Aug 06, 2014 06:18 PM

    Thanks very much for your reply. I suspected as much. Otherwise all subsequent policies would need to include all permit statements from higher-level policies, which just becomes silly.

     

    However, for the sake of what I'm working on - you wouldn't happen to know a document that explicitly supported what you are saying?  I can't find one bit in the UG that supports any statement about multiple policy rule evaluation.

     

    Ray



  • 4.  RE: Aruba firewall policies question - AOS 6.3

    EMPLOYEE
    Posted Aug 06, 2014 06:21 PM
    I don't have a document but I can guarantee you this is how it works. I don't think it's documented anywhere.


  • 5.  RE: Aruba firewall policies question - AOS 6.3

    Posted Aug 06, 2014 11:04 PM

    The sample roles in the UG simply would not work as they are described to work were this not the case. Would be nicer had it been explicitly stated, but that should be good enough to prove it.

    Note there is a two-stage evaluation procedure at work when AppRF DPI ("application") rules are in effect, and it's worth knowing about. See the "Configuring Policies for AppRF 2.0" section. Though, I'm working from the 6.4 manuals, so I'm not sure how much that changed since 6.3.


  • 6.  RE: Aruba firewall policies question - AOS 6.3

    EMPLOYEE
    Posted Aug 07, 2014 01:30 AM

    As cappalli said, basically if you have no policies in your role, then it is an implicit deny all.

     

    So if you put some rules in there, they are evaluated top down and if there is no match, then it hits that implicit deny.
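
The two readings discussed in this thread, worked through as an added example (this is not code from any of the posts above, nor Aruba's own implementation). It is a toy model: rules match only on a destination name, and the role, policy and destination names (salesguy, salesforce.com, linkedin.com, evil.example) are the hypothetical ones from the original question. `evaluate_role` implements the behaviour the Aruba employees confirmed (one ordered list across all policies in the role, first match wins, one implicit deny after the last policy); `evaluate_per_policy_deny` implements the misconception from the first post so the difference is visible side by side. A third role shows a consequence of first-match evaluation that follows from the confirmed behaviour: an explicit "any deny" at the end of an earlier policy shadows every policy listed after it.

```python
"""Toy model of how firewall policies stacked in an ArubaOS user-role are
evaluated.  Added example, not Aruba code.  Names (salesguy, salesforce.com,
linkedin.com, evil.example) are the hypothetical ones from the thread."""

from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Rule:
    dest: str      # destination name, or "any"
    action: str    # "permit" or "deny"

    def matches(self, dest: str) -> bool:
        return self.dest in ("any", dest)


@dataclass
class Policy:
    name: str
    rules: List[Rule]


def evaluate_role(policies: List[Policy], dest: str) -> Tuple[str, str]:
    """Behaviour confirmed in the thread: all policies in the role form one
    ordered list, the first matching rule wins, and a single implicit deny
    sits after the last policy (not after each one)."""
    for policy in policies:
        for rule in policy.rules:
            if rule.matches(dest):
                return rule.action, policy.name
    return "deny", "implicit deny (end of role)"


def evaluate_per_policy_deny(policies: List[Policy], dest: str) -> Tuple[str, str]:
    """The misconception from the first post: each policy carries its own
    implicit deny, and a permit only 'rolls on' to the next policy, so traffic
    must be permitted by every policy in the stack."""
    for policy in policies:
        for rule in policy.rules:
            if rule.matches(dest):
                if rule.action == "deny":
                    return "deny", policy.name
                break                      # permitted here; continue to next policy
        else:
            return "deny", f"implicit deny ({policy.name})"
    return "permit", "all policies"


# The role from the thread: two single-purpose policies, no explicit deny.
SALESGUY = [
    Policy("salesforce.com", [Rule("salesforce.com", "permit")]),
    Policy("linkedin.com", [Rule("linkedin.com", "permit")]),
]

# Same role, but the first policy ends with an explicit "any deny".
# Under first-match evaluation that rule shadows everything after it.
SALESGUY_SHADOWED = [
    Policy("salesforce.com", [Rule("salesforce.com", "permit"), Rule("any", "deny")]),
    Policy("linkedin.com", [Rule("linkedin.com", "permit")]),
]

DESTS = ["salesforce.com", "linkedin.com", "evil.example"]   # constructed test traffic


def decisions(evaluator, policies: List[Policy]) -> dict:
    """Map each destination in DESTS to (action, reason) for the given evaluator."""
    return {dest: evaluator(policies, dest) for dest in DESTS}


if __name__ == "__main__":
    for label, fn in (("role-level implicit deny (actual behaviour)", evaluate_role),
                      ("per-policy implicit deny (misconception)", evaluate_per_policy_deny)):
        print(label)
        for dest, (action, why) in decisions(fn, SALESGUY).items():
            print(f"  {dest:16} -> {action:6} [{why}]")
    print("explicit 'any deny' at the end of the first policy:")
    for dest, (action, why) in decisions(evaluate_role, SALESGUY_SHADOWED).items():
        print(f"  {dest:16} -> {action:6} [{why}]")
```

Under the per-policy reading, neither site is reachable with the original two policies (each is denied by the other policy's implicit deny), which is why the thread's poster was told to duplicate permits into every stacked policy. Under the confirmed role-level reading both sites are permitted and only unmatched traffic hits the single implicit deny. The shadowed role is the practical caveat: once a policy that ends in an explicit deny-all is placed in a role, the order of the policies in that role decides what later policies can ever permit.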