I was recently told something that I can't find any documentation to support.
Let's imagine the following scenario: a role with 2 firewall policies. Let's assume they are on the role in the order listed here.
I'm going to keep this very conceptual, as my question is conceptual:
user-role: salesguy
-firewall policy "salesforce.com"
-firewall policy "linkedin.com"
the details of each policy are as follows:
the firewall policy "salesforce.com"
permits user to go to salesforce.com
that's it, implicit deny all
the firewall policy "linkedin.com"
permits user to go to linkedin.com
that's it, implicit deny all
When packets sent by the user with this role are evaluated -
if the user is going to salesforce.com, we'll have a rule match; however, before permitting, it will then go to the 2nd policy.
Since the 2nd policy does not have an implicit permit for salesforce.com - the implicit deny all at the end catches it.
Basically, what I'm being told is that if you are 'stacking' policies, any permit statements must be in all the policies stacked. When a match for a permit statement hits, it then rolls to the next policy and continues to evaluate the packet.
According to what I'm told, in order to effect access to both sites I would need:
the firewall policy "salesforce.com"
permits user to go to salesforce.com
that's it, implicit deny all
the firewall policy "linkedin.com"
permits user to go to linkedin.com
permits user to go to salesforce.com
that's it, implicit deny all
I struggle with the logic of this. I asked for some clarity and confirmation and I received confirmation that I understood what I was being told.
However, I can't find any documentation to back that up. Can anyone confirm? Secondly, can you link to supporting documentation?
Thanks for dealing with my very conceptual outline.
Ray
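The two evaluation models the post contrasts, as an added simulator that is not part of the original post and not any vendor's code. Policy names, the "salesguy" role and the destinations are the hypothetical ones from the post. Model A is ordinary first-match evaluation across the whole stack with a single implicit deny at the end of the role; Model B is the "permit, then roll to the next policy" behaviour the poster was told about. One detail of Model B is an assumption of this example: a policy the packet does not match at all, before any permit has been seen, is skipped. That is the only reading under which the post's suggested fix (adding salesforce.com to the second policy only) gives access to both sites; the `strict` flag shows the alternative reading, where every policy's own implicit deny applies and linkedin.com would also have to be added to the first policy. Which model a real firewall implements has to be confirmed against that vendor's documentation.

```python
# Added example, not from the original post or any vendor's code: a small
# simulator contrasting two ways a stack of user-role firewall policies
# could be evaluated. Names below are the hypothetical ones from the post.

from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Policy:
    name: str
    permits: frozenset  # destinations with an explicit permit; all else hits the policy's implicit deny


@dataclass(frozen=True)
class Role:
    name: str
    policies: tuple  # evaluated in the order listed on the role


def first_match(role: Role, dest: str) -> tuple:
    """Model A: the role's policies form one ordered list. The first policy
    with a matching permit decides; the only implicit deny is the one at the
    end of the whole role."""
    for policy in role.policies:
        if dest in policy.permits:
            return ("permit", policy.name)
    return ("deny", "implicit deny at end of role")


def permit_then_continue(role: Role, dest: str, strict: bool = False) -> tuple:
    """Model B, as described to the poster: a matching permit does not end
    evaluation. The packet rolls on to the next policy, and every later policy
    must also permit it or that policy's implicit deny catches it.

    strict=False (assumption of this example): a policy the packet does not
    match before any permit has been seen is skipped. This is the reading
    under which the post's fix (salesforce.com added to the 2nd policy only)
    yields access to both sites.
    strict=True: every policy's implicit deny applies regardless, so
    linkedin.com would also need a permit in the 1st policy.
    """
    permitted_by = None
    for policy in role.policies:
        if dest in policy.permits:
            if permitted_by is None:
                permitted_by = policy.name
        elif strict or permitted_by is not None:
            return ("deny", f"implicit deny at end of '{policy.name}'")
    if permitted_by is None:
        return ("deny", "implicit deny at end of role")
    return ("permit", permitted_by)


def audit(role: Role, dests: Iterable[str], evaluator) -> dict:
    """Evaluate each destination under one model; returns {dest: (verdict, reason)}."""
    return {dest: evaluator(role, dest) for dest in dests}


# Constructed input: the role as originally built, and the suggested fix.
SALESFORCE = Policy("salesforce.com", frozenset({"salesforce.com"}))
LINKEDIN = Policy("linkedin.com", frozenset({"linkedin.com"}))
LINKEDIN_PLUS = Policy("linkedin.com", frozenset({"linkedin.com", "salesforce.com"}))

SALESGUY = Role("salesguy", (SALESFORCE, LINKEDIN))
SALESGUY_FIXED = Role("salesguy", (SALESFORCE, LINKEDIN_PLUS))

DESTS = ("salesforce.com", "linkedin.com", "example.org")  # example.org: matches nothing

if __name__ == "__main__":
    models = (
        ("first-match", first_match),
        ("permit-then-continue", permit_then_continue),
        ("permit-then-continue (strict)",
         lambda r, d: permit_then_continue(r, d, strict=True)),
    )
    for role in (SALESGUY, SALESGUY_FIXED):
        print(f"role {role.name}: " + " -> ".join(p.name for p in role.policies))
        for label, ev in models:
            for dest, (verdict, why) in audit(role, DESTS, ev).items():
                print(f"  {label:32} {dest:16} {verdict:6} ({why})")
```

Running it shows the disagreement the post is about: under first-match the original role already permits both sites, while under the permit-then-continue model the salesforce.com packet is permitted by the first policy and then caught by the second policy's implicit deny, exactly as the poster was told, until the permit is duplicated. The strict variant is the check worth making before accepting the "must be in all policies" rule: if that rule really held as stated, the suggested fix would still leave linkedin.com blocked by the first policy.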