Hello,
My company has recently acquired an SSG5 device. We have a small network where some users/PCs (bosses) need full access to the Internet while others should only have restricted access (employees).
After reading a lot of the documentation, I didn't succeed in achieving this.
I read in this forum that it was not possible to define MAC address based policies and looked for another solution.
Nor did I find a way to define policies based on IP pools in the same subnet (e.g. bosses' PCs would go from 192.168.1.2 to 192.168.1.10 and employees' PCs from 192.168.1.100 to 192.168.1.120).
Without yet knowing whether it is the best alternative, I did the following:
1. Creation of two security zones: one for the bosses and another for the employees. They are on two different subnets: 192.168.1.0/24 and 192.168.2.0/24. I would have wanted the same subnet, to allow traffic between PCs via the switch (only) and bypass the firewall, but that is apparently not possible.
2. Binding of ethernet ports 0/2 and 0/3 to interface bgroup0, and ethernet ports 0/4, 0/5 and 0/6 to interface bgroup1.
3. Assigning the bgroup0 interface to the boss security zone and bgroup1 to the employee security zone.
4. Creation of the following policies: boss to employee: full access / employee to boss: full access / boss to untrust: full access / employee to untrust: limited access (based on services and service group selection).
I cannot get Internet access for (at least) the boss "group".
When I assign the bgroup0 interface back to the trust security zone, I have Internet access again.
What is missing in my config?
Is it the best way to achieve the sought goal?
Thank you in advance for your help.
Regards,
David
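The four steps above, written out as ScreenOS CLI, as an added example that is not the poster's configuration. The zone names (boss, employee), the interface addresses 192.168.1.1 and 192.168.2.1, interface NAT mode, the service group name Web-Limited and the ISP gateway placeholder are all assumptions; a bgroup that has a zone but no IP address, no NAT/route mode, or no default route out of untrust will not pass Internet traffic, so those lines are the ones to compare against a real config.

```text
# Custom Layer-3 zones (assumed names)
set zone name boss
set zone name employee

# Bind the switch ports to the two bridge groups
set interface bgroup0 port ethernet0/2
set interface bgroup0 port ethernet0/3
set interface bgroup1 port ethernet0/4
set interface bgroup1 port ethernet0/5
set interface bgroup1 port ethernet0/6

# Zone binding must happen before the IP address is set
set interface bgroup0 zone boss
set interface bgroup0 ip 192.168.1.1/24      # assumed gateway address
set interface bgroup0 nat                    # interface NAT towards untrust (assumed)
set interface bgroup1 zone employee
set interface bgroup1 ip 192.168.2.1/24      # assumed gateway address
set interface bgroup1 nat

# Default route towards the ISP (placeholder gateway, untrust on ethernet0/0 assumed)
set route 0.0.0.0/0 interface ethernet0/0 gateway <ISP_GATEWAY>

# Restricted service set for employees (assumed contents)
set group service Web-Limited
set group service Web-Limited add DNS
set group service Web-Limited add HTTP
set group service Web-Limited add HTTPS

# Policies: only employee -> untrust is restricted; everything else logged but open
set policy from boss to employee any any any permit log
set policy from employee to boss any any any permit log
set policy from boss to untrust any any any permit log
set policy from employee to untrust any any Web-Limited permit log

save
```

Checking `get interface bgroup0` and `get route` on the device shows whether the zone, address, mode and default route actually match the intended layout.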