vSRX

vSRX doesn't hit second rule

11-06-2019 03:08 AM

Hi everybody,

I wrote 2 rules on the vSRX from trust to untrust, but these are different rules: one blocks Facebook, the other permits YouTube for a specific IP. When the FW matches the first rule, it doesn't care about any other rule, but when it doesn't match the first rule, it hits the second rule.

How can I set it up to check the rules one by one?

Re: vSRX doesn't hit second rule

11-06-2019 03:26 AM

Hi,

That is the way policy lookup is designed.

I am curious - why would you need one flow to match both Facebook and YouTube?

Also, if the second rule is more specific than the first rule, then place the second rule on top of the first one. That way, more specific traffic will be allowed by rule-2 and others will be blocked by rule-1.

Regards,
Gokul

Re: vSRX doesn't hit second rule

11-06-2019 04:19 AM

First of all, thanks for the reply.

For example, I am the CEO at my company, and I want to block YouTube for my employees, but I want to access YouTube on my PC. On the other hand, I want to block Facebook for all PCs, including mine.

How can I do this scenario?

And also, when I change the rules' positions, nothing changes; the same problem occurs again. The first rule works, but the second one does not.

Re: vSRX doesn't hit second rule

11-06-2019 04:30 AM

You are welcome! 🙂

OK, your requirement looks clear now. I would go with 2 policies.

Topmost -> CEO IP to YouTube, permit

Next -> All IPs to YouTube or Facebook, block

Also, filtering FB, YouTube, etc. via IP addresses is not practical. You may want to explore the Web Filtering feature.

Regards,
Gokul
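
The ordering in this reply written out as Junos set commands (an added example, not configuration from the thread). The zone names trust/untrust come from the thread; the policy names and the 192.0.2.x, 198.51.100.x and 203.0.113.x addresses are constructed placeholders, since matching YouTube or Facebook by IP is not practical and would be done with web filtering in practice. The check at the end asks the firewall which policy a given flow hits, which is how to confirm the order actually took effect.

```junos
# Added example, not from the thread. Zones trust/untrust are from the thread;
# policy names and addresses are constructed placeholders.
set security address-book global address CEO-PC 192.0.2.10/32
set security address-book global address YOUTUBE-NET 203.0.113.0/24
set security address-book global address FACEBOOK-NET 198.51.100.0/24

# Topmost: only the CEO PC may reach YouTube (most specific policy first)
set security policies from-zone trust to-zone untrust policy CEO-YOUTUBE match source-address CEO-PC
set security policies from-zone trust to-zone untrust policy CEO-YOUTUBE match destination-address YOUTUBE-NET
set security policies from-zone trust to-zone untrust policy CEO-YOUTUBE match application junos-https
set security policies from-zone trust to-zone untrust policy CEO-YOUTUBE then permit
set security policies from-zone trust to-zone untrust policy CEO-YOUTUBE then log session-init

# Next: everyone, the CEO included, is denied YouTube and Facebook
set security policies from-zone trust to-zone untrust policy BLOCK-SOCIAL match source-address any
set security policies from-zone trust to-zone untrust policy BLOCK-SOCIAL match destination-address [ YOUTUBE-NET FACEBOOK-NET ]
set security policies from-zone trust to-zone untrust policy BLOCK-SOCIAL match application any
set security policies from-zone trust to-zone untrust policy BLOCK-SOCIAL then deny
set security policies from-zone trust to-zone untrust policy BLOCK-SOCIAL then log session-init

# Last: everything else from trust to untrust is allowed
set security policies from-zone trust to-zone untrust policy DEFAULT-PERMIT match source-address any
set security policies from-zone trust to-zone untrust policy DEFAULT-PERMIT match destination-address any
set security policies from-zone trust to-zone untrust policy DEFAULT-PERMIT match application any
set security policies from-zone trust to-zone untrust policy DEFAULT-PERMIT then permit

# Policies are evaluated top to bottom and lookup stops at the first match.
# If CEO-YOUTUBE was committed below BLOCK-SOCIAL, move it rather than re-creating it.
insert security policies from-zone trust to-zone untrust policy CEO-YOUTUBE before policy BLOCK-SOCIAL
commit

# Operational checks (run from configuration mode): show the order, then ask
# which policy a flow hits. CEO PC to a Facebook address on 443 should report
# BLOCK-SOCIAL with action deny; CEO PC to a YouTube address should report CEO-YOUTUBE.
run show security policies from-zone trust to-zone untrust
run show security match-policies from-zone trust to-zone untrust source-ip 192.0.2.10 destination-ip 198.51.100.5 source-port 40000 destination-port 443 protocol tcp
run show security match-policies from-zone trust to-zone untrust source-ip 192.0.2.10 destination-ip 203.0.113.5 source-port 40000 destination-port 443 protocol tcp
```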

Re: vSRX doesn't hit second rule

11-06-2019 06:24 AM

I will try your advice, but my main problem is not doing that. My main problem is that I reach Facebook when I permit YouTube to the CEO IP. It looks like this:

topmost -> block YouTube except CEO IP (I do it with exclude address)

next -> block Facebook for the whole company

next -> default-permit rule

When I do it like that, the CEO can reach Facebook. This is what I don't understand: how can the CEO reach Facebook?

By the way, I always used web filtering, like you say.

Re: vSRX doesn't hit second rule

11-10-2019 11:10 PM

It didn't work on my vSRX on ESXi, but on another device in the same ESXi, it worked. And also, I didn't understand why 😄

Re: vSRX doesn't hit second rule

12-28-2019 01:57 PM

Interesting that the same configuration works on one instance and not the other. I would suggest you look at the "flow traceoptions" of both flows on both vSRXs.

A comparison would reveal the mystery.

Thanks!