FAQ: can set the user access policy in SVN3000, but sometimes will meet the policy collision. When the policy is collision, which policy will become effective in the SVN3000?
SVN3000 configure policy including the user policy, group policy, when the user login virtual gateway, effective policy including the user group policy and user policy at the same time, SVN3000 to this user policy, all need to deal with and sort together.
1, to the matched policy, the policy priority which matched precision high (long mask length) is higher than the policy matched precision low. It divided into 4 kinds of circumstances, its policy priority from high to low is as follows:
A, specific IP + port such as 21 port of 10.27.65.253/32
B, IP address segment + ports such as 21 port of 10.27.65.253/24
C, all specific IP ports such as all 10.27.65.253/32 ports
D, all ports of IP address segment such as all 10.27.65.0/24 ports
When policy conflict, the policy with high priority will become effective.
Example: a policy allows access to the destination address 10.1.1.0/24 80 port (the level is B), and the other policy forbid to access the destination address 10.1.1.1/32 computer (this level is C), whether can access 10.1.1.1/32 80 port?
First analysis policy level, policy B priority is higher, the policy become effective, namely can access 10.1.1.1/32 80 port.
2, if two policy configuration precision is consistent, and have the same destination IP, but one permit, another forbid, the policy opposite to default configuration effect.
Example: a policy permit to access the destination address 10.1.1.0/24 23 port, and the other forbid to access the destination address 10.1.1.0/24 23 port, the policy default behavior is "permit", whether can access 10.1.1.0/24 23 port?
two policy configuration precision is consistent, the policy opposite to “permit” configuration effect, namely probed to access 10.1.1.0/24 23 port.
SVN3000 access control policy and firewall ACL rule is a different, SVN3000 PORT is preferred, firewall ACL IP is preferred.
According to the address and port of different situation used in the SVN3000 configuration policy, concluded to four categories, we need to know the priority of each policy