After configuring a default deny-all policy plus a permit rule for one network segment, all network segments are denied

Publication Date:  2013-05-07
Issue Description
An office deployment of a USG3000 V100R002 UTM.
The customer required that only certain IP addresses be allowed to use P2P software, games and stock-trading software, with all other IP addresses denied. A default deny-all policy was configured, together with a permit rule whose match condition is the source IP address of the permitted network segment:
flow-manager application-rule id 1 permit source-ip 10.39.182.0 26 stock
flow-manager application-rule id 2 deny stock
Alarm Information
None.
Handling Process
The existing permit rule for the intranet segment matches on the source address only. Add a second permit rule for the same intranet segment that matches on the destination address:

flow-manager application-rule id 1 permit source-ip 10.39.182.0 26 stock
flow-manager application-rule id 2 deny stock
flow-manager application-rule id 3 permit destination-ip 10.39.182.0 26 stock

Alternatively, apply the deny rule to a larger network segment and rely on the more exact (longer-prefix) match taking precedence over the less exact one:
flow-manager application-rule id 1 permit source-ip 10.39.182.0 26 game
flow-manager application-rule id 2 deny source-ip 10.39.0.0 16 game

In the default configuration nothing is denied by destination address, so the return traffic from the extranet to the intranet segment is permitted without an explicit destination-address rule.
Root Cause
After the configuration, all network segments were found to be denied, both intranet and extranet; that is, the extranet could not send data to the intranet. The rule "deny stock" has neither a source nor a destination address, so it matches traffic in both directions, while the permit rule only matches traffic whose source address is the intranet segment. If the user needs to permit an intranet segment to use this software, the permit must therefore be configured in both directions: one rule permitting the segment as source address and another permitting it as destination address.
Suggestions
With the automatic (default) configuration, the default rule action is permit.
There are two ways to configure this:
1. Configure a deny rule in which the source address and destination address are both any. This denies all network segments, so permit rules must then be configured in both directions for the hosts that are allowed to use these applications.
2. Leave the default rule as permit and configure deny rules based on source address. For the extranet, no destination-address rule is needed because the default action already permits it.
Method 2 is easier than method 1 and uses fewer rules.
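As an added illustration (not part of the original case and not the device's own matching code), the following Python model reproduces the behaviour described above under the assumptions this case states: a rule with no source-ip or destination-ip matches traffic in both directions, the more exact (longer-prefix) match takes precedence, and the default action when no rule matches is permit. The rule strings are the ones from this case; the host and server addresses (10.39.182.10, 10.39.10.10, 203.0.113.5) are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed model of flow-manager application-rule matching, derived only from
# the behaviour described in this case. It is an assumption for illustration,
# not the USG3000's actual matching algorithm.


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str                                    # "permit" or "deny"
    app: str                                       # "stock", "game", "p2p", ...
    source: Optional[ipaddress.IPv4Network] = None
    destination: Optional[ipaddress.IPv4Network] = None

    def matches(self, src: ipaddress.IPv4Address,
                dst: ipaddress.IPv4Address, app: str) -> bool:
        # An unspecified source or destination means "any", so a rule with
        # neither address matches both directions of a flow.
        if app != self.app:
            return False
        if self.source is not None and src not in self.source:
            return False
        if self.destination is not None and dst not in self.destination:
            return False
        return True

    def specificity(self) -> int:
        # Longer prefixes are "more exact"; an unspecified address contributes 0.
        return ((self.source.prefixlen if self.source else 0)
                + (self.destination.prefixlen if self.destination else 0))


def parse_rule(line: str) -> Rule:
    """Parse 'flow-manager application-rule id N permit|deny [source-ip A M] [destination-ip A M] APP'."""
    tok = line.split()
    if tok[:3] != ["flow-manager", "application-rule", "id"]:
        raise ValueError(f"not an application-rule line: {line!r}")
    rule_id, action, app = int(tok[3]), tok[4], tok[-1]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    src = dst = None
    body, i = tok[5:-1], 0
    while i < len(body):                           # address keyword, address, mask length
        net = ipaddress.IPv4Network(f"{body[i + 1]}/{body[i + 2]}", strict=False)
        if body[i] == "source-ip":
            src = net
        elif body[i] == "destination-ip":
            dst = net
        else:
            raise ValueError(f"unexpected token {body[i]!r}")
        i += 3
    return Rule(rule_id, action, app, src, dst)


def evaluate(rules: List[Rule], src: str, dst: str, app: str) -> str:
    """Action for one flow: the most exact matching rule wins, ties go to the lower id, no match -> permit."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    candidates = [r for r in rules if r.matches(s, d, app)]
    if not candidates:
        return "permit"                            # default rule action is permit
    best = min(candidates, key=lambda r: (-r.specificity(), r.rule_id))
    return best.action


def app_usable(rules: List[Rule], inside: str, outside: str, app: str) -> bool:
    """An application only works if the outbound direction and the return direction are both permitted."""
    return (evaluate(rules, inside, outside, app) == "permit"
            and evaluate(rules, outside, inside, app) == "permit")


# The three rule sets from this case.
BROKEN = [parse_rule(line) for line in (
    "flow-manager application-rule id 1 permit source-ip 10.39.182.0 26 stock",
    "flow-manager application-rule id 2 deny stock",
)]
FIXED_BOTH_DIRECTIONS = BROKEN + [parse_rule(
    "flow-manager application-rule id 3 permit destination-ip 10.39.182.0 26 stock")]
FIXED_BIGGER_SEGMENT = [parse_rule(line) for line in (
    "flow-manager application-rule id 1 permit source-ip 10.39.182.0 26 game",
    "flow-manager application-rule id 2 deny source-ip 10.39.0.0 16 game",
)]

if __name__ == "__main__":
    host, other, server = "10.39.182.10", "10.39.10.10", "203.0.113.5"   # constructed addresses
    print("deny any/any, permit source only :", app_usable(BROKEN, host, server, "stock"))
    print("permit in both directions        :", app_usable(FIXED_BOTH_DIRECTIONS, host, server, "stock"))
    print("deny bigger segment, permit /26  :", app_usable(FIXED_BIGGER_SEGMENT, host, server, "game"),
          "/ other intranet host:", app_usable(FIXED_BIGGER_SEGMENT, other, server, "game"))
```

Running it shows the failure from the case directly: with the first rule set the outbound flow from 10.39.182.10 is permitted by rule 1, but the return flow from the server only matches "deny stock" and is dropped, so the application does not work. Rule 3 makes the return direction match a /26 permit; the second approach never denies the return direction at all, because its deny rule is scoped to the source address and everything else falls through to the default permit.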

END