After configuring a default deny policy and a permit rule for one network segment, the whole network segment is denied

Publication Date:  2013-05-07 Views:  835 Downloads:  0

Issue Description

An office USG3000 V100R002 UTM project.
The customer required that some IP addresses be permitted to use P2P software, games and stock-trading applications, while all other IP addresses are denied. A default policy denying everything was configured, together with a rule permitting one network segment as the source IP address:
flow-manager application-rule id 1 permit source-ip 10.39.182.0 26 stock
flow-manager application-rule id 2 deny stock

Alarm Information

none

Handling Process

Keep the rule that permits the intranet segment as the source address, and add a rule that permits the same intranet segment as the destination address:

flow-manager application-rule id 1 permit source-ip 10.39.182.0 26 stock
flow-manager application-rule id 2 deny stock
flow-manager application-rule id 3 permit destination-ip 10.39.182.0 26 stock

Alternatively, deny a larger network segment and permit the specific segment; the more exact rule takes precedence:
flow-manager application-rule id 1 permit source-ip 10.39.182.0 26 game
flow-manager application-rule id 2 deny source-ip 10.39.0.0 16 game

In the default situation, the destination address is not denied.

Root Cause

After the configuration, the whole network segment was found to be denied, including both the intranet and extranet segments; that is, the extranet could not send data to the intranet. Therefore, if an intranet segment needs to be permitted to use these applications, rules must be configured in both directions: one permitting the segment as the source address and another permitting it as the destination address.
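As an added example (not from this Huawei case or the USG3000 software), the following evaluator mimics the "more exact rule takes precedence" matching described in the Handling Process for the rules of this case, and shows why the source-only permit under a default deny blocks traffic entering the segment while rule 3 repairs it. The most-exact-match-wins semantics, the permit default, and the host and external addresses are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    rule_id: int
    action: str                            # "permit" or "deny"
    app: str                               # application name, e.g. "stock"
    source_ip: Optional[str] = None        # CIDR, or None for "any"
    destination_ip: Optional[str] = None   # CIDR, or None for "any"

    def matches(self, src, dst, app):
        if app != self.app:
            return False
        for net, addr in ((self.source_ip, src), (self.destination_ip, dst)):
            if net and ipaddress.ip_address(addr) not in ipaddress.ip_network(net):
                return False
        return True

    def specificity(self):
        # More address fields and longer prefixes make a rule "more exact"; lower id breaks ties.
        nets = [ipaddress.ip_network(n) for n in (self.source_ip, self.destination_ip) if n]
        return (len(nets), sum(n.prefixlen for n in nets), -self.rule_id)

def evaluate(rules, src, dst, app, default="permit"):
    """Action of the most exact matching rule, or the policy default (assumed: permit)."""
    hits = [r for r in rules if r.matches(src, dst, app)]
    return max(hits, key=Rule.specificity).action if hits else default

# Rules from the Issue Description: source-only permit plus an explicit deny-all.
SOURCE_ONLY = [Rule(1, "permit", "stock", source_ip="10.39.182.0/26"),
               Rule(2, "deny", "stock")]
# Handling Process fix: rule 3 also permits the segment as destination.
BOTH_DIRECTIONS = SOURCE_ONLY + [Rule(3, "permit", "stock", destination_ip="10.39.182.0/26")]
# Alternative: deny the wider /16 and permit the exact /26, relying on exactness precedence.
EXACT_OVER_WIDE = [Rule(1, "permit", "game", source_ip="10.39.182.0/26"),
                   Rule(2, "deny", "game", source_ip="10.39.0.0/16")]

def check(rules, app, host="10.39.182.5", external="203.0.113.10"):
    """Decisions for traffic leaving and entering the segment (host/external are constructed)."""
    return {"outbound": evaluate(rules, host, external, app),
            "inbound": evaluate(rules, external, host, app)}

if __name__ == "__main__":
    print("source-only:    ", check(SOURCE_ONLY, "stock"))       # inbound denied (the reported symptom)
    print("both directions:", check(BOTH_DIRECTIONS, "stock"))   # inbound permitted
    print("exact over wide:", check(EXACT_OVER_WIDE, "game"))
```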

Suggestions

In the automatic configuration, the default rule action is permit.
There are two ways to configure this:
1 Configure a rule whose source address and destination address are both any with the action deny, which denies all network segments; in this case, rules permitting the required hosts to use these applications must be configured in both directions.
2 Since the default rule action is permit, configure rules based on the source address only; for the extranet, no destination address rule needs to be configured because it is permitted by default.
Method 2 is simpler than method 1 and uses fewer rules.

END