SG UTM

Suggest, discuss, and vote on new ideas for SG UTM. The ultimate network security package.


Negate

It just does a reverse of what it would be normally.

You create a rule that allows:

src = DMZ net
dst = Internal Network (Negate)
srv = http
action = Allow

This permits the DMZ to HTTP to the Internet what having to define 2 rules.

One that would BLOCK DMZ to HTTP to the Internal Network and the other to PERMIT DMZ to HTTP to ANY.

It is quite common to see a group defined that contains all of the internal and dmz networks and then negate that group in the destination column to allow internet access.

This therefore allows access to anywhere but the networks group.

The negate can also be on the service:

src = DMZ net
dst = Internal Network (Negate)
srv = Negate DNS, Ping Telnet
action = Allow

This allows DMZ to do any service except ping and DNS queries anywhere except to internal networks.

Can't explain any simpler than this.

2 votes
ximianximian shared this idea

1 comment

ximianximian commented:

DARN can't edit! Obviously I meant to say:

This permits the DMZ to HTTP to the Internet without having to define 2 rules.

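To make the negate semantics concrete, here is an added example (not part of the original post or of SG UTM itself) that models a rule as a match on source, destination and service, where a negate flag simply inverts that field's match result. It shows the single negated rule from the post giving the same verdicts as the two explicit rules it replaces; all addressing, service names and flows are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample addressing; not taken from the post.
DMZ_NET = [ipaddress.ip_network("172.16.1.0/24")]
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
ANY = [ipaddress.ip_network("0.0.0.0/0")]

@dataclass
class Rule:
    src: list                  # ip_network objects
    dst: list
    srv: set                   # service names, e.g. {"http"}
    action: str                # "allow" or "drop"
    dst_negate: bool = False   # match destinations NOT in dst
    srv_negate: bool = False   # match services NOT in srv

def rule_matches(rule, src_ip, dst_ip, service):
    # Negate flips that field's match result: hit XOR negate.
    src_hit = any(src_ip in n for n in rule.src)
    dst_hit = any(dst_ip in n for n in rule.dst) != rule.dst_negate
    srv_hit = (service in rule.srv) != rule.srv_negate
    return src_hit and dst_hit and srv_hit

def evaluate(rules, src_ip, dst_ip, service, default="drop"):
    # First matching rule wins; anything unmatched hits the implicit drop.
    src_ip, dst_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule_matches(rule, src_ip, dst_ip, service):
            return rule.action
    return default

# The single negated rule from the post, and the two explicit rules it replaces.
NEGATE_RULES = [Rule(DMZ_NET, INTERNAL_NETS, {"http"}, "allow", dst_negate=True)]
EXPLICIT_RULES = [Rule(DMZ_NET, INTERNAL_NETS, {"http"}, "drop"),
                  Rule(DMZ_NET, ANY, {"http"}, "allow")]
# Service negate: any service except DNS/ping/telnet, to anywhere except internal.
SRV_NEGATE_RULES = [Rule(DMZ_NET, INTERNAL_NETS, {"dns", "ping", "telnet"}, "allow",
                         dst_negate=True, srv_negate=True)]
SAMPLE_FLOWS = [  # constructed (src, dst, service) tuples
    ("172.16.1.10", "93.184.216.34", "http"),  # DMZ -> Internet web
    ("172.16.1.10", "10.1.2.3", "http"),       # DMZ -> internal web
    ("172.16.1.10", "93.184.216.34", "dns"),   # DMZ -> Internet DNS
    ("172.16.1.10", "192.168.5.5", "smtp"),    # DMZ -> internal mail
    ("10.1.2.3", "93.184.216.34", "http"),     # not from the DMZ at all
]

def same_verdicts(rules_a, rules_b, flows=SAMPLE_FLOWS):
    # True when both rule sets return identical verdicts for every flow.
    return all(evaluate(rules_a, *f) == evaluate(rules_b, *f) for f in flows)
```

Because evaluation stops at the first match, the order of the two explicit rules matters (block before allow), whereas the negated form has no ordering to get wrong.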