I haven’t had luck finding this question asked or answered anywhere so I figured I might as well start here. I’m looking for a way of processing configuration matches in a single rule.
For example, let's say I have the below config:
set firewall group network-group BLOCKED_NETS network 'X.0.0.0/8'
set firewall group network-group BLOCKED_NETS network 'Y.0.0.0/8'
set firewall group network-group BLOCKED_NETS network 'Z.0.0.0/8'
set firewall group address-group ALLOWED_IPS address 'X.1.1.1'
set firewall name WAN_IN default-action drop
set firewall name WAN_IN rule 85 action accept
set firewall name WAN_IN rule 85 description 'Allow In IPs'
set firewall name WAN_IN rule 85 source group address-group ALLOWED_IPS
set firewall name WAN_IN rule 90 action drop
set firewall name WAN_IN rule 90 description BAD_NETS
set firewall name WAN_IN rule 90 source group network-group BLOCKED_NETS
set firewall name WAN_IN rule 95 action accept
set firewall name WAN_IN rule 95 description 'Allow in to TCP/80 on ABCD'
set firewall name WAN_IN rule 95 destination address A.B.C.D
set firewall name WAN_IN rule 95 destination port 80
set firewall name WAN_IN rule 95 protocol tcp
The desired effect:
I want to allow access to TCP/80 on ABCD
I want to block a network group of multiple networks
I want to exempt an IP that is included in those multiple networks from being blocked. (X.1.1.1 is an IP within the greater X.0.0.0/8 network)
However, while I mostly accomplish the above, the glaring issue is that the single IP that I'm attempting to exempt from the block rule now has unfettered access in to ABCD on any port instead of only on port 80.
Is there some way to accomplish something like:
set firewall name WAN_IN rule 90 action drop
set firewall name WAN_IN rule 90 description BAD_NETS
set firewall name WAN_IN rule 90 source 1 group network-group BLOCKED_NETS
set firewall name WAN_IN rule 90 source 2 group address-group !ALLOWED_IPS
Simply put: block any IP in the BLOCKED_NETS networks unless that IP is in the ALLOWED_IPS group? That would allow the ALLOWED_IPS to not be blocked without giving them a broad allow in. Any ideas?
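Added example (not from the post above): the leak described comes from first-match evaluation, where rule 85 is hit before rule 90 and matches on source alone, so it accepts every port. The small model below walks the posted rules in ascending order the way a VyOS/EdgeOS chain does, then repeats the run with rule 85 narrowed to the same destination, protocol and port as rule 95, which keeps the exemption from becoming a blanket allow. The networks, the exempt host and the server address are constructed stand-ins for the X.0.0.0/8, X.1.1.1 and A.B.C.D placeholders, and the evaluator is a simplified model of the firewall, not the platform's own code.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins for the post's placeholders (X.0.0.0/8, X.1.1.1, A.B.C.D);
# private and documentation ranges chosen for the example only.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALLOWED_IPS = [ipaddress.ip_network("10.1.1.1/32")]   # sits inside 10.0.0.0/8
SERVER = ipaddress.ip_network("203.0.113.10/32")       # "A.B.C.D"


@dataclass
class Rule:
    """One numbered rule; a field left at None is a wildcard for that match."""
    number: int
    action: str
    description: str
    src: Optional[list[ipaddress.IPv4Network]] = None
    dst: Optional[ipaddress.IPv4Network] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, src, dst, proto, dport) -> bool:
        if self.src is not None and not any(src in net for net in self.src):
            return False
        if self.dst is not None and dst not in self.dst:
            return False
        if self.proto is not None and self.proto != proto:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return True


def evaluate(rules, default_action, src, dst, proto, dport):
    """Walk rules in ascending number order; the first match decides (model of a first-match chain)."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(src_ip, dst_ip, proto, dport):
            return rule.action, rule.number
    return default_action, None


# The rule set as posted: rule 85 matches on source only.
POSTED = [
    Rule(85, "accept", "Allow In IPs", src=ALLOWED_IPS),
    Rule(90, "drop", "BAD_NETS", src=BLOCKED_NETS),
    Rule(95, "accept", "Allow in to TCP/80 on ABCD", dst=SERVER, proto="tcp", dport=80),
]

# Same rules with rule 85 narrowed to the destination/protocol/port of rule 95,
# so the exemption only reaches TCP/80 on the server.
NARROWED = [
    Rule(85, "accept", "Allow In IPs to TCP/80 on ABCD", src=ALLOWED_IPS, dst=SERVER, proto="tcp", dport=80),
    Rule(90, "drop", "BAD_NETS", src=BLOCKED_NETS),
    Rule(95, "accept", "Allow in to TCP/80 on ABCD", dst=SERVER, proto="tcp", dport=80),
]

# Constructed probe traffic: (source, destination, protocol, destination port)
PROBES = {
    "exempt_ip_tcp80": ("10.1.1.1", "203.0.113.10", "tcp", 80),
    "exempt_ip_tcp22": ("10.1.1.1", "203.0.113.10", "tcp", 22),
    "blocked_net_tcp80": ("10.5.5.5", "203.0.113.10", "tcp", 80),
    "other_src_tcp80": ("198.51.100.7", "203.0.113.10", "tcp", 80),
    "other_src_tcp22": ("198.51.100.7", "203.0.113.10", "tcp", 22),
}


def run(rules) -> dict[str, tuple[str, Optional[int]]]:
    """Evaluate every probe against a rule set; default-action drop as in the post."""
    return {name: evaluate(rules, "drop", *probe) for name, probe in PROBES.items()}


if __name__ == "__main__":
    for label, rules in (("posted", POSTED), ("narrowed", NARROWED)):
        print(f"--- {label} ---")
        for name, (action, number) in run(rules).items():
            print(f"{name:20s} -> {action:6s} (rule {number})")
```

With the posted ordering, the exempt host reaches TCP/22 via rule 85; with rule 85 narrowed, that same packet falls through to rule 90 and is dropped, while TCP/80 from the exempt host, from the blocked networks, and from anywhere else still lands on the rule you would expect. In CLI terms the narrowed variant is just rule 85 carrying the same destination address, destination port and protocol statements that rule 95 already has.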