Manage Rules

Comments

13 comments

  • Manny Cavalier

    Are the RED's rules limited to only 999?

    1
  • Michael Bierman

    UPDATE:

    See firewalla's update on this below. 

    I believe that people should be aware that, because domains are IP based, they should not assume that "company.com" will cover "support.company.com". If they want to block (or allow) that, they must specify the subdomain they are targeting.

    The tutorial would be better if there were more detail like this. 

    0
  • Dave Stevenson

    Are there any plans to support URL based rules? I'd like to allow access to certain domains but restrict certain paths within those domains, e.g. allow everything from foo.com except foo.com/register, foo.com/user, foo.com/forum, etc. 

    0
  • Firewalla

    URL rules are not possible without unwrapping https sessions. This is something that, at the moment, we don't want to mess with. Doing anything with https breaks end-to-end trust, and that is something that is philosophically bad.

    0
  • Dave Stevenson

    Ah, understood. Good policy!

    0
  • FF

    Is there a way to combine rule filters in a single rule (as opposed to layered)?

    For instance:

    • on device 1, block all ports 12-23 except 13?
    • on device 2, allow all ports 12-23 except 13?
    • or block port 22 if the target region is not US?
    • etc....
    1
  • Brian Shimkus

    Not sure if I missed how to do this, but is there an ability to do wildcard allowing? Such as allowing "*.google.com" to catch all Google Classroom URLs?

     

    bks

    1
  • Michael Bierman

    @brian I think domains are IP based right now and there is no wildcard support. I would really like to have that! Nest devices have really long subdomains that look like they could change without notice.

    0
  • Support Team

    @Brian, @Michael,

    1. Domain blocking now uses both IP-based and DNS-based blocking. You can change to domain-based only in the Rule UI.

    2. The allow and block priority is a little complicated when taking scope (device, group, network, global) and subdomains (*.google.com) into consideration.

        first priority: scope (device > group > network > global)

        second priority: subdomain (the longest domain suffix takes priority, e.g. www.google.com > *.google.com)

        third priority: allow > block

    We are trying to simplify this in the app so that you don't have to worry about this most of the time. (We appreciate any feedback/ideas on this.)

    So:

    - If you don't specify blocking a specific google.com domain, allowing "*.google.com" should work.

    - When you block a category (such as video), it is equivalent to blocking each specific video site, such as xyz.googlevideo.com, and allowing "*.googlevideo.com" won't work, because xyz.googlevideo.com takes priority.


    0
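The precedence the Support Team lays out above (scope first, then the longest domain suffix, then allow over block), together with Michael Bierman's earlier point that a rule for "company.com" does not cover "support.company.com", modelled as an added Python example. This is illustration code written for this page, not Firewalla's implementation. The Rule class, the constructed VIDEO_CATEGORY list and the three defaults it relies on are assumptions: an exact pattern matches only that host, "*.x" matches hosts below x but not x itself, and a host matched by no rule is allowed. The thread does not settle whether Firewalla treats "google.com" as "*.google.com", so the model keeps them distinct.

```python
"""Toy model of allow/block rule precedence as described in the thread (added example).

Assumptions, not confirmed by the thread:
  * a pattern without a wildcard matches only that exact host
  * "*.example.com" matches hosts strictly below example.com, not example.com itself
  * a host matched by no rule is allowed
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# First priority: narrower scope wins (device > group > network > global).
SCOPE_RANK = {"device": 0, "group": 1, "network": 2, "global": 3}
# Third priority: on an otherwise equal tie, allow beats block.
ACTION_RANK = {"allow": 0, "block": 1}


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "block"
    domain: str   # "www.google.com" (exact) or "*.google.com" (subdomains)
    scope: str    # "device", "group", "network" or "global"


def _norm(name: str) -> str:
    return name.strip().lower().rstrip(".")


def matches(rule: Rule, host: str) -> bool:
    """Exact patterns match one host; '*.x' patterns match hosts strictly below x."""
    host, pattern = _norm(host), _norm(rule.domain)
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])     # ".google.com" keeps evilgoogle.com out
    return host == pattern


def specificity(rule: Rule) -> int:
    """Second priority: number of fixed labels, so 'www.google.com' (3) beats '*.google.com' (2)."""
    pattern = _norm(rule.domain)
    fixed = pattern[2:] if pattern.startswith("*.") else pattern
    return len(fixed.split("."))


def expand_category(action: str, category: str, scope: str,
                    catalog: Dict[str, List[str]]) -> List[Rule]:
    """A category rule behaves like one exact-host rule per site in that category."""
    return [Rule(action, site, scope) for site in catalog[category]]


def decide(host: str, rules: List[Rule]) -> Tuple[str, Optional[Rule]]:
    """Return (action, winning_rule). Order: scope, then longest suffix, then allow > block."""
    candidates = [r for r in rules if matches(r, host)]
    if not candidates:
        return "allow", None   # assumption: unmatched traffic is allowed
    winner = min(candidates, key=lambda r: (SCOPE_RANK[r.scope],
                                            -specificity(r),
                                            ACTION_RANK[r.action]))
    return winner.action, winner


# Constructed sample category list; not Firewalla's real "video" category.
VIDEO_CATEGORY: Dict[str, List[str]] = {
    "video": ["xyz.googlevideo.com", "www.youtube.com"],
}


def demo_rules() -> List[Rule]:
    """Rule set reproducing the cases discussed in the thread."""
    rules = expand_category("block", "video", "global", VIDEO_CATEGORY)
    rules += [
        Rule("allow", "*.googlevideo.com", "global"),  # loses to exact xyz.googlevideo.com block
        Rule("allow", "*.google.com", "global"),       # covers classroom.google.com
        Rule("block", "www.google.com", "global"),     # longer suffix than *.google.com
        Rule("block", "company.com", "global"),        # does NOT cover support.company.com
        Rule("block", "*.example.net", "global"),
        Rule("allow", "*.example.net", "device"),      # device scope beats global
    ]
    return rules


if __name__ == "__main__":
    for h in ["xyz.googlevideo.com", "abc.googlevideo.com", "classroom.google.com",
              "www.google.com", "company.com", "support.company.com", "cdn.example.net"]:
        action, rule = decide(h, demo_rules())
        print(f"{h:24} -> {action:5}  via {rule}")
```

Running the block prints the decision and the winning rule for each sample host; the xyz.googlevideo.com line shows the category block beating the broader allow exactly as the Support Team describes, and support.company.com shows why a rule for the apex domain alone does not reach its subdomains.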
  • Michael Bierman

    Thanks @Firewalla. So are:

    google.com = *.google.com ? Or does google.com only refer to the second-level domain name? 

    1
  • Michael Bierman

    I notice that rules applied to all devices don't show up when you look at the rules for a device. I would advocate that all rules that affect a device should be shown, or this is a recipe for customers to be confused, which could cause support issues.

    0
  • Brian Shimkus

    I have the same question as Michael.

    The app shows google.com if I input *.google.com as the domain I want to allow.

    1
  • Michael Bierman

    @Brian, I noticed that too. Hopefully that means the second level domain includes all subdomains. I’d love to hear @firewalla confirm though. 

    0