Firewall rule Assignment - Interface vs Port

All,

I am trying to understand what is meant in the manual and in the interface by assigning firewall rules to a port vs an interface/interface pair. I understand "Pre" and "Post" fine but what is the difference between assigning a policy to the interface with the "/Port" suffix and assigning it to just the interface? Circled below is an example of what I am asking about.

FWRuleAssignment.jpg

Thanks in advance

5 Replies
Reliable Contributor
Message 2 of 6

Re: Firewall rule Assignment - Interface vs Port

Hi jvdavis,

I'm not 100% on this but I think this only matters if you have created sub-interfaces on your sensor.

Applying the policy to the port will apply it to all interfaces and sub-interfaces.

Applying it to the interface will not apply it to the sub-interfaces.

Do you know how this works?

Peter

Reliable Contributor
Message 3 of 6

Re: Firewall rule Assignment - Interface vs Port

So the reason I think that there is still a "port" option is because when assigning the policy there, the interfaces/sub-interfaces inherit it. Whereas just assigning the policy to the "port-pair" does not do the same thing.

This is definitely something that I would bug support about to get cleared up/confirmed.

Reliable Contributor
Message 4 of 6

Re: Firewall rule Assignment - Interface vs Port

Sorry, meant to put an example in:

High level example:

10/AB has 2 sub-interfaces; all interfaces see traffic over port 80, and you would like this to be blocked, but only for those ports, not the entire device.

Assigning the policy at the "port" level for 10/AB will ensure that all sub-interfaces inherit this. Whereas assigning the policy at the interface level would require you to also assign it at the sub-interface level, because policies assigned to an interface (port-pair) are not inherited by sub-interfaces.

I hope I am making sense.

Re: Firewall rule Assignment - Interface vs Port

Yes, all this makes sense. Do you think it would be helpful to temporarily create sub-interfaces to see how that would change the options available?

BTW, working with all NS-series sensors on this one; I don't think that is a factor, but I could be wrong.

Reliable Contributor
Message 6 of 6

Re: Firewall rule Assignment - Interface vs Port

jvdavis,

I think that would help clear things up a bit for anyone else that may find this topic in the future.

Regards,

Matthew
