I am trying to understand what is meant in the manual and in the interface by assigning firewall rules to a port vs an interface/interface pair. I understand "Pre" and "Post" fine but what is the difference between assigning a policy to the interface with the "/Port" suffix and assigning it to just the interface? Circled below is an example of what I am asking about.
Thanks in advance
So the reason I think that there is still a "port" option is because when assigning the policy there, the Interfaces/Sub-Interfaces inherit it, whereas just assigning the policy to the "port-pair" does not do the same thing.
This is definitely something that I would bug support about to get cleared up/confirmed.
Sorry, I meant to put an example in:
High level example:
10/AB has 2 sub-interfaces, all interfaces see traffic over port 80, and you would like this to be blocked, but only for those ports, not the entire device.
Assigning the policy at the "port" level for 10/AB will ensure that all sub-interfaces inherit this, whereas assigning the policy at the interface level would require you to also assign it at the sub-interface level, because policies assigned to an Interface (port-pair) are not inherited by sub-interfaces.
I hope I am making sense.
Yes, all this makes sense. Do you think it would be helpful to temporarily create sub-interfaces to see how that would change the options available?
BTW, I'm working with all NS series sensors on this one, but I don't think that is a factor; I could be wrong, though.