
Originally Posted by DannyW
Thanks Tim, this sounded familiar, so I went back and re-read pages 184 - 191 of your book and it makes a bit more sense. I verified that "any" is not a destination in the APCL/URLF policy. If you could indulge a few follow-ups?
My AP/URL policy is pretty simple, only 15 rules - the 15th being any -> internet Block, and it has 134K hits (compared to 4M for an accept rule higher in the policy). In the fw policy, the browsing rule is pretty simple: locally_connected_networks -> "not-internal" http/https accept. And then in the APP/URL policy, I have a hierarchy of rules that use access roles, and categories, allows and blocks. My assumption for the drop rule having hits is it's people that don't belong to any browsing access role, trying to get out - and they shouldn't be able to. So, I assume if I remove the APP/URL cleanup rule 15, those users will still be blocked because they're not specifically allowed?
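The question above comes down to how a first-match rule base treats traffic that matches no rule. The following is an added example, not code from the post or from Check Point: a constructed model of an Application Control / URL Filtering layer with access-role and category rules, where the rule names, roles, categories and sample flows are all invented. It shows that the hit count on an explicit "any -> any block" cleanup rule is exactly the number of flows that fell through every earlier rule (users in no access role, or users going to a destination no rule lists), and that once that explicit rule is removed, the verdict for those same flows is decided by the layer's implicit cleanup action, which the model takes as a per-layer setting.

```python
"""Constructed first-match rule base model (added example, not Check Point's own code)."""
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    roles: frozenset    # access roles this rule matches; "any" matches every user
    dests: frozenset    # destination categories; "any" matches every destination
    action: str         # "accept" or "block"
    hits: int = 0       # incremented each time this rule is the first match


@dataclass
class Layer:
    rules: list
    implicit_cleanup: str = "block"   # assumed per-layer setting applied when nothing matches


def match(layer: Layer, user_roles: set, dest: str):
    """First-match evaluation: return (rule name, action) and count the hit."""
    for rule in layer.rules:
        role_hit = "any" in rule.roles or bool(rule.roles & user_roles)
        dest_hit = "any" in rule.dests or dest in rule.dests
        if role_hit and dest_hit:
            rule.hits += 1
            return rule.name, rule.action
    return "implicit cleanup", layer.implicit_cleanup


def build_layer(explicit_cleanup: bool, implicit_cleanup: str = "block") -> Layer:
    """Hypothetical APCL/URLF layer; the last rule is the explicit cleanup when requested."""
    rules = [
        Rule("1 staff to business", frozenset({"staff"}), frozenset({"business"}), "accept"),
        Rule("2 staff to social block", frozenset({"staff"}), frozenset({"social"}), "block"),
        Rule("3 contractors to vendor", frozenset({"contractor"}), frozenset({"vendor"}), "accept"),
    ]
    if explicit_cleanup:
        rules.append(Rule("cleanup any to internet", frozenset({"any"}), frozenset({"any"}), "block"))
    return Layer(rules, implicit_cleanup)


# Constructed sample flows: (roles the user holds, destination category)
FLOWS = [
    ({"staff"}, "business"),
    ({"staff"}, "social"),
    ({"contractor"}, "vendor"),
    (set(), "news"),        # user in no access role: falls through every rule
    ({"staff"}, "news"),    # staff user to a category no rule lists: also falls through
]


def run(explicit_cleanup: bool, implicit_cleanup: str = "block"):
    """Evaluate all sample flows; return the verdicts and per-rule hit counts."""
    layer = build_layer(explicit_cleanup, implicit_cleanup)
    verdicts = [match(layer, roles, dest) for roles, dest in FLOWS]
    hits = {rule.name: rule.hits for rule in layer.rules}
    return verdicts, hits


if __name__ == "__main__":
    for explicit, implicit in ((True, "block"), (False, "block"), (False, "accept")):
        verdicts, hits = run(explicit, implicit)
        print(f"explicit cleanup={explicit}, implicit cleanup={implicit}")
        for (roles, dest), (rule, action) in zip(FLOWS, verdicts):
            print(f"  {sorted(roles) or ['no role']} -> {dest}: {action} ({rule})")
        print(f"  hits: {hits}")
```

Running it shows the explicit cleanup rule collecting two hits, one from the role-less user and one from a staff user going to an unlisted category, which is why such a rule's hit counter is worth reading before deleting it: those flows are not all "people with no access role". With the explicit rule removed, the same two flows land on the implicit cleanup, and whether they are blocked or accepted is whatever that layer setting says, so the setting should be checked rather than assumed.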