If you don't want a vlan to communicate with another VLAN on a site, is it best practice to put the firewall rule in the site firewall or within a group policy and apply that policy on the vlan?
I would use the rules on the Firewall-page of the MX. These rule work statefully any return-traffic is automatically allowed. Just remember to also configure your VPN-rules if a VLAN should also be not allowed to communicate through the VPN.
I would use the rules on the Firewall-page of the MX. These rule work statefully any return-traffic is automatically allowed. Just remember to also configure your VPN-rules if a VLAN should also be not allowed to communicate through the VPN.
Also get a second person to try and "break" or "Bypass" what you have done so that you get confirmation that what you want to achieve is actually happening. A second pair of eyes is always very useful with this kind of thing.
