I'm trying to streamline and organize my firewall rules a bit more and I noticed that when creating a Layer 3 rule, I can put multiple CIDRs and IP addresses separated by commas. I was going to allow traffic in and out to a specific device, but I assumed I'd have to make a rule for each direction. This is how I've usually done it when allowing traffic for both directions:
Is it possible to make 1 rule and allow traffic in and out by separating by comma? Is this good practice? Like this?
NOTE: I'm blocking all other traffic on this subnet, I just want to allow access to this one device. I'll probably break it apart by port if this actually is ideal.
Also, are there other keywords I can use in these SOURCE and DESTINATION (like ANY)? Such as WAN or LAN? Or just use the gateway address maybe?
Thank you
Regardless of if you can, I don't think you should.
Mirror rules are clear: X is allowed/denied to Y. Y is allowed/denied to X.
Each line shows one relationship.
I would rather read more, clearer lines.
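An added illustration, not part of any post in this thread, of why the single comma-separated rule is broader than the mirrored pair. It assumes the usual list semantics (each listed source is matched against each listed destination) and uses constructed, hypothetical addresses.

```python
from itertools import product

# Constructed, hypothetical addresses (not from the thread).
SUBNET = "10.10.20.0/24"    # the VLAN being locked down
DEVICE_A = "10.10.30.5/32"  # the one device that must stay reachable
DEVICE_B = "10.10.30.6/32"  # a second device added to the same rule later


def pairs(rule):
    """Every (src, dest) combination a single rule matches.

    Comma-separated SOURCE and DESTINATION lists are not paired up
    positionally: each source is matched against each destination.
    """
    srcs = [s.strip() for s in rule["srcCidr"].split(",")]
    dsts = [d.strip() for d in rule["destCidr"].split(",")]
    return set(product(srcs, dsts))


def allowed_pairs(rules):
    """Union of the pairs matched by all allow rules in a list."""
    return set().union(*(pairs(r) for r in rules if r["policy"] == "allow"))


def mirrored(a, b):
    """Two explicit rules, one per direction: a -> b and b -> a."""
    return [
        {"policy": "allow", "srcCidr": a, "destCidr": b},
        {"policy": "allow", "srcCidr": b, "destCidr": a},
    ]


def combined(*cidrs):
    """One rule carrying the same comma-separated list in both columns."""
    joined = ",".join(cidrs)
    return [{"policy": "allow", "srcCidr": joined, "destCidr": joined}]


def unintended(combined_rules, mirrored_rules):
    """Pairs the combined rule permits that the mirrored rules do not."""
    return allowed_pairs(combined_rules) - allowed_pairs(mirrored_rules)


if __name__ == "__main__":
    intended = mirrored(SUBNET, DEVICE_A) + mirrored(SUBNET, DEVICE_B)
    shortcut = combined(SUBNET, DEVICE_A, DEVICE_B)
    for src, dst in sorted(unintended(shortcut, intended)):
        print(f"extra allow: {src} -> {dst}")
```

With two devices in the list, the shortcut also permits DEVICE_A to DEVICE_B in both directions, which the four mirrored rules never grant.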
You could "Make a wish" on the firewall configuration page for Firewall Objects. Maybe this will help speed this up and will bring new potential to firewall configuration on MX.
Excellent point. Thanks!
I tend to create a group policy for each VLAN I want to restrict and put the firewall rules in there. I find it much easier when there are a lot of rules. The rules in this case only limit traffic from the VLAN towards the MX.