Group Policy L3 Firewall policy limitations

MichielQ
Conversationalist


Can someone clarify why there are so many limitations in designing L3 Firewall policies for group policies? We primarily use this to limit access for VPN clients connected via Secure Client on the MX, to be able to design different access policies based on which AD group a user is a member of (by RADIUS Filter-ID). However, creating the policy rules is extremely limited in functionality:
- A policy protocol definition can only be TCP, UDP, ICMP or Any. A combination (e.g. both TCP and UDP) is not possible. When selecting 'Any' as protocol specification, you can no longer specify the port. For example, creating a rule to allow TCP and UDP communication over port 53 requires 2 separate rules.
- A policy destination can only be expressed either as a single IP address or as a specific prefix. You can't combine (e.g. in a comma-separated list) multiple addresses or prefixes. Any combination of IP addresses requires separate rules.
- The port can only be expressed as a single port, one specific port range or as 'any'. A comma-separated list is not possible, meaning when you'd like to combine multiple ports, this requires separate rules.
Currently our only viable solution is to construct the Group Policy L3 firewall policies by using the API, just to be able to simplify/automate a small portion of this task, but it's still not ideal. How does everybody configure these firewall rules? Is it such a complicated task to enhance the functionality of the policy editor to further simplify rule creation?
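
The API route mentioned above can at least absorb the combinatorics. The following is an added example, not code from the original post or from Cisco Meraki: it takes a compact rule format (one rule with several protocols, several destinations and several ports, which is an assumption of this example and not something the dashboard accepts) and expands it into the one-protocol, one-destination, one-port rules that the Group Policy L3 firewall editor and the Dashboard API expect, then builds the `PUT /networks/{networkId}/groupPolicies/{groupPolicyId}` body. The sample rules are constructed for illustration; the field names `firewallAndTrafficShaping`, `settings`, `l3FirewallRules`, `policy`, `protocol`, `destCidr` and `destPort` are the documented API fields, and the `X-Cisco-Meraki-API-Key` header is the documented authentication header.

```python
import itertools
import json
import urllib.request

# Constructed sample input in the compact format used by this example.
# The dashboard and API only take one protocol, one destCidr and one
# destPort (or range) per rule, so these get expanded below.
COMPACT_RULES = [
    {
        "comment": "AD DNS and Kerberos for VPN users",
        "policy": "allow",
        "protocols": ["tcp", "udp"],
        "destinations": ["10.10.0.10/32", "10.10.0.11/32"],
        "ports": ["53", "88", "464"],
    },
    {
        "comment": "Ping the server subnet",
        "policy": "allow",
        "protocols": ["icmp"],
        "destinations": ["10.10.0.0/24"],
        "ports": ["any"],
    },
    {
        "comment": "Default deny",
        "policy": "deny",
        "protocols": ["any"],
        "destinations": ["any"],
        "ports": ["any"],
    },
]

# Protocols for which the editor refuses a port specification.
PORTLESS_PROTOCOLS = {"icmp", "any"}


def expand_rule(rule):
    """Expand one compact rule into the per-protocol/destination/port rules
    the API accepts. Rejects a port on an ICMP or 'any' rule, which the
    dashboard would also refuse."""
    expanded = []
    for proto, dest, port in itertools.product(
        rule["protocols"], rule["destinations"], rule["ports"]
    ):
        if proto in PORTLESS_PROTOCOLS and port != "any":
            raise ValueError(
                f"{rule['comment']}: protocol {proto} cannot carry port {port}"
            )
        expanded.append(
            {
                "comment": rule["comment"],
                "policy": rule["policy"],
                "protocol": proto,
                "destCidr": dest,
                "destPort": port,
            }
        )
    return expanded


def expand_rules(rules):
    """Expand all compact rules, preserving order (rules are evaluated
    top-down) and dropping exact duplicates produced by overlapping specs."""
    seen = set()
    result = []
    for rule in rules:
        for r in expand_rule(rule):
            key = (r["policy"], r["protocol"], r["destCidr"], r["destPort"])
            if key in seen:
                continue
            seen.add(key)
            result.append(r)
    return result


def build_payload(rules):
    """Body for PUT /networks/{networkId}/groupPolicies/{groupPolicyId}.
    'custom' tells the group policy to use its own rules rather than the
    network default."""
    return {
        "firewallAndTrafficShaping": {
            "settings": "custom",
            "l3FirewallRules": expand_rules(rules),
        }
    }


def push_group_policy(api_key, network_id, group_policy_id, rules,
                      base_url="https://api.meraki.com/api/v1"):
    """Send the expanded rule set to the dashboard. Not called at import time;
    only run this with a real API key, network ID and group policy ID."""
    req = urllib.request.Request(
        f"{base_url}/networks/{network_id}/groupPolicies/{group_policy_id}",
        data=json.dumps(build_payload(rules)).encode(),
        method="PUT",
        headers={
            "X-Cisco-Meraki-API-Key": api_key,
            "Content-Type": "application/json",
        },
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    print(json.dumps(build_payload(COMPACT_RULES), indent=2))
```

The two-protocol, two-host, three-port rule alone becomes twelve API rules, which is exactly the growth the editor forces on you by hand; keeping the compact form in version control and regenerating the expanded list on each change also makes it easy to review what a given AD group is actually allowed to reach before the `PUT` overwrites the whole rule list.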

alemabrahao
Kind of a big deal

The only thing that I can suggest is to "make a wish" for the Meraki team.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.