@Nash: exactly, thank you! In a nutshell, the setup looks like this: 1) Clients from 192.168.10.0/24 will access servers within the DMZ (192.168.100.0/24) 2) Global ruleset looks like this: allow TCP 192.168.10.0/24 any to 192.168.100.0/24 22,80,443 3) Group Policy bound to the DMZ VLAN permits everything except RFC1918 networks Accessing the DMZ servers, I see everything going through to the server. The MX will block the returning packets from the server to the client. That‘s what I would expect a stateful firewall not to do. Only if I add allow rules back from server to client in the Group Policy (where of course no destination port can be configured because of the random client source port) I‘m able to make communication happening. What‘s the use of Group Policies then when you have to reflect access in both places? Especially if you can‘t clearly define the rule „backwards“? Guess I‘m just using the MX platform „wrongly“ or am expecting it to do more than it‘s able to deliver. Just would like to understand if my approach is simply too stupid or if I‘m getting things completely wrong. From what I can see, flows are not being handled in a stateful manner though. Perhaps I made my point clear enough now, really hope to be enlightened. :)
... View more
