User is a member of Multiple Groups

Author
mwkirk
2017/05/02 14:14:24

So.... 
 
Two FSSO groups: General Users and Social Media.  I have two identical Firewall Policies except that one has a filter profile that references the General Users and the General Filtering Policy.  The other references the Social Media group and policy....
 
So...The way it works is that once it gets a User Group match then it processes that policy. It's a firewall and that's the way it works....  So, basically the policies need to be arranged from least restrictive to most restrictive. You can only really support a single match.
 
The only question I have is I thought there was a concept called Fall-through rules or something like that introduced in 5.2 which could support multiple group matches.  Is that something that does exist and/or my expectations of what it actually does are incorrect?
#1


    emnoc
    Re: User is a member of Multiple Groups 2017/05/02 19:23:36
    I have really never seen fall-thru, but have you run diag debug flow and followed the policy execution & selection?
     

    PCNSE6,PCNSE7, ACE, CCNP,FCNSP,FCESP,Linux+,CEH,ECSA,SCSA,SCNA,CISCA
    #2
    EshChad
    Re: User is a member of Multiple Groups 2017/12/21 07:13:57
    mwkirk
    So.... 
     
    Two FSSO groups: General Users and Social Media.  I have two identical Firewall Policies except that one has a filter profile that references the General Users and the General Filtering Policy.  The other references the Social Media group and policy....
     
    So...The way it works is that once it gets a User Group match then it processes that policy. It's a firewall and that's the way it works....  So, basically the policies need to be arranged from least restrictive to most restrictive. You can only really support a single match.
     
    The only question I have is I thought there was a concept called Fall-through rules or something like that introduced in 5.2 which could support multiple group matches.  Is that something that does exist and/or my expectations of what it actually does are incorrect?


    Did you ever manage to find out what happens with a user with multiple groups? I'm in the same boat.
    #3