Firewall Wizards mailing list archives

Re: Opinion: Worst interface ever.


From: "Dave Piscitello" <dave () corecom com>
Date: Tue, 05 Jul 2005 10:31:24 -0400


On 5 Jul 2005 at 9:25, Marcus J. Ranum wrote:

Paul D. Robertson wrote:
The new Watchguard software "automatically" decides ruleset


This is not correct. If you CHOOSE, the policy manager will order the 
ruleset for you. Manual mode is available in the details view. Right-
click any policy and you can switch to manual mode and move policies 
in whatever order you wish.

evaluation order, there's no easy way that I can find to figure
out what order something's going to be evaluated in.

I don't understand this comment. The help page explains exactly how 
the policies are ordered, precedence actions, etc. 

"Fireware Policy Manager automatically sorts policies from the most 
detailed to the most general. Each time you add a policy, Policy 
Manager compares the new rule with all the rules in your 
configuration file. To set the precedence, Policy Manager uses these 
criteria:

   1. Protocols set for the policy type
   2. Traffic rules of the To field
   3. Traffic rules of the From field
   4. Firewall action
   5. Schedule
   6. Alphanumeric sequence based on policy type
   7. Alphanumeric sequence based on policy name...

<additional details not cut-pasted>

When I suggested that they optimize the "deny all" default deny to the
top of the sequence, because then it'd really scream - it took him a
couple of seconds to laugh.

This is the policy order I have on my kids' subnet;-)

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
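
The ordering question in this thread, as an added example that is not part of the original message and is not WatchGuard's own algorithm: under first-match evaluation, a general policy placed above a specific one shadows it, and sorting from most detailed to most general removes the shadowing. The policy names, addresses and the specificity measure (named protocol before "any", longer prefix before shorter, To before From) are assumptions constructed for illustration.

```python
from ipaddress import ip_network
from typing import NamedTuple

class Policy(NamedTuple):
    name: str
    proto: str   # e.g. "tcp/80", or "any"
    src: str     # From field, as CIDR
    dst: str     # To field, as CIDR
    action: str  # "allow" or "deny"

def covers(a: Policy, b: Policy) -> bool:
    """True if every packet that b matches is also matched by a."""
    return (a.proto in ("any", b.proto)
            and ip_network(b.src).subnet_of(ip_network(a.src))
            and ip_network(b.dst).subnet_of(ip_network(a.dst)))

def shadowed(rules):
    """Names of policies that can never fire under first-match evaluation
    because a single earlier policy already matches all of their traffic."""
    return [r.name for i, r in enumerate(rules)
            if any(covers(earlier, r) for earlier in rules[:i])]

def specific_first(rules):
    """Order most detailed to most general: protocol, then To, then From,
    then name as a tie-breaker (assumed measure, see lead-in)."""
    return sorted(rules, key=lambda r: (r.proto == "any",
                                        -ip_network(r.dst).prefixlen,
                                        -ip_network(r.src).prefixlen,
                                        r.name))

# Constructed sample ruleset with the default deny moved to the top.
DENY_ALL_FIRST = [
    Policy("deny-all", "any", "0.0.0.0/0", "0.0.0.0/0", "deny"),
    Policy("web-out", "tcp/80", "10.0.1.0/24", "0.0.0.0/0", "allow"),
    Policy("dns-kids", "udp/53", "10.0.2.0/24", "192.0.2.53/32", "allow"),
]

if __name__ == "__main__":
    print("shadowed with deny-all first:", shadowed(DENY_ALL_FIRST))
    ordered = specific_first(DENY_ALL_FIRST)
    print("specific-first order:", [p.name for p in ordered])
    print("shadowed after sorting:", shadowed(ordered))
```

The check only finds a policy fully covered by one earlier policy; shadowing by a combination of several earlier policies is not detected.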

