Help writing a flow redirect acl

  • Updated 10 months ago
  • Answered
What I am attempting to do is to push any outbound port 80 traffic (https too, but not in this example) to the internet with a flow redirect command, but skip it if the traffic is local. So here's what I have so far; the ** are comments for the sake of this post. Does this make sense?

ACL

entry Allhttp {
    if {
        protocol tcp;
        source-address 10.234.0.0/16;
        destination-address 10.234.0.0/16;
        source-port 80;
    }
    then {
        deny;     ** in essence skip
    }

    ** so if not the above do this.

    if {
        protocol tcp;
        source-address 10.234.0.0/16;
        source-port 80;
    }
    then {
        redirect-name ToBluecoat;
        count WebHTTP;
    }
}
Dave Bogdan

Posted 10 months ago

Karthik Mohandoss, Employee

Hi Dave,

The rules which you have mentioned need to be modified a bit.

Instead of "deny", using the "permit" action modifier will apply the normal forwarding logic.

All the below rules must be in the same policy file.


Here is a sample.
# Entries are evaluated top to bottom; first match wins.
# Same subnet, HTTP: permit so the packet is forwarded normally (not redirected).
entry HTTP_PACKETS_TO_10.234.0.0 {
    if match all {
        protocol tcp;
        destination-port 80;
        source-address 10.234.0.0/16;
        destination-address 10.234.0.0/16;
    } then {
        permit;
    }
}

# same subnet but matching https traffic
entry HTTPS_PACKETS_TO_10.234.0.0 {
    if match all {
        protocol tcp;
        destination-port 443;
        source-address 10.234.0.0/16;
        destination-address 10.234.0.0/16;
    } then {
        permit;
    }
}

# Anything else from 10.234.0.0/16 to port 80 (i.e. off-subnet) is redirected.
# Note: the match is on destination-port, since outbound client traffic uses an
# ephemeral source port and port 80 as the destination.
entry HTTP_to_other_than_10.234.0.0_16 {
    if match all {
        protocol tcp;
        destination-port 80;
        source-address 10.234.0.0/16;
    } then {
        redirect-name ToBluecoat;
        count WebHTTP;
    }
}

entry HTTPS_to_other_than_10.234.0.0_16 {
    if match all {
        protocol tcp;
        destination-port 443;
        source-address 10.234.0.0/16;
    } then {
        redirect-name ToBluecoat;
        count WebHTTPS;
    }
}


Here is an article on how to configure flow redirect.
https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-flow-redirect

I hope this helps!
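As an added illustration (not part of the thread or of any Extreme Networks tool), here is a small Python model of how the policy above is evaluated: entries are checked top to bottom with "match all" semantics, the first match decides, and a flow matching no entry is forwarded normally. The flows, addresses and the hypothetical `Flow`/`evaluate` names are constructed for this example; it also models the original post's `source-port 80` condition to show why it never matches outbound client traffic.

```python
import ipaddress
from dataclasses import dataclass

LOCAL = ipaddress.ip_network("10.234.0.0/16")  # subnet from the thread


@dataclass(frozen=True)
class Flow:
    """One packet/flow as seen by the ACL (constructed example type)."""
    proto: str
    src: str
    dst: str
    sport: int
    dport: int


def match_all(flow, proto=None, src_net=None, dst_net=None, sport=None, dport=None):
    """'if match all' semantics: every condition present must hold."""
    return all([
        proto is None or flow.proto == proto,
        src_net is None or ipaddress.ip_address(flow.src) in src_net,
        dst_net is None or ipaddress.ip_address(flow.dst) in dst_net,
        sport is None or flow.sport == sport,
        dport is None or flow.dport == dport,
    ])


# The answer's policy, in order: (entry name, conditions, action)
POLICY = [
    ("HTTP_PACKETS_TO_10.234.0.0", dict(proto="tcp", dport=80, src_net=LOCAL, dst_net=LOCAL), "permit"),
    ("HTTPS_PACKETS_TO_10.234.0.0", dict(proto="tcp", dport=443, src_net=LOCAL, dst_net=LOCAL), "permit"),
    ("HTTP_to_other_than_10.234.0.0_16", dict(proto="tcp", dport=80, src_net=LOCAL), "redirect ToBluecoat"),
    ("HTTPS_to_other_than_10.234.0.0_16", dict(proto="tcp", dport=443, src_net=LOCAL), "redirect ToBluecoat"),
]

# The original post's condition: matches on SOURCE port 80 (the bug the answer fixes).
OP_POLICY = [("Allhttp", dict(proto="tcp", sport=80, src_net=LOCAL), "redirect ToBluecoat")]


def evaluate(flow, policy=POLICY):
    """Return (matching entry name, action); no match means normal forwarding."""
    for name, cond, action in policy:
        if match_all(flow, **cond):
            return name, action
    return None, "permit"


# Constructed sample flows (documentation address ranges for the "internet" side).
FLOWS = {
    "local_http": Flow("tcp", "10.234.1.10", "10.234.5.5", 51000, 80),
    "internet_http": Flow("tcp", "10.234.1.10", "198.51.100.20", 51001, 80),
    "internet_https": Flow("tcp", "10.234.1.10", "198.51.100.20", 51002, 443),
    "internet_dns": Flow("udp", "10.234.1.10", "203.0.113.53", 51003, 53),
}
```

Running `evaluate(FLOWS["internet_http"], OP_POLICY)` returns no match, because a client's outbound HTTP request carries port 80 as the destination, not the source.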
Dave Bogdan

Perfect!! Thank you. I'll test it later this week.