NAC Service Rule

Ronny_Engelhard
New Contributor II
Hi together,

one quick question.
I want to deny traffic for a specific Role in Policy Manager.
So the aim is that traffic from that Role is denied if the Destination is for example
the subnet 192.168.1.0/24 with Port 22 (SSH).
I have tried to forbid this traffic with IP TCP Port Destination, but it doesn't work for a subnet, and also not if I insert a single host.
Only IP Socket Destination denied that traffic for a single host, but it was not possible to insert a complete subnet in this application mask.
So where is my fault?
Is it possible to deny such traffic for a complete destination subnet?
I also don't understand the difference between IP Socket Destination and IP TCP Port Destination.

Greetings Ronny
5 REPLIES

Andre_K_
New Contributor
Hi Ronny,

Easy question first: the difference between "IP Socket Destination" and "IP TCP Port Destination" is that the first will match on both UDP and TCP, while "IP TCP/UDP Port Destination" only match their respective protocol.

As to your actual problem, I don't think building such a rule is possible. It seems like there is some kind of technical limitation as to how complex these policy rules can become.

If your clients are not residing in the same subnet as the SSH servers (192.168.1.0 in your example), I guess the easiest workaround would be to block those SSH connections with an ACL on their gateway.
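To make the difference between the two rule types concrete, here is a small model of Policy Manager-style deny rules checked against a handful of constructed flows. This is an added example written for this thread, not Extreme's code or output: the rule-type names follow the thread, the flows and addresses are made up, and the model assumes ideal matching (a subnet destination is accepted on both rule types) so that you can see which flows each rule would leave uncovered. The product limitation Ronny hit is not reproduced here.

```python
"""Model of Policy Manager-style deny rules, evaluated against constructed flows.

Added example, not Extreme's code. Rule kinds follow the thread:
- "IP Socket Destination": destination + port, matches both TCP and UDP
- "IP TCP Port Destination" / "IP UDP Port Destination": destination + port, one protocol only
Subnet (CIDR) destinations are an assumption added to show what a per-subnet rule would cover.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    dst_ip: str
    dst_port: int
    proto: str  # "tcp" or "udp"


@dataclass(frozen=True)
class DenyRule:
    kind: str          # rule type as named in the thread
    destination: str   # single host or CIDR subnet (CIDR support is assumed here)
    port: int

    def matches(self, flow: Flow) -> bool:
        # A bare host string becomes a /32, so host and subnet rules share one check.
        net = ipaddress.ip_network(self.destination, strict=False)
        if ipaddress.ip_address(flow.dst_ip) not in net:
            return False
        if flow.dst_port != self.port:
            return False
        if self.kind == "IP Socket Destination":
            return flow.proto in ("tcp", "udp")
        if self.kind == "IP TCP Port Destination":
            return flow.proto == "tcp"
        if self.kind == "IP UDP Port Destination":
            return flow.proto == "udp"
        raise ValueError(f"unknown rule kind {self.kind!r}")


def denied_by(rules, flows):
    """Return the flows (in input order) that at least one rule would deny."""
    return [f for f in flows if any(r.matches(f) for r in rules)]


def uncovered(rules, flows):
    """Flows that no deny rule catches: the gap a defender should review before relying on the rule set."""
    return [f for f in flows if not any(r.matches(f) for r in rules)]


# Constructed sample traffic: SSH to two hosts in 192.168.1.0/24, UDP/22, SSH outside the
# subnet (must stay allowed), and HTTP inside the subnet (must stay allowed).
FLOWS = [
    Flow("192.168.1.10", 22, "tcp"),
    Flow("192.168.1.200", 22, "tcp"),
    Flow("192.168.1.10", 22, "udp"),
    Flow("10.0.0.5", 22, "tcp"),
    Flow("192.168.1.10", 80, "tcp"),
]

# What the thread describes: a single-host socket rule works, a subnet TCP-port rule is the goal.
HOST_SOCKET_RULE = DenyRule("IP Socket Destination", "192.168.1.10", 22)
SUBNET_TCP_RULE = DenyRule("IP TCP Port Destination", "192.168.1.0/24", 22)

if __name__ == "__main__":
    for label, rules in [
        ("host socket rule only", [HOST_SOCKET_RULE]),
        ("subnet TCP rule only", [SUBNET_TCP_RULE]),
        ("both rules", [HOST_SOCKET_RULE, SUBNET_TCP_RULE]),
    ]:
        print(label)
        for f in FLOWS:
            print("  DENY " if f in denied_by(rules, FLOWS) else "  allow", f)
```

Run as a script it prints, per rule set, which of the five flows is denied. The host socket rule catches TCP and UDP to 192.168.1.10 but misses 192.168.1.200 entirely; the subnet TCP rule catches SSH to every host in the /24 but, by design, not UDP/22. Neither rule touches SSH to 10.0.0.5 or HTTP inside the subnet, which is the overreach check worth running on any deny rule before it goes into a role.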