Help writing a flow redirect acl
‎08-14-2017 07:09 PM
What I am attempting to do is to push any outbound port 80 traffic (https too but not in this example) to the internet with a flow redirect command but skip if the traffic is local. So here's what I have so far: the ** are comments for the sake of this post. Does this make sense?
ACL
entry Allhttp {
    if {
        protocol tcp;
        source-address 10.234.0.0/16;
        destination-address 10.234.0.0/16;
        source-port 80;
    }
    then {
        Deny; ** in essence skip
    }
    ** so if not the above do this.
    if {
        protocol tcp;
        source-address 10.234.0.0/16;
        source-port 80;
    }
    then {
        redirect-name ToBluecoat;
        count WebHTTP;
    }
}
2 REPLIES
‎08-15-2017 10:07 PM
Perfect!! Thank you. I'll test it later this week.
‎08-15-2017 04:04 AM
Hi Dave,
The rules which you have mentioned need to be modified a bit.
Instead of "deny", using the "permit" action modifier will apply the normal forwarding logic.
All the rules below must be in the same policy file.
Here is a sample.
entry HTTP_PACKETS_TO_10.234.0.0 {
    If match all {
        Protocol TCP;
        destination-port 80;
        source-address 10.234.0.0/16;
        destination-address 10.234.0.0/16;
    } then {
        permit;
    }
}
# same subnet but matching https traffic
entry HTTPS_PACKETS_TO_10.234.0.0 {
    If match all {
        Protocol TCP;
        destination-port 443;
        source-address 10.234.0.0/16;
        destination-address 10.234.0.0/16;
    } then {
        permit;
    }
}
entry HTTP_to_other_than_10.234.0.0/16 {
    if match all {
        protocol TCP ;
        destination-port 80 ;
        source-address 10.234.0.0/16 ;
    }
    then {
        redirect-name ToBluecoat;
        count WebHTTP;
    }
}
entry HTTPS_to_other_than_10.234.0.0/16 {
    if match all {
        protocol TCP ;
        destination-port 443 ;
        source-address 10.234.0.0/16 ;
    }
    then {
        redirect-name ToBluecoat;
        count WebHTTPS;
    }
}
Here is an article on how to configure flow redirect.
https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-flow-redirect
I hope this helps!
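A way to sanity-check both policies in this thread (the original two-clause entry in the question and the four permit/redirect entries in the reply) before loading either on a switch is to simulate first-match evaluation against a handful of constructed flows. The script below is an added example and is not code from the thread, from Extreme Networks, or from the linked article; it parses only the subset of the policy syntax used here (entry, if / if match all, then, permit, deny, redirect-name, count), assumes first-match semantics, treats a packet that matches no entry as normally forwarded, and uses constructed sample flows with a TEST-NET-2 address as the "internet" destination. It shows why the original draft never matches an outbound web request (it tests source-port 80, which only return traffic from a local web server carries) and how the reply's ordering lets local traffic fall through to normal forwarding while everything else is redirected.

```python
import ipaddress
import re

# Policy texts copied from the thread (original question, then the reply's sample).
ORIGINAL_POLICY = """
entry Allhttp {
  if { protocol tcp; source-address 10.234.0.0/16; destination-address 10.234.0.0/16; source-port 80; }
  then { Deny; }   ** in essence skip
  ** so if not the above do this.
  if { protocol tcp; source-address 10.234.0.0/16; source-port 80; }
  then { redirect-name ToBluecoat; count WebHTTP; }
}
"""
CORRECTED_POLICY = """
entry HTTP_PACKETS_TO_10.234.0.0 {
  If match all { Protocol TCP; destination-port 80; source-address 10.234.0.0/16; destination-address 10.234.0.0/16; }
  then { permit; }
}
# same subnet but matching https traffic
entry HTTPS_PACKETS_TO_10.234.0.0 {
  If match all { Protocol TCP; destination-port 443; source-address 10.234.0.0/16; destination-address 10.234.0.0/16; }
  then { permit; }
}
entry HTTP_to_other_than_10.234.0.0/16 {
  if match all { protocol TCP ; destination-port 80 ; source-address 10.234.0.0/16 ; }
  then { redirect-name ToBluecoat; count WebHTTP; }
}
entry HTTPS_to_other_than_10.234.0.0/16 {
  if match all { protocol TCP ; destination-port 443 ; source-address 10.234.0.0/16 ; }
  then { redirect-name ToBluecoat; count WebHTTPS; }
}
"""

COMMENT_RE = re.compile(r"(\*\*|#)[^\n]*")          # '#' comments, plus the '**' notes from the post
ENTRY_RE = re.compile(r"\bentry\s+(\S+)\s*\{", re.I)
CLAUSE_RE = re.compile(r"\bif(?:\s+match\s+all)?\s*\{(.*?)\}\s*then\s*\{(.*?)\}", re.I | re.S)


def parse_policy(text):
    """Return rules as (entry_name, conditions, actions) in file order.

    Every if/then clause is one rule, so the question's single entry with two
    clauses yields two rules. Conditions map lower-cased keyword -> value.
    """
    text = COMMENT_RE.sub("", text)
    names = [(m.start(), m.group(1)) for m in ENTRY_RE.finditer(text)]
    rules = []
    for m in CLAUSE_RE.finditer(text):
        owner = max((pos, n) for pos, n in names if pos < m.start())[1]
        conds = {}
        for stmt in m.group(1).split(";"):
            parts = stmt.split()
            if len(parts) == 2:
                conds[parts[0].lower()] = parts[1]
            elif parts:
                raise ValueError(f"cannot parse condition {stmt.strip()!r}")
        actions = [a.strip() for a in m.group(2).split(";") if a.strip()]
        rules.append((owner, conds, actions))
    return rules


def matches(conds, pkt):
    """True when every condition of a rule holds for the packet (match all)."""
    for key, value in conds.items():
        if key.endswith("-address"):
            if ipaddress.ip_address(pkt[key]) not in ipaddress.ip_network(value, strict=False):
                return False
        elif key.endswith("-port"):
            if pkt[key] != int(value):
                return False
        elif key == "protocol":
            if pkt[key].lower() != value.lower():
                return False
        else:
            raise ValueError(f"unsupported condition {key}")
    return True


def decide(rules, pkt):
    """First matching rule wins; its non-count action is the decision."""
    for name, conds, actions in rules:
        if matches(conds, pkt):
            primary = [a for a in actions if not a.lower().startswith("count")]
            keyword, _, rest = (primary[0] if primary else "count-only").partition(" ")
            return name, (keyword.lower() + " " + rest).strip()
    return "no match", "normal forwarding"


def packet(src, sport, dst, dport):
    return {"protocol": "tcp", "source-address": src, "source-port": sport,
            "destination-address": dst, "destination-port": dport}


# Constructed sample flows; 198.51.100.7 is a documentation address standing in for an internet host.
SAMPLE_PACKETS = {
    "local http request": packet("10.234.1.5", 51000, "10.234.2.10", 80),
    "local http reply": packet("10.234.2.10", 80, "10.234.1.5", 51000),
    "internet http request": packet("10.234.1.5", 51001, "198.51.100.7", 80),
    "internet https request": packet("10.234.1.5", 51002, "198.51.100.7", 443),
}


def decisions(policy_text):
    """Map each sample flow label to the (entry, action) the policy would apply."""
    rules = parse_policy(policy_text)
    return {label: decide(rules, pkt) for label, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for title, policy in (("original", ORIGINAL_POLICY), ("corrected", CORRECTED_POLICY)):
        print(title)
        for label, (entry, action) in decisions(policy).items():
            print(f"  {label:24s} -> {entry}: {action}")
```

Running it shows the original draft dropping the local HTTP reply (source port 80 inside the subnet hits the deny clause) while forwarding every outbound request untouched, and the corrected policy permitting the local request, leaving the reply to normal forwarding, and redirecting the two internet-bound flows to ToBluecoat. The evaluator is a pre-flight check for ordering and match logic only; the switch's own policy checker remains the authority on syntax.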
