Unifi UDM Pro - Object based IP / FQDN / Country possible?

Is it possible to create FQDN‑/IP-/Country based objects or groups, and assign these to a firewall rule for easier and more flexible policy management?

e.g. to restrict the WAN access to the configured groups / ports to limit the access as needed for the source devices.

Thanks in advance,
Andy

If I’m understanding this correctly, there are a couple ways you can do this.

You can create a Network List (Settings > Overview > Network List) that contains the IPs or subnets of the devices you wish to restrict (you'll want the clients to have static or reserved IPs). Then in the zone firewall, you can create your rules in the appropriate source zone and limit them to the Network List.

Or, you can create an Object Group (Settings > Policy Engine > Objects) and select the clients you want included (or create a client group if you plan on having multiple policies on the same clients). Then under Secure, you can allow/block them from accessing specific apps/services, IPs, regions, and/or domains. (Note that for domain blocking, your devices must be using the UDM for DNS.)

I prefer the latter method for managing individual clients myself, especially when they live on different networks and FW zones. This is especially true if the clients don't have static/reserved IPs or they periodically switch between networks for whatever reason. I find it easier to manage.

I have set up my current firewall based on IP, FQDN and country groups so that groups can be assigned to the corresponding VLANs/rules based on the destination networks or services. This way, if changes are made, I only need to update the group object once, and the change will apply to all rule sets that include that group. So my question is whether this is also possible on a UDM Pro.

E.g., my IoT VLAN needs a different level of security than my business client network or shared VLAN. I've not found any UDM handbook where I could check/read this.

Thanks for your quick reply