[USG Flex H] - Policy Control - Wrong Source/Destination Group

Maverick87
edited October 7 in USG FLEX H Series

Hello everyone,
I have created a group object that contains other groups.


When I configure it as the Source/Destination of a Policy Control rule, it seems that only one of these groups is presented (it seems to always be the last group in the list).


It seems that the "ALWAYSDenyWAN" group has disappeared, and in this case I don't know if it is only a visual bug or if the "ALWAYSDenyWAN" group is really not present (obviously I can check it from the log).

Thank you

All Replies

  • Maverick87

    OK, I've checked the log and it seems that both sub-groups hit the rule; so in the main group there really are two sub-groups, but in the Policy Control view it seems that only one group is reported (only the last in the list).

  • PeterUK
    edited October 7

    Yes, just a display limitation really. I don't like the idea of doing groups in a group.

  • Maverick87

    You're right, but I have:
    - Some IoT devices that I need to connect to the internet only for firmware upgrades (only a few minutes per month) — DenyInternet;
    - Some other IoT devices that never reach the internet — AlwaysDenyInternet.

    So I define two rules:
    - One rule (deactivated by default) that covers only the DenyInternet group, in which I allow only certain IPs and ports (to permit the upgrade);
    - One rule that denies all traffic from both groups — this rule is defined below the other rule.

    So, in this case:
    - When a DenyInternet device tries to reach the internet and the first rule is enabled, it matches this rule only for the defined destination IPs; if the IP isn't in the allowed destinations, the connection is denied by the second rule;
    - When an AlwaysDenyInternet device tries to connect to the internet, it is always denied because it hits the second rule directly.

    And obviously both device types must reach internal devices and services.

    If I don't use groups in a group, I need to define more than 2 rules: one to allow DenyInternet to the allowed destination IPs, one to deny the other destination IPs, and one to deny the AlwaysDenyInternet type.

    Can you do this better?

    Thank you
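The two-rule design described in this post, as an added example that is not part of the thread or of Zyxel's firmware: a small first-match policy evaluator in Python that flattens a nested address group before matching, so the behaviour of the rule order can be checked offline. The sub-group names are the post's; the parent group name "IoT-NoWAN", the device IPs, the upgrade server address and port are constructed assumptions, as is scoping the deny rule to the WAN destination zone so that internal traffic falls through to the default.

```python
from dataclasses import dataclass, field

# Constructed sample groups (assumption): the parent group "IoT-NoWAN" holds
# the two sub-groups from the post, mirroring the group-in-group setup.
GROUPS = {
    "DenyInternet": ["192.168.10.10", "192.168.10.11"],
    "AlwaysDenyInternet": ["192.168.10.20"],
    "IoT-NoWAN": ["DenyInternet", "AlwaysDenyInternet"],  # group of groups
}
UPGRADE_SERVER = "203.0.113.5"  # constructed firmware server address

def flatten(name):
    """Expand a group into its member IPs, recursing through nested groups."""
    members = set()
    for item in GROUPS[name]:
        members |= flatten(item) if item in GROUPS else {item}
    return members

@dataclass
class Rule:
    name: str
    src_group: str
    dst_zone: str
    action: str                                   # "allow" or "deny"
    enabled: bool = True
    dst_ips: set = field(default_factory=set)     # empty = any destination
    dst_ports: set = field(default_factory=set)   # empty = any port

def policy(upgrade_window_open):
    """Rules in evaluation order; rule 1 is enabled only during an upgrade."""
    return [
        Rule("allow-fw-upgrade", "DenyInternet", "WAN", "allow",
             enabled=upgrade_window_open,
             dst_ips={UPGRADE_SERVER}, dst_ports={443}),
        Rule("deny-iot-wan", "IoT-NoWAN", "WAN", "deny"),
    ]

def evaluate(rules, src_ip, dst_zone, dst_ip, dst_port, default="allow"):
    """First enabled rule matching source group, zone, destination and port wins."""
    for r in rules:
        if not r.enabled or r.dst_zone != dst_zone:
            continue
        if src_ip not in flatten(r.src_group):
            continue
        if r.dst_ips and dst_ip not in r.dst_ips:
            continue
        if r.dst_ports and dst_port not in r.dst_ports:
            continue
        return r.action
    return default  # nothing matched, e.g. LAN-to-LAN traffic
```

With the upgrade window open, only a DenyInternet device reaching the upgrade server on the allowed port is permitted; every other WAN-bound flow from either sub-group falls through to the deny rule, while LAN-bound traffic is untouched.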

  • PeterUK

    If that works for you, I'm not going to say it's wrong.