1738 Views | 25 Helpful | 9 Replies

FMC/FTD Question

benolyndav
Level 4

Hi

In ASA we can add a Global ACL which is applied to all interfaces. Is there a way to do this for FTD using FMC please?

 

Thanks

9 Replies

@benolyndav 

In the Access Control Policy (ACP), just create a rule and do not define a security zone (which references the interfaces). That way the rule will apply to any interface, the source/destination networks will control the traffic.

Hi Rob

So are you meaning a rule in the mandatory section?

 

Thanks

Hi @benolyndav

No, it doesn't necessarily matter.

Hi Rob

Not sure I understand; we have 7 sub-interfaces, so where would I apply an ACL to cover all of these interfaces?

 

Thanks

Hi @benolyndav 

When you create an ACP rule you can define source/destination networks and source/destination zones. The interfaces are usually assigned to a zone. What I was suggesting was, you could not define the zones, which would mean "any" zone would be permitted. Therefore you control the traffic in that ACP rule by defining the source networks, which could be any of your sub-interface networks.

 

Hi Rob

That doesn't work.

So I just picked an interface and created the ACP rule and didn't define zones, but used a subnet from another interface, and it's allowed to the destination I was trying to block? Any suggestions?

 

 

Result:

input-interface: INSIDE_FRH
input-status: up
input-line-status: up
output-interface: INTERNET
output-status: up
output-line-status: up
Action: allow

@benolyndav 

The rule order is obviously important; if you've a rule above the block rule you create that permits traffic, then it would be allowed.

Can you provide the full output of packet-tracer? And a screenshot of the ACP rule?
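To make the two points in this thread concrete (a rule with no zones defined matches traffic arriving on any interface, and a permit rule placed above a block rule hides it), here is an added Python model of first-match ACP evaluation. This is example code written for this thread, not Cisco's FMC/FTD code or API; the rule names, subnets and zones are constructed sample values, and the model only considers zones, networks and destination ports (real ACP rules can also match applications, URLs, users and more, and the policy's default action is configurable).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class Packet:
    """A flow in the shape packet-tracer reports it (constructed sample values)."""
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass
class Rule:
    """One ACP rule. A matcher left as None was not defined in the rule,
    which in this model (as in the thread) means it matches 'any'."""
    name: str
    action: str                                # "allow" or "block"
    src_zones: Optional[Set[str]] = None
    dst_zones: Optional[Set[str]] = None
    src_nets: Optional[List[str]] = None       # CIDR strings
    dst_nets: Optional[List[str]] = None
    dst_ports: Optional[Set[int]] = None


def _ip_in_nets(ip: str, nets: Optional[List[str]]) -> bool:
    if nets is None:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in nets)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """True when every matcher the rule actually defines fits the packet."""
    if rule.src_zones is not None and pkt.src_zone not in rule.src_zones:
        return False
    if rule.dst_zones is not None and pkt.dst_zone not in rule.dst_zones:
        return False
    if rule.dst_ports is not None and pkt.dst_port not in rule.dst_ports:
        return False
    return _ip_in_nets(pkt.src_ip, rule.src_nets) and _ip_in_nets(pkt.dst_ip, rule.dst_nets)


def evaluate(rules: List[Rule], pkt: Packet, default_action: str = "block") -> Tuple[str, str]:
    """First-match evaluation top to bottom, then the policy default (assumed 'block')."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action, rule.name
    return default_action, "default-action"


def find_shadowing_rule(rules: List[Rule], target: str, pkt: Packet) -> Optional[str]:
    """Name of the first rule above `target` that already matches `pkt`, if any."""
    for rule in rules:
        if rule.name == target:
            return None
        if rule_matches(rule, pkt):
            return rule.name
    return None


# Constructed sample policy: the block rule defines networks only, no zones.
BLOCK_SUB7 = Rule("block-sub7-to-blocked-dst", "block",
                  src_nets=["10.7.0.0/24"], dst_nets=["203.0.113.0/24"])
PERMIT_WEB = Rule("permit-web-any", "allow", dst_ports={80, 443})

POLICY_OK = [BLOCK_SUB7, PERMIT_WEB]        # block is evaluated first
POLICY_SHADOWED = [PERMIT_WEB, BLOCK_SUB7]  # a permit above the block hides it

# Constructed flows: the same source subnet seen from two different ingress zones.
FLOW_FRH = Packet("INSIDE_FRH", "INTERNET", "10.7.0.10", "203.0.113.5", 443)
FLOW_OTHER_ZONE = Packet("INSIDE_OTHER", "INTERNET", "10.7.0.20", "203.0.113.5", 443)
FLOW_OTHER_NET = Packet("INSIDE_FRH", "INTERNET", "10.3.0.5", "203.0.113.5", 443)


def zoneless_rule_hits_any_zone() -> bool:
    """The zone-less block rule matches the subnet regardless of ingress zone."""
    return (evaluate(POLICY_OK, FLOW_FRH)[0] == "block"
            and evaluate(POLICY_OK, FLOW_OTHER_ZONE)[0] == "block")


def shadowed_policy_allows() -> Tuple[str, str]:
    """With the permit above the block, the flow meant to be blocked is allowed."""
    return evaluate(POLICY_SHADOWED, FLOW_FRH)


if __name__ == "__main__":
    print("zone-less block covers both zones:", zoneless_rule_hits_any_zone())
    print("shadowed policy result:", shadowed_policy_allows())
    print("rule shadowing the block:",
          find_shadowing_rule(POLICY_SHADOWED, BLOCK_SUB7.name, FLOW_FRH))
```

The `find_shadowing_rule` helper is the check worth running when packet-tracer reports `Action: allow` for a flow you expected to block: it names the rule above the block that is already matching, which is exactly what a broad http/https or URL permit rule would show up as.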

 

Hi Rob

I'll get that info to you, and appreciated as always. I have a funny feeling about some of these URL objects; I'm sure they are allowing anything. Have you seen anything like this?

 

Thanks

@benolyndav 

I wasn't expecting you to be using URL objects; best I see the screenshot of the rules.

It could be you've another rule that permits http/https that is permitting the traffic.
