Temporary allowed connections
-
Where exactly in the watchguard when you create your policy for your rule is there a place to do this... I do not see anything like your talking about..
Your saying you can click on watchguard firewall log on something that was blocked and allow it for 15 minutes?
How and the F is that going to work when the nat has not even been setup on a port forward, etc. etc..
Still waiting for the screenshot or link to docs for watchguard that allows you do what your asking. Cuz such and option has really ZERO use case in the enterprise... Before something is allowed through a firewall there is change control that has to be done.. You can not just click on something to allow it for 15 minutes..
Your wanting to allow user outbound somewhere on port 443.. That would be done on the PROXY in the enterprise, not firewall.. Then sure users that are blocked by policy normally can just override with a password for X number of minutes, etc.
Such stuff is not done on a L3 firewall!
-
@KOM said in Temporary allowed connections:
I remember you now. You're the guy who I had to argue with over simple networking concepts.
"This is a simple thing"
Well then, code it up and submit the patch. After all, it's simple.
"that is much needed"
By whom? You? I don't recall anyone else asking for this in the five years I've been here.
"and extremely convenient."
If you needed such a feature. Most companies I've dealt with don't need holes punched in their firewalls on a regular basis.
This is not magic or rocket science dude. ANYONE using the Internet and has a firewall sometimes might need to connect to a possibly sketchy site. Like buying something from an unknown vendor or connecting to a new website that you're not sure is authentic or bogus etc. Why would you allow a PERMANENT connection you're not sure of ??
Seriously???
-
Again this not done on a firewall in the enterprise - that is done at the proxy!!
Are you running proxy on pfsense?
-
@johnpoz said in Temporary allowed connections:
Again this not done on a firewall in the enterprise - that is done at the proxy!!
Are you running proxy on pfsense?
No. And I'm blown away that you guys don't know about doing this.
Seriously dude.I'm wondering now if maybe you and kom have completely misunderstood me.
Did you see the picture I posted in the OP ?
-
Yeah see the picture... Sorry but that would never in a million years happen on an enterprise firewall!
There is no scenario where that would happen... Only the smallest of the smallest mom and pop shops would allow their firewall admin to just click shit to allow open without change control.. Or a ticket atleast, etc. etc.
But sure in the proxy where site gets blocked because its listed in wrong category, etc. you would correct the category... Or user might be able to allow shopping sites during their lunch break, etc..
I think you have a lack of understanding of how network and security controls work in the enterprise to be honest.. In the 10 some years I have been here - I do not recall anyone ever asking for such a thing either.
-
I don't think you're getting it. We understand the feature you're asking about. We're telling you that this is generally not required for an enterprise firewall but you refuse to accept it. And were not even sure what traffic you're talking about. You mention buying something online, so I assume you mean http/s? You want a rule to allow tcp80,443 access on a temporary basis?
-
@chpalmer said in Temporary allowed connections:
@HansSolo said in Temporary allowed connections:
You mean to tell me you, as a firewall expert, don't see the need for this? Seriously?
Very rarely if ever.. I would not spend a second of anyone else's time to design this into a product. It's to easy just to turn off the rule when its no longer needed.
Huh?
It's easier to go in and do three or four steps instead of ONE ? And then, remember to go back later and do three or four more?? Since when? -
Just called my Watchguard rep and he thinks that your incorrect. He is going to check though.
One big issue I see is that just because you end a rule in a stateful firewall does not mean your connection to that destination is going to cease. You need to look at your states in any questionable situation and kill the state if it remains open. So something "automagically" happening is bad practice.
-
Your Watchguard rep is incorrect.
Place your bets now.I'm being slowed down in responses to your questions due to 120 second rule. Can that get lifted please so I can answer?
-
Yeah let me click the temp allow user x to flood the board for 15 minutes button... Wait that is not there - what the F!!! Every other forum software on the planet has that ;)
I am betting on the rep ;)
-
@johnpoz said in Temporary allowed connections:
Yeah let me click the temp allow user x to flood the board for 15 minutes button... Wait that is not there - what the F!!! Every other forum software on the planet has that ;)
DON'T GET PASSIVE-AGGRESSIVE WITH ME DUDE !! lol
I thought it could be on a per user basis.
-
Seriously,
Not everyone who uses pfsense is in an Enterprise environment. I doubt most are.
I know that your revenue comes mostly from that tho so I can somewhat understand not including features that might not be needed outside an Enterprise enviro. -
Again in what world do you live in that such feature would make sense ;) Just like click on blocked rule.. But allow thing for 15 minutes thing has zero use in the enterprise... But watchguard has it?
I think maybe there is something to allow access via their proxy rules, not their firewall rules. You understand the watchguards do proxy as well as just L3 firewall rules.
-
@HansSolo said in Temporary allowed connections:
Your Watchguard rep is incorrect.
He has sold more firewalls than he can remember and this question has never come up. If it is there then nobody is talking to him about it. I asked him as if I was looking and he says "why?" LOL
-
@johnpoz said in Temporary allowed connections:
But watchguard has it?
I don't personally consider Watchguard enterprise grade myself.
-
sadly 120 sec it's the minimum to digest bullshit sorry but this time i can't stop laughing
-
Alright, this is getting stupid now. The feature doesn't exist in pfSense and he has the only workaround. The end.
-
@chpalmer very true... I have never seen it used in any enterprise we have ever supported..
In a mom and pop shop, you click the eazy rule... And then 15 min later or 1 hour later you delete the rule... How freaking hard is that?? I mean really?
-
@kiokoman said in Temporary allowed connections:
sadly 120 sec it's the minimum to digest bullshit sorry but this time i can't stop laughing
Are you saying it's normally incoming or outgoing ?
You only needed 10 seconds to share yours
-
@johnpoz said in Temporary allowed connections:
@chpalmer very true... I have never seen it used in any enterprise we have ever supported..
In a mom and pop shop, you click the eazy rule... And then 15 min later or 1 hour later you delete the rule... How freaking hard is that?? I mean really?
Suture yourself.
Some other software firewall (opensense) WILL include it and then they'll have just one more reason not to use pfsense.
Juuuuuuust sayin.Not everyone who uses pfsense in necessarily is an environment that pure enterprise. I got no dog in this fight. Just pointing something out. You guys are Sooooooo sensitive to suggestions. lol