Return
-
Title
Access Control List (ACL) Examples -
Description
Access Control Lists (ACLs) are a fundamental aspect of network security and play a crucial role in controlling access to network resources. An ACL is a set of rules that define what IP addresses are permitted or denied to access the SMA. ACLs are commonly used in routers, switches, firewalls, and other networking devices to enforce security policies at the network level. -
Cause
The main challenge for network administrators is configuring ACLs correctly to ensure that only authorized traffic is allowed while blocking unauthorized or potentially harmful traffic. Misconfigured ACLs can lead to security vulnerabilities, performance issues, and unintended consequences such as blocking legitimate traffic. -
Resolution
At any moment, if ACL is misconfigured and locks the administrators out, it can be disabled via netdiag with remove_acl. More details here.
The first option, "Allow all IP addresses in the same subnet as the appliance" will allow devices on the same subnet of the SMA, which would be with the IP setup on Network Settings. If any Proxy/VPN/Load Balancer is used, this may limit the ability of the SMA to detect that the device is on the same network and work intermittently or not work at all.
On the Allow List section, Network addresses are meant to be used, not individual IPs, although they can still be used, provided the Subnet Mask or CIDR reflect that it's meant for that host only (255.255.255.255 or 32).
"Range" notation should NEVER be used and could possibly break the ACL.
BAD examples:- 10.0.0.1-254
- 10.0.0.1-10.0.0.254
- 10.0.0
- 10.0.0.
Below are some examples of which type of syntax can be used.
Good examples:IP Address Subnet Mas/CIDR/Prefix Lenght IPs that will actually be allowed 192.168.0.0 24 192.168.0.1 to 192.168.0.254 192.168.0.0 255.255.255.0 192.168.0.1 to 192.168.0.254 192.168.0.0 255.255.0.0 192.168.0.1 to 192.168.255.254 192.168.1.50 255.255.255.255 192.168.1.50 only
Reference sites:
IP Address, CIDR, and Subnetting.
IP Subnet Calculator