Firewall Rules Don't Apply to VLAN Interface

Question

I have a guest WiFi network running on VLAN40. I'm trying to create firewall rules for this network but when I select the VLAN interface (#Port8.40) in Source networks and devices, it has no effect at all. I can define the network subnet here instead and that works but I want to apply rules to the VLAN interface regardless of IP/subnet. The rule is positioned at the top. I would expect to be able to target all traffic on VLAN interface #Port8.40 with this. What am I missing?

This thread was automatically locked due to age.

Wayne Folta · Accepted Answer

I place my VLAN(s) in a Zone that should be treated alike and use Source Zone instead. I don't think #Port8.40 is correct. (At least VLANs on my firewall don't create such a thing. 
 Looks like you posted just as I did. Zones, of course, let you have multiple VLANs and other stuff in them so you can treat them as a unified thing. So you might have three guest VLANs (for some reason) that you want to treat as one source or destination for purposes of Firewall rules. (And it also makes things easier for you if you switch Port8 for Port6 for some reason. Just update the Zone membership and the Firewall rule just continues to work without modification.) I prefer Zones whenever that's an option. 
 I'm also using Clientless Users for various things, but I think that's mainly because XG doesn't give you host names and so it's hard to figure who is who in some displays and it's easier to just look at Live Connections by (clientless) user. There may be downsides to that, and it takes more steps (rather than the fewer steps that Zones do) to make it all work. I do wish Sophos would do a naming-unification pass that lets me set one machine with a name and potentially other information (MAC, IP, clientless user, etc).

Firewall Rules Don't Apply to VLAN Interface

Top Replies