
LOG Action for excluded IPs in DROP Policy


Solved by Rick Davis


Hi folks,

I am currently working on a responder policy that triggers a “DROP”, except for the countries that are defined by “.NOT”.

Now I would also like to attach a message action, but not for the requests that are dropped, but for those that are allowed.

Putting the message action directly into the responder policy is useless here, as it only takes effect when a DROP is triggered.

Now the question is, what is the best way to log when one of the IPs excluded from the DROP makes a call?


  • Solution

You can use two policies on the same traffic using Goto Expressions. Your first policy can conduct the logging (using a goto expression of NEXT) and the second policy will perform the Drop. In this case, the order matters because a Drop action requires an END Goto expression.
Be sure to remove your .NOT from the first policy since you want to log traffic which you intend to allow.


Reference: Evaluation order within a policy bank


Thank you for the quick reply. :) 

I just realized now that the NOOP policy does not apply if there is more than one exception in it.


Example 

CLIENT.IP.SRC.MATCHES_LOCATION(\"*.US.*.*.*.*\") && CLIENT.IP.SRC.MATCHES_LOCATION(\"*.GB.*.*.*.*\")

Have I just made a mistake in my thinking?


Oh, I think I just realized it myself: I put && instead of || in the policy.

 

Example

 

CLIENT.IP.SRC.MATCHES_LOCATION(\"*.US.*.*.*.*\") || CLIENT.IP.SRC.MATCHES_LOCATION(\"*.GB.*.*.*.*\")

 

Edited by nlffel439
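The two-policy arrangement from the accepted answer, combined with the || correction from the follow-up posts, written out as NetScaler CLI. This is an added example, not configuration posted in the thread; the vserver name vs_web, the policy and message action names, the priorities, the log level and the log message text are all assumptions.

```netscaler
# Added example. All object names (vs_web, msg_allowed_geo, rp_log_allowed,
# rp_drop_other) and the priorities 100/110 are hypothetical.

# Message actions only reach the log when user-defined audit logging is on.
set audit syslogParams -userDefinedAuditlog YES

# What to write for each allowed request.
add audit messageaction msg_allowed_geo INFORMATIONAL "\"Allowed geo client \" + CLIENT.IP.SRC + \" requested \" + HTTP.REQ.URL"

# Policy 1: matches the ALLOWED countries (no .NOT), does nothing to the
# request (NOOP) and fires the message action. The countries are joined with
# ||, since a single source IP cannot be located in US and GB at once.
add responder policy rp_log_allowed "CLIENT.IP.SRC.MATCHES_LOCATION(\"*.US.*.*.*.*\") || CLIENT.IP.SRC.MATCHES_LOCATION(\"*.GB.*.*.*.*\")" NOOP -logAction msg_allowed_geo

# Policy 2: drops everything else. Negating "US || GB" gives
# "not US && not GB", so here the .NOT terms are joined with &&.
add responder policy rp_drop_other "CLIENT.IP.SRC.MATCHES_LOCATION(\"*.US.*.*.*.*\").NOT && CLIENT.IP.SRC.MATCHES_LOCATION(\"*.GB.*.*.*.*\").NOT" DROP

# Order matters: the logging policy is evaluated first and continues with
# NEXT; the DROP policy is evaluated second and ends evaluation with END.
bind lb vserver vs_web -policyName rp_log_allowed -priority 100 -gotoPriorityExpression NEXT -type REQUEST
bind lb vserver vs_web -policyName rp_drop_other -priority 110 -gotoPriorityExpression END -type REQUEST
```

After binding, the hit counters of both policies show whether allowed traffic is reaching the NOOP policy and whether everything else is reaching the DROP policy.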