|
In this case, it is necessary to check the 'direction' attribute of the Internet Service group and match it with the same attribute of the Internet Service:
- By default, the newly created internet-service-group is 'both':
config firewall internet-service-group
edit "1000"
show full
set direction both
end
- Direction can be changed:
config firewall internet-service-group
edit 1000
set direction ?
source As source when applied.
destination As destination when applied.
both Both directions when applied.
- Internet Services also have destination attributes:
diag internet-service id-summary 327681
Version: 00007.03429
...
Internet Service: 327681(Microsoft-Web)...
Direction: dst
Or:
diag internet-service id-summary 327903
Version: 00007.03429
...
Internet Service: 327903(Microsoft-Office365.Published.Allow)
Direction: both
Internet Services with directions 'both' can be added to groups with directions 'destination' and 'source'. For example, if the group direction is 'both', it is possible to add only Microsoft-Office365.Published.Allow ('both'), but not Microsoft-Web ('dst') to it. However, if changing the type to 'destination', it is possible to add both services.
This configuration can be done only from CLI.
|
