d3xmeister1
New Contributor II

How to block internet except one address (or IP) without using web filtering

Hi, the title says it all: how to block internet except one (or two) addresses (or IPs) without using web filtering. We don't want to make a rule to enable internet then filter, that's something our auditor does not allow, so we have to make a rule that denies internet, then add exceptions.

I tried to make a firewall policy from the Internet interface to the VLAN we want to block for internet, but then if I duplicate the same rule but this time add one previously created FQDN address to allow, it does not work, all internet is still blocked.

1 Solution
Toshi_Esumi
SuperUser

Opposite. You want to set exceptions first from the VLAN to the internet interface, then block "ALL" to "ALL" for the same interface pair for the same direction.

Toshi


d3xmeister1

So what I was doing wrong was to create a block rule from the VLAN interface to that X1 Internet interface, then try to make exceptions.

This is because without a rule from the VLAN to the X1, internet won't work anyway, so all I need is to create the exceptions.


Correct?

Toshi_Esumi

Yes. You're right. You just need to create the policy in-to-out to allow only traffic you want to allow. Denying the rest is done by "implicit deny" policy 0.

Toshi
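As an added illustration of the approach Toshi describes (not a config posted by anyone in this thread), the following FortiOS CLI fragment creates a single in-to-out accept policy scoped to one FQDN address, and relies on the implicit deny (policy 0) for everything else. The interface names `vlan10` and `wan1`, the address name `allowed-site-fqdn`, the hostname `example.com` and the policy ID 10 are assumed placeholders; substitute your own.

```fortios
# Added example, not from the original post. Interface names, the address
# object, the hostname and the policy ID are placeholders for this example.

# 1. The exception: an FQDN address object the FortiGate resolves and caches.
config firewall address
    edit "allowed-site-fqdn"
        set type fqdn
        set fqdn "example.com"
    next
end

# 2. The only in-to-out policy: VLAN -> WAN, destination limited to that FQDN.
#    No catch-all accept policy exists, so every other destination falls
#    through to the implicit deny (policy 0), which is what the auditor wants.
config firewall policy
    edit 10
        set name "VLAN-to-Internet-exception"
        set srcintf "vlan10"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "allowed-site-fqdn"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set nat enable
        set logtraffic all
    next
end
```

Two things to check after applying this. First, the implicit deny policy should have logging enabled (Policy & Objects > Firewall Policy > Implicit Deny, or `set implicit-deny-log` under the policy settings in the GUI), so that any blocked destination shows up in the forward traffic log and the auditor can see the default-deny working. Second, the hosts on the VLAN still need to resolve `example.com` themselves: if they use an internal DNS server this works as-is, but if their resolver is on the internet, a separate narrow policy permitting DNS only to that resolver is required, otherwise the client cannot look up the allowed site even though the FortiGate itself can.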

d3xmeister1

So this is a typical case of not seeing the forest from the trees. Thank you, Toshi, I really appreciate it!
