I am curious if there is a way for a rule later in the Traffic Sequence to override previously declared rules.
I am trying to add some behavior to the Firewall Rules and found out that an AS whitelist rule we declared in the 'IP Access Rules' seems to be causing all downstream rules to be circumvented. So the flow I have is:
We get a request from an AS of interest call it AS1
In IP Access Rules we specifically want to whitelist AS1 for all websites in this account.
But within a specific site we would like to add a Firewall rule for this same AS
What I have seen in testing is that because of the IP Access Rule that ‘Allows’ everything from AS1 my Firewall Rule is not invoked.
A solution we tossed around is removing the IP Access Rule and then adding an analogous Firewall Rule to each website that Allows traffic from AS1. That way, on the site where I want different behavior, I can use the order of the Firewall Rules to both inspect and block some traffic and allow the rest from AS1.
While logically this seems like it would work, it is a PITA to add a Firewall Rule to all sites when the IP Access Rule lets me add this behavior to all sites with a single rule.
Feels like a feature request would be to add an IP Access Rule option of "All except this site", and/or some way for a Firewall Rule to be invoked even though the AS the Firewall Rule acts on is 'Allowed' earlier in the Traffic Sequence.
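The workaround described in the post, modelled as an added example (not code from the original post or from Cloudflare): each zone gets an ordered set of Firewall Rules instead of the account-wide IP Access Rule, and the one restricted zone places a Block rule for part of AS1's traffic ahead of the Allow rule. The AS number 64496 (an RFC 5398 documentation ASN standing in for "AS1"), the zone names and the `/admin` path are assumptions; the rule expressions use the Cloudflare rule-language fields `ip.geoip.asnum` and `http.request.uri.path`, and the `evaluate` and `traffic_sequence` functions are a local first-match simplification, not Cloudflare's engine.

```python
"""Per-zone Firewall Rules as a replacement for a global IP Access Rule allow.

Added example, not Cloudflare code. Assumed: ASN 64496 stands in for the
poster's "AS1", zone names and the /admin prefix are made up, and the
evaluation helpers only model first-match ordering with terminating
Allow/Block actions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set

AS_OF_INTEREST = 64496  # RFC 5398 documentation ASN, stands in for "AS1"


@dataclass(frozen=True)
class Request:
    zone: str
    asn: int
    path: str


@dataclass(frozen=True)
class Rule:
    priority: int        # Firewall Rules: lower priority value is evaluated first
    expression: str      # the rule-language expression you would actually submit
    action: str          # "allow" or "block"; both stop further evaluation
    matches: Callable[[Request], bool]  # same condition, evaluated locally


def rules_for_zone(zone: str, restricted_zone: str, restricted_prefix: str) -> List[Rule]:
    """Build the ordered rule list for one zone.

    Every zone gets the Allow-AS1 rule (the replacement for the account-wide
    IP Access Rule). The restricted zone additionally gets a Block rule that
    sorts ahead of the Allow, so AS1 traffic to restricted_prefix is blocked
    while the rest of AS1's traffic still passes.
    """
    allow_as1 = Rule(
        priority=200,
        expression=f"(ip.geoip.asnum eq {AS_OF_INTEREST})",
        action="allow",
        matches=lambda r: r.asn == AS_OF_INTEREST,
    )
    if zone != restricted_zone:
        return [allow_as1]
    block_restricted = Rule(
        priority=100,  # must be lower than the Allow so it is checked first
        expression=(
            f"(ip.geoip.asnum eq {AS_OF_INTEREST} and "
            f'http.request.uri.path contains "{restricted_prefix}")'
        ),
        action="block",
        matches=lambda r: r.asn == AS_OF_INTEREST and restricted_prefix in r.path,
    )
    return sorted([allow_as1, block_restricted], key=lambda r: r.priority)


def evaluate(rules: List[Rule], request: Request, default: str = "continue") -> str:
    """First matching rule wins; 'continue' means no Firewall Rule matched."""
    for rule in rules:
        if rule.matches(request):
            return rule.action
    return default


def traffic_sequence(ip_access_allowed_asns: Set[int], rules: List[Rule], request: Request) -> str:
    """Model of the ordering the post ran into: IP Access Rules run before
    Firewall Rules, and an IP Access Rule Allow ends evaluation, so the
    Firewall Rules below it never see the request."""
    if request.asn in ip_access_allowed_asns:
        return "allow"
    return evaluate(rules, request)


def plan(zones: List[str], restricted_zone: str, restricted_prefix: str) -> Dict[str, List[str]]:
    """Summarise what would be submitted per zone, in evaluation order."""
    return {
        z: [f"{r.priority}: {r.action} if {r.expression}" for r in rules_for_zone(z, restricted_zone, restricted_prefix)]
        for z in zones
    }


if __name__ == "__main__":
    for zone, lines in plan(["shop.example", "admin.example"], "admin.example", "/admin").items():
        print(zone)
        for line in lines:
            print("  ", line)
```

Against the model, the same AS1 request to `/admin` is blocked on the restricted zone and allowed on every other zone, AS1 requests outside `/admin` are allowed everywhere, and adding the ASN back to the IP Access Rule allow set makes the Block rule unreachable again.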