Subject: Re: Firewall Profile: Set action
I would lean towards removing set unless we can think of a useful case. Juniper used set, for example to set some part of the config (not necessarily just rules). Is there some config option that we just have to set that I haven't thought of?
So, I thought of one example, this is setting a blacklist in Palo Alto firewalls: https://live.paloaltonetworks.com/t5/Featured-Articles/PAN-OS-8-0-IP-Block-List-Feeds/ta-p/129616
-Alex
From: openc2-actuator@lists.oasis-open.org <openc2-actuator@lists.oasis-open.org> on behalf of Brule, Joseph M <jmbrule@radium.ncsc.mil>
Sent: Tuesday, April 17, 2018 4:28:18 PM
To: 'openc2-actuator@lists.oasis-open.org'
Subject: [openc2-actuator] Firewall Profile: Set action
All,
QUESTION ONE: I would like to remove the set action from this profile. Do you think the ‘set’ action needs to be included in the 'stateless-packet-filtering' (aka firewall) profile?
QUESTION TWO: If you believe that the set action is applicable to the firewall profile, please identify if it should be required, optional and suggested target type(s)
BACKGROUND: The following is NOT consensus attained from the actuator profile subcommittee nor any subset of the subcommittee. The following is my personal opinion only and request confirmation or rebuttal.
In the context of the stateless-packet-filtering: I do not see the utility of including ‘set’ in this profile. Stateless packet filtering is about as simple as you get. You would want to ‘set’ the firewall rules, but that is more appropriately covered by the ‘deny’ and ‘allow’.
Should we leave the ‘set’ action out for now? It can always be added later should we learn from our early implementers that it is in fact needed.
Please advise
VR
Joe B