Devices not getting filtered to correct policies in live sessions?

3 comments

  • Official comment
    Shoji C.

    Hi Patrick,

    Thank you for reaching out and informing us about the issue. 

    Firstly, the policy operates using an "and" condition. It appears you have selected device category, device, and IP. Does the session include all of these? It is sufficient to add only a device, a device category, or an IP. Including all of them means the session must meet all criteria simultaneously.

    Additionally, I recommend updating both OPNsense and Zenarmor to their latest versions.

  • jason

    I have noticed that if you use a device group and have devices added manually, the policy only matches when the device is in BOTH device group and added individually. I think this is a bug, because the whole point of device groups is so that you don't have to individually add devices.

  • Shoji C.

    Hi Jason,

    This occurs because of the "and" condition in the policy. A session must meet all the criteria specified in the policy. When you include devices and device groups in the policy, it will evaluate both. For instance, if you have a "laptops" policy and include "a-laptop" as a device and "laptops" as a device group, then if "b-laptop," which belongs to the "laptops" group, initiates a session, the "laptops" policy won't apply to that session because the policy specifies the criteria for "a-laptop." Only sessions associated with "a-laptop" are considered valid for this policy.


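The "and" behaviour described in the replies above can be modelled and audited offline. This is an added example, not Zenarmor code: `Policy`, `Session`, `matches` and `shadowed_group_members` are hypothetical names, the inventory and IP addresses are constructed, and it assumes that several values listed under one criterion are alternatives while the different criteria are combined with "and".

```python
from dataclasses import dataclass, field


@dataclass
class Policy:
    name: str
    devices: set = field(default_factory=set)        # individually added devices
    device_groups: set = field(default_factory=set)  # device groups
    ips: set = field(default_factory=set)            # IP addresses


@dataclass
class Session:
    device: str
    groups: set
    ip: str


def matches(policy, session):
    """Every criterion that is set on the policy must hold for the session."""
    checks = []
    if policy.devices:
        checks.append(session.device in policy.devices)
    if policy.device_groups:
        checks.append(bool(session.groups & policy.device_groups))
    if policy.ips:
        checks.append(session.ip in policy.ips)
    return all(checks)


def shadowed_group_members(policy, inventory):
    """Group members the policy can never match because devices are also listed."""
    if not (policy.devices and policy.device_groups):
        return []
    return sorted(
        name for name, groups in inventory.items()
        if groups & policy.device_groups and name not in policy.devices
    )


if __name__ == "__main__":
    # Constructed inventory: device name -> groups it belongs to.
    inventory = {"a-laptop": {"laptops"}, "b-laptop": {"laptops"}}
    mixed = Policy("laptops", devices={"a-laptop"}, device_groups={"laptops"})
    for name, groups in inventory.items():
        session = Session(name, groups, "192.0.2.10")
        print(name, "matches" if matches(mixed, session) else "falls through")
    print("never matched via group:", shadowed_group_members(mixed, inventory))
```

Running the audit over an export of policies and group membership shows which devices fall through to another policy; dropping the individually added devices from a group-based policy empties the list.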