If you find that you are exceeding your license count and would like to block any devices that are not going to be filtered, you are in the right spot!
By default, NG Firewall will bypass any session that is "not entitled" because the license has been exceeded. "Bypassed" simply means that the layer 7 filtering (Web Filter, Application Control, Firewall, etc.) will not be applied to those sessions and these users will be allowed unfiltered access to the internet.
If you would prefer that these users are blocked from any and all internet access, then you simply need to configure the NG Firewall to do so. Here's how you can do that:
Under Config > Events > Alerts you will find a default alert rule labeled "License limit exceeded. Session not entitled".
If that rule is no longer there, this is what it should look like; the only setting you may want to change is how often you receive the alert by email:
Next, use that same event to tag the offending traffic. In the Triggers tab, create a rule with the following settings:
- Event type: SessionEvent (the type of event we are looking for)
- Condition: Entitled is 'False'
- Action Type: Tag Host (the unique IP address in question gets tagged)
- Host to tag: cClientAddr, the IP address of the device that will receive the tag
- Tag name: anything you like, as long as you will recognize it later
- Tag lifetime: the period after which the tag is removed from the host in question
Now that you have the "not entitled" traffic tagged, you need to tell the NG Firewall what to do with it. You have many options available to you, but here is the easiest.
Under Config > Network > Filter Rules, add a new rule:
- Condition: Client Tagged, which refers to the cClientAddr tagged above
- Value: the tag name you applied to the IP address
- Action: the action you want applied to this traffic (Block, for the goal of this article)
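To make the two rules concrete, here is a small Python model of the workflow, added for this article and not NG Firewall's own code or API: a trigger that tags cClientAddr when a SessionEvent has Entitled = False, a host table that drops the tag after its lifetime, and a filter rule that blocks tagged clients. The tag name, the lifetime, the sample addresses, and the assumption that a session is checked by filter rules before its own trigger fires are all constructed for the example.

```python
from dataclasses import dataclass
# Constructed model of the tag-then-block workflow above, not NG Firewall code.
TAG_NAME = "not-entitled"  # assumed: the tag name chosen in the trigger rule
TAG_LIFETIME = 3600        # assumed: tag lifetime in seconds (1 hour)
@dataclass
class SessionEvent:           # fields the trigger rule inspects
    cClientAddr: str          # IP address of the device that gets the tag
    entitled: bool            # False once the license count is exceeded
    time: int                 # event time, seconds
class HostTable:
    """Per-host tags with expiry, as maintained by the Tag Host action."""
    def __init__(self):
        self._tags = {}       # (host, tag) -> expiry time

    def tag_host(self, host, tag, now, lifetime):
        self._tags[(host, tag)] = now + lifetime

    def has_tag(self, host, tag, now):
        expiry = self._tags.get((host, tag))
        if expiry is not None and now < expiry:
            return True
        self._tags.pop((host, tag), None)   # lifetime elapsed: tag removed
        return False

def trigger_rule(event, hosts):
    """Config > Events > Triggers: SessionEvent, Entitled is False -> Tag Host."""
    if isinstance(event, SessionEvent) and event.entitled is False:
        hosts.tag_host(event.cClientAddr, TAG_NAME, event.time, TAG_LIFETIME)

def filter_rule(client, now, hosts):
    """Config > Network > Filter Rules: Client Tagged TAG_NAME -> Block."""
    return "block" if hosts.has_tag(client, TAG_NAME, now) else "pass"

def simulate(events):
    """Verdict per session. Assumption: the filter rule sees a session before its
    trigger fires, so a host's first not-entitled session is still bypassed."""
    hosts, verdicts = HostTable(), []
    for ev in events:
        verdicts.append(filter_rule(ev.cClientAddr, ev.time, hosts))
        trigger_rule(ev, hosts)
    return verdicts

# Constructed sample: host .50 exceeds the license count at t=10.
SAMPLE = [
    SessionEvent("192.168.1.20", True, 0),
    SessionEvent("192.168.1.50", False, 10),                # bypassed, then tagged
    SessionEvent("192.168.1.50", True, 20),                 # blocked by filter rule
    SessionEvent("192.168.1.20", True, 30),                 # untagged host passes
    SessionEvent("192.168.1.50", True, 10 + TAG_LIFETIME),  # tag expired: passes
]
```

Note that the host's later sessions stay blocked only while the tag lives; pick the tag lifetime in the trigger rule accordingly, since the block lifts silently when it expires.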
And that's it! Following these steps will allow you to block any sessions that will not be filtered by the NG Firewall due to being over your license count.