Restricting to domain with outbound policy

Greetings all,

I’m trying to configure my network so that one particular machine is allowed to access one particular WAN link in order to go to one particular domain. Outbound policy seemed like the best way to do this. However, when I open the hole for this machine to access the domain, in practice it can access any web page it wants to. I accomplished the basics of my goal by using firewall rules (allow domain.com, allow dns, deny all others) which is OK for now, but I’d like it to be able to connect when we’re on the other WAN link, and it seems like the firewall method will keep it from doing so.

My rules are set as follows:

I used the IP as well as the domain just because I wasn’t sure which would work. I included DNS mostly as a safety, but it seemed like it might need it, and it didn’t access anything without it. And then, if it doesn’t match on those three rules, it should go down to the next one, which enforces that it only use the other WAN connection. However, if the firewall deny rule is disabled, I can access any website I want with these rules in force. Is there something obvious I’m missing?

What are the outbound sessions for this machine to the domain under: Status> Active Sessions? The top outbound policy rule (Source = Any) will be used for any TCP 443 sessions so if this is HTTPS traffic, placing the domain rule on top should work.

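The shadowing effect described in the answer above can be seen by simulating first-match evaluation of an outbound policy table. This is an added example, not configuration or code from the original thread or from the router vendor: the rule fields, the host address 192.0.2.10, the WAN names WAN1/WAN2 and the "domain.com" destination are all constructed placeholders. Rules are evaluated top to bottom and the first rule whose every non-wildcard field matches the session decides the WAN, which is why a Source = Any, TCP 443 rule placed above the per-host domain rule captures every HTTPS session before the domain rule is ever consulted.

```python
from dataclasses import dataclass
from typing import Optional, List, Tuple

# Constructed rule model: None means "Any" for that field.
@dataclass(frozen=True)
class Rule:
    name: str
    src: Optional[str]     # source LAN host, or None for Any
    dst: Optional[str]     # destination domain, or None for Any
    proto: Optional[str]   # "tcp", "udp", or None for Any
    port: Optional[int]    # destination port, or None for Any
    wan: str               # WAN link the rule sends matching traffic to

@dataclass(frozen=True)
class Session:
    src: str
    dst: str
    proto: str
    port: int

def rule_matches(rule: Rule, s: Session) -> bool:
    """A rule matches when every non-wildcard field equals the session's field."""
    return all(want is None or want == have for want, have in (
        (rule.src, s.src), (rule.dst, s.dst), (rule.proto, s.proto), (rule.port, s.port)))

def first_match(rules: List[Rule], s: Session) -> Optional[Rule]:
    """First-match evaluation: the top-most matching rule wins, later rules are never checked."""
    for r in rules:
        if rule_matches(r, s):
            return r
    return None

def trace(rules: List[Rule], s: Session) -> List[Tuple[str, bool]]:
    """Which rules were consulted, and whether each matched, up to the winning rule."""
    out = []
    for r in rules:
        hit = rule_matches(r, s)
        out.append((r.name, hit))
        if hit:
            break
    return out

# Hypothetical table reconstructed from the thread: a per-host domain rule and the
# pre-existing Source = Any, TCP 443 rule left over from commissioning.
HOST = "192.0.2.10"                    # constructed LAN address of the restricted machine
DOMAIN_RULE = Rule("host-to-domain", HOST, "domain.com", None, None, "WAN2")
HTTPS_ANY = Rule("https-default", None, None, "tcp", 443, "WAN1")
CATCH_ALL = Rule("default", None, None, None, None, "WAN1")

def shadowed_table() -> List[Rule]:
    """The original ordering: the TCP 443 rule sits above the domain rule."""
    return [HTTPS_ANY, DOMAIN_RULE, CATCH_ALL]

def fixed_table() -> List[Rule]:
    """The ordering suggested in the answer: the domain rule moved to the top."""
    return [DOMAIN_RULE, HTTPS_ANY, CATCH_ALL]

def shadowing_rules(rules: List[Rule], s: Session) -> List[str]:
    """Names of rules above the session's intended rule that would steal the session."""
    names = []
    for r in rules:
        if r is DOMAIN_RULE:
            break
        if rule_matches(r, s):
            names.append(r.name)
    return names

if __name__ == "__main__":
    https = Session(HOST, "domain.com", "tcp", 443)   # constructed HTTPS session
    for label, table in (("shadowed", shadowed_table()), ("fixed", fixed_table())):
        win = first_match(table, https)
        print(f"{label:9s} -> {win.name} via {win.wan}; checked: {trace(table, https)}")
```

Running the block prints that the shadowed table routes the HTTPS session via the "https-default" rule to WAN1 without reaching the domain rule, while the fixed table selects "host-to-domain" on the first check. The same simulation is a quick way to sanity-check any reordering before applying it: feed it the sessions you expect to see under Status > Active Sessions and confirm each one lands on the rule you intended.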

Outstanding. That was a default rule that already existed from commissioning, and so I’d kind of blocked it out in my mind, but it makes total sense to me now that it would be triggering first. I’m successfully accessing everything I want to and nothing I don’t, without a block-all firewall rule. I won’t know for sure until we get back to dock wifi to verify we still have open access there, but it looks like this will work perfectly.

Thanks so much for helping me see what was right in front of my face! I need some help with that sometimes.
