Create a protocol rule denying FTP for those snat_ip that you want to block.
Deny rules get processed before allow rules.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/authors/harrison/
Read the book!

----- Original Message -----
From: "Morvan Daniel Muller" <morvan@xxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Thursday, January 03, 2002 07:09
Subject: [isalist] How I can implement this case with ISA?

I have difficulty with ISA because it isn't possible to associate protocol, source and destination in the same rule.

My problem is with the following case:

1) all_snat_ips allow HTTP to any_internet_dest anytime
2) all_snat_ips allow FTP only-to my_public_ftp_server anytime
3) some_snat_ips allow FTP to any_internet_dest anytime

ISA needs to match one rule in "protocol rules" and in "site and content rules" to allow the request, so:

* Protocol Rules
FTP allow anytime applies-to(all_snat_ips)
HTTP allow anytime applies-to(all_snat_ips)

* Site and content Rules:
RuleName = OpenAccess
Destinations = All
Schedule = Always
Action = Allow
AppliesTo = all_snat_ips
HTTP Content = All content Groups

I need an "OpenAccess rule" to grant HTTP to all internet destinations. But in doing so I also permit FTP, and I don't like it.

The problem is that I can't associate the protocol, source and destination in the same rule, and ISA doesn't use sequence; it only processes deny rules before allow rules.

Note: The client set "some_snat_ips" is part of the client set "all_snat_ips".

Any suggestions?

Regards,

Morvan Daniel Muller
morvan@xxxxxxxxxxxxxxx
Support Analyst - Softplan/Poligraph
Certified Quality System - ISO9001 - BRTUV/INMETRO
Phone: 0XX(48)333-0389
Florianópolis - SC
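
The rule evaluation described in this thread (a request needs an allow match in both the protocol rules and the site and content rules, and deny rules are processed before allow rules), as an added example that is not part of either message and is not ISA Server code. It is a simplified Python model; the IP addresses, host names and helper names are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed client sets; some_snat_ips is a subset of all_snat_ips, as in the post.
SOME_SNAT_IPS = {"10.0.0.10"}
ALL_SNAT_IPS = SOME_SNAT_IPS | {"10.0.0.20"}
ANY = "*"  # wildcard destination used by this model

@dataclass(frozen=True)
class ProtocolRule:  # protocol + client set, no destination
    action: str
    protocol: str
    clients: frozenset
    def matches(self, client, protocol, dest):
        return client in self.clients and protocol == self.protocol

@dataclass(frozen=True)
class SiteContentRule:  # destination + client set, no protocol
    action: str
    destination: str
    clients: frozenset
    def matches(self, client, protocol, dest):
        return client in self.clients and self.destination in (ANY, dest)

def evaluate(client, protocol, dest, protocol_rules, site_rules):
    """Allowed only if no deny matches and each rule set has a matching allow."""
    for rules in (protocol_rules, site_rules):
        hits = [r.action for r in rules if r.matches(client, protocol, dest)]
        if "deny" in hits or "allow" not in hits:
            return False
    return True

# The rule set from the original message.
BASE_PROTOCOL = [ProtocolRule("allow", p, frozenset(ALL_SNAT_IPS)) for p in ("FTP", "HTTP")]
OPEN_ACCESS = [SiteContentRule("allow", ANY, frozenset(ALL_SNAT_IPS))]

# The reply's suggestion; a protocol rule has no destination, so it covers every FTP target.
DENY_FTP = ProtocolRule("deny", "FTP", frozenset(ALL_SNAT_IPS - SOME_SNAT_IPS))
WITH_DENY = BASE_PROTOCOL + [DENY_FTP]

def report(protocol_rules):
    """Map (client, protocol, destination) -> allowed for a few constructed requests."""
    cases = [(c, p, d) for c in sorted(ALL_SNAT_IPS)
             for p, d in (("HTTP", "www.example.com"), ("FTP", "ftp.example.com"),
                          ("FTP", "my_public_ftp_server"))]
    return {case: evaluate(*case, protocol_rules, OPEN_ACCESS) for case in cases}

if __name__ == "__main__":
    for case, allowed in report(WITH_DENY).items():
        print(case, "ALLOW" if allowed else "DENY")
```
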