allowed access through it. Matching traffic from the user or members of the user group will be given access,
and matching traffic from anyone else will be denied access. For multiple user groups to be allowed access,
create a single parent user group containing all of them as members and set a single rule specifying that
parent group as the users allowed.

A shortcoming in the rule configuration allows rules to be created that are identical in all but the user
group information. If two such rules were created, the first one (higher priority) would always be
matched, and the other would never take effect. This behavior may be changed in some future version of SonicOS to
allow rule matching on the entire rule at once, so as to allow multiple allow rules for different groups.

Also note that Deny rules cannot be created that specify any user or group. The reason is that if you were to
create a rule to deny access for specific users, a user could bypass it and get access simply by logging out (a
user who is not logged in is unknown and therefore not a member of the user group to be denied). To deny
access to specific users, you must create a rule with users allowed set to a user group that contains everyone
who is to be allowed access, and make sure that the users to be denied are not members of it.
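
The following is an added example, not SonicOS code or part of the original guide: a simplified Python model of the matching order described above, with an audit helper that flags rules identical in all but the user group. The rule fields, group names and user names are constructed for illustration, and a lower priority number is assumed to mean higher priority.

```python
from collections import namedtuple

# Simplified model; field names are assumptions, not the SonicOS schema.
# A lower priority number means the rule is evaluated first (assumed).
Rule = namedtuple("Rule", "priority src dst service users")

def expand(groups, name):
    """Flatten a group whose members may themselves be groups."""
    out = set()
    for member in groups.get(name, set()):
        out |= expand(groups, member) if member in groups else {member}
    return out

def evaluate(rules, traffic, user, groups):
    """The first rule matching the traffic decides; users are checked afterwards."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if (rule.src, rule.dst, rule.service) == traffic:
            # A logged-out user (None) is unknown and belongs to no group.
            return "allow" if user in expand(groups, rule.users) else "deny"
    return "deny"  # default deny when nothing matches (assumed for this model)

def find_shadowed(rules):
    """Return (winner, shadowed) pairs for rules identical in all but the user group."""
    winners, shadowed = {}, []
    for rule in sorted(rules, key=lambda r: r.priority):
        key = (rule.src, rule.dst, rule.service)
        if key in winners:
            shadowed.append((winners[key], rule))
        else:
            winners[key] = rule
    return shadowed

# Constructed sample data: two groups and a parent group containing both.
GROUPS = {"Engineering": {"alice"}, "Finance": {"bob"},
          "WebUsers": {"Engineering", "Finance"}}
HTTPS = ("LAN", "WAN", "HTTPS")
SPLIT = [Rule(1, "LAN", "WAN", "HTTPS", "Engineering"),
         Rule(2, "LAN", "WAN", "HTTPS", "Finance")]   # rule 2 never takes effect
MERGED = [Rule(1, "LAN", "WAN", "HTTPS", "WebUsers")]  # single parent-group rule

if __name__ == "__main__":
    for winner, loser in find_shadowed(SPLIT):
        print(f"rule {loser.priority} ({loser.users}) is shadowed by "
              f"rule {winner.priority} ({winner.users})")
    for user in ("alice", "bob", None):
        print(user, evaluate(SPLIT, HTTPS, user, GROUPS),
              evaluate(MERGED, HTTPS, user, GROUPS))
```

With the split rules, the Finance member is denied because the Engineering rule is matched first; with the single parent-group rule both members are allowed, and a logged-out user is denied in either case because access depends on membership of the allowed group.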