
Fix internet access audit to recognize IP/CIDR and zone-scoped firewall rules #220

Merged
tvancott42 merged 3 commits into main from feature/fix-ip-cidr-audit
Feb 5, 2026

Conversation

tvancott42 (Collaborator) commented Feb 5, 2026

Summary

  • IP/CIDR firewall rules now recognized - The internet access audit only recognized firewall rules with Source: Network. Rules that block internet via IP/CIDR-based sources (e.g., 192.168.99.0/24) were ignored, causing false "Has Internet" findings.
  • Zone-aware rule matching - Firewall rules scoped to a custom zone no longer falsely match networks in other zones. Source and destination zone checks are now centralized so all audit checks benefit.
  • Improved debug logging - Internet block detection now logs the source match type and zone info, making it easier to diagnose audit results on deployed sites.

Test plan

  • 21 new tests covering IP/CIDR sources, zone matching, zone mismatches, and null zones
  • dotnet build - 0 warnings, dotnet test - 4,594 tests pass
  • Deployed to two UCG-Fiber test sites, ran audits, verified sourceMatch=IP in logs for CIDR-based rules
  • Switched one site to FW-based Internet blocking and Isolation on a couple of VLANs, verified fixes work

IsInternetBlockedViaFirewall only checked SourceMatchingTarget == "NETWORK",
missing rules that block via IP/CIDR sources. Use AppliesToSourceNetwork()
which handles NETWORK, IP/CIDR, and ANY source types. Also fixed the same
issue in FirewallRuleAnalyzer.MatchesInternetTrafficPattern().
AppliesToSourceNetwork and AppliesToDestinationNetwork now check that the
rule's zone matches the network's zone before matching by ID, IP/CIDR, or
ANY. This prevents rules scoped to a custom zone from falsely matching
networks in other zones. Removed redundant zone checks from HasNetworkPair
since the logic is now centralized. Added InternalsVisibleTo for direct
unit testing of internal methods.
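The matching order the commit message describes (zone check first, then NETWORK id, IP/CIDR, or ANY) is easy to get subtly wrong, so here is a stand-alone Python illustration of it. This is added example code, not the project's C# implementation: the `Network` and `FirewallRule` fields, the `EXTERNAL_ZONE` name used to spot internet-bound rules, the "rule CIDR must cover the whole network subnet" convention, and all sample data are assumptions made for the demo. It keeps the old NETWORK-only check next to the zone-aware one so the false "Has Internet" result is visible.

```python
"""Zone-aware firewall rule matching for an internet-access audit.

Hypothetical re-implementation of the logic described in PR #220; the real
project is C# and its type names, fields and zone identifiers differ.
"""
from dataclasses import dataclass, field
from ipaddress import ip_network
from typing import Optional

# Assumed identifier of the internet-facing zone (not from the project).
EXTERNAL_ZONE = "external"


@dataclass
class Network:
    id: str
    subnet: str                 # e.g. "192.168.99.0/24"
    zone_id: Optional[str]      # None when the controller reports no zone


@dataclass
class FirewallRule:
    id: str
    action: str                       # "BLOCK" or "ALLOW"
    source_matching_target: str       # "NETWORK", "IP" or "ANY"
    source_network_ids: list = field(default_factory=list)
    source_ips: list = field(default_factory=list)  # host IPs or CIDRs
    source_zone_id: Optional[str] = None
    destination_zone_id: Optional[str] = None


def applies_to_source_network_old(rule: FirewallRule, network: Network) -> bool:
    """Pre-fix behaviour: only NETWORK-targeted rules can ever match."""
    return (rule.source_matching_target == "NETWORK"
            and network.id in rule.source_network_ids)


def _zone_matches(rule_zone: Optional[str], network_zone: Optional[str]) -> bool:
    # A rule with no zone is unscoped; a zoned rule must match the network's zone.
    return rule_zone is None or rule_zone == network_zone


def _cidr_covers(sources: list, subnet: str) -> bool:
    """True if any rule source CIDR contains the whole network subnet.

    Design choice (assumption): a rule that only covers part of the network,
    e.g. a single /32 host, is not treated as blocking the network.
    """
    net = ip_network(subnet, strict=False)
    for src in sources:
        try:
            cand = ip_network(src, strict=False)
        except ValueError:
            continue  # skip unparsable entries instead of failing the audit
        if cand.version == net.version and net.subnet_of(cand):
            return True
    return False


def applies_to_source_network(rule: FirewallRule, network: Network) -> Optional[str]:
    """Zone check first, then match by NETWORK id, IP/CIDR, or ANY.

    Returns the source match type ("NETWORK", "IP", "ANY") for logging,
    or None when the rule does not apply to this network.
    """
    if not _zone_matches(rule.source_zone_id, network.zone_id):
        return None
    target = rule.source_matching_target
    if target == "NETWORK" and network.id in rule.source_network_ids:
        return "NETWORK"
    if target == "IP" and _cidr_covers(rule.source_ips, network.subnet):
        return "IP"
    if target == "ANY":
        return "ANY"
    return None


def find_internet_block(network: Network, rules: list, matcher=applies_to_source_network):
    """Return (rule id, sourceMatch) of the first rule blocking internet for the network."""
    for rule in rules:
        if rule.action != "BLOCK" or rule.destination_zone_id != EXTERNAL_ZONE:
            continue
        match = matcher(rule, network)
        if match:
            return (rule.id, match)
    return None


# Constructed sample data for the demo.
NET_GUEST = Network("net-guest", "192.168.99.0/24", "internal")
NET_IOT = Network("net-iot", "10.20.0.0/24", "iot")
NET_NOZONE = Network("net-legacy", "10.30.0.0/24", None)

RULE_CIDR_BLOCK = FirewallRule("r1", "BLOCK", "IP", source_ips=["192.168.99.0/24"],
                               source_zone_id="internal", destination_zone_id=EXTERNAL_ZONE)
RULE_IOT_ANY_BLOCK = FirewallRule("r2", "BLOCK", "ANY",
                                  source_zone_id="iot", destination_zone_id=EXTERNAL_ZONE)
RULES = [RULE_CIDR_BLOCK, RULE_IOT_ANY_BLOCK]


def demo():
    old = find_internet_block(NET_GUEST, RULES, matcher=lambda r, n: applies_to_source_network_old(r, n))
    new = find_internet_block(NET_GUEST, RULES)
    return {"old": old, "new": new, "iot": find_internet_block(NET_IOT, RULES),
            "nozone": find_internet_block(NET_NOZONE, RULES)}


if __name__ == "__main__":
    print(demo())
```

With the old matcher the guest network reports no block (a false "Has Internet"); with the zone-aware matcher it reports `("r1", "IP")`, and the IoT-zone ANY rule no longer leaks onto networks in other zones.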
@tvancott42 tvancott42 merged commit 2f4e4c8 into main Feb 5, 2026
1 check passed
@tvancott42 tvancott42 deleted the feature/fix-ip-cidr-audit branch February 5, 2026 19:21