Allowing Overlapping External Subnets When Defining Security Policy Scope
This document explains the conditions under which overlapping external subnets can be included in a security policy scope and the precedence rules governing their application.
Notes
The highest precedence security policy takes effect when multiple policies overlap.
Subnets not allocated to an existing policy can be assigned to another security policy under the same account.
Public IP addresses or subnets cannot overlap between organizations.
A notification is generated when an attempt is made to add a public IP address or subnet that another organization has already registered.
When defining the scope of a security policy for an external network protected by the DNS firewall, you can include subnets that overlap with IP addresses, hosts, or subnets already defined in other security policies within the same organization. Where scopes overlap, the precedence of the security policies decides which one takes effect: the policy with the highest precedence is applied to the overlapping IP addresses, hosts, or subnets. A subnet that is not assigned to any existing security policy can also be added to a different security policy under the same account.
If a public IP address or subnet is added to an organization's security policy but has already been registered by another organization, the addition is rejected and the organization attempting it receives a notification, because public IP addresses and subnets cannot overlap between organizations. Note that the restriction applies across organizations only; within one organization, overlapping scopes are permitted and resolved by precedence.
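The two rules above, overlap within an organization resolved by precedence and public overlap refused across organizations, are modelled below as an added example. This is illustrative code written for this page, not the product's own code or API: the policy object, the numbering in which precedence 1 is the highest, the notification strings, and the sample prefixes (1.2.3.0/24 standing in for public address space, 10.0.0.0/8 for private) are all assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Policy:
    """Hypothetical security policy record (not the product's data model)."""
    name: str
    org: str
    precedence: int                             # assumption: 1 is the highest precedence
    scope: list = field(default_factory=list)   # external subnets as ip_network objects


class PolicyStore:
    """Toy in-memory store holding every organization's policies."""

    def __init__(self):
        self.policies = []

    def add_policy(self, name, org, precedence):
        policy = Policy(name, org, precedence)
        self.policies.append(policy)
        return policy

    def check_subnet(self, org, subnet):
        """Return the notifications that adding `subnet` to one of `org`'s
        policies would raise. An empty list means the addition is allowed."""
        net = ipaddress.ip_network(subnet, strict=False)
        notes = []
        for p in self.policies:
            for existing in p.scope:
                if not net.overlaps(existing):
                    continue
                if p.org == org:
                    # Same organization: overlap is allowed; precedence
                    # decides later which policy takes effect.
                    continue
                # Another organization: public space must not overlap.
                # ipaddress.is_global treats RFC 1918, CGNAT and the
                # documentation ranges as non-global, so private overlaps pass.
                if net.is_global or existing.is_global:
                    notes.append(
                        f"{net} overlaps {existing}, already registered by "
                        f"another organization (policy {p.name!r})"
                    )
        return notes

    def add_subnet(self, policy, subnet):
        """Add `subnet` to `policy` unless the cross-organization rule forbids it.
        Returns the notifications; the subnet is only stored when there are none."""
        notes = self.check_subnet(policy.org, subnet)
        if not notes:
            policy.scope.append(ipaddress.ip_network(subnet, strict=False))
        return notes

    def effective_policy(self, org, address):
        """Policy that takes effect for `address` in `org`: the highest
        precedence among all of the org's policies whose scope contains it."""
        ip = ipaddress.ip_address(address)
        matches = [p for p in self.policies
                   if p.org == org and any(ip in n for n in p.scope)]
        return min(matches, key=lambda p: p.precedence) if matches else None


if __name__ == "__main__":
    store = PolicyStore()
    default = store.add_policy("default", "org-a", precedence=20)
    strict = store.add_policy("strict", "org-a", precedence=10)
    # Constructed sample prefixes for the demonstration.
    store.add_subnet(default, "1.2.3.0/24")
    store.add_subnet(default, "10.0.0.0/16")
    print(store.add_subnet(strict, "1.2.3.128/25"))            # same org: allowed
    print(store.effective_policy("org-a", "1.2.3.200").name)   # strict, precedence 10 wins
    print(store.effective_policy("org-a", "1.2.3.5").name)     # default, no overlap there
    other = store.add_policy("other", "org-b", precedence=10)
    print(store.add_subnet(other, "1.2.3.0/25"))               # public overlap across orgs: refused
    print(store.add_subnet(other, "10.0.0.0/8"))               # private overlap across orgs: allowed
```

The check deliberately compares against every policy in the store rather than only the caller's organization, since the cross-organization rule can only be enforced with a global view of registered public space; within an organization nothing is rejected, and `effective_policy` is where the precedence rule is applied.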
For more information on network scope, see Configuring Network Scopes.