SonicWall does not allow two access rules that are identical except for the Users Included/Excluded fields. This KB article shows how this restriction can be worked around.
Let us assume a scenario with two user groups, Group A and Group B. Group A must be allowed access to all services from LAN to WAN. Group B must be allowed access only to HTTP, HTTPS and DNS.
Perform the following steps to achieve this:
1. Create a user group with both Group A and Group B as members. Let's call this group All Groups.
2. Create a Service Group with HTTP, HTTPS and DNS as member services. Let's call this group Web Traffic.
3. Create the following LAN to WAN allow Access Rules:
Rule 1: Src=Any, Dst = Any, Srv=Web Traffic, User=All Groups
Rule 2: Src=Any, Dst = Any, Srv=Any, User=Group A
With the above rules, when members of Group A or Group B try to browse the web, Rule 1 is matched and the user is allowed.
When a member of Group A tries to log in to an FTP server on the WAN, Rule 2 is matched and the user is allowed.
When a member of Group B tries to log in to an FTP server on the WAN (or to use any service other than HTTP, HTTPS or DNS), the user is denied access: the traffic does not match Rule 1, which covers only HTTP/HTTPS/DNS, and Rule 2 allows only Group A. This relies on no later LAN to WAN rule permitting the traffic, so check that these two user-based rules sit above any broader allow rule; access rules are evaluated in order and the first match wins.
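The following is an added example, not part of the SonicWall KB article and not SonicWall code: a small first-match simulation of the two rules above, used to check that each user/service combination gets the intended verdict. The user names, group memberships, the FTP test traffic and the trailing "Default LAN to WAN" rule are all constructed for illustration; the model also assumes that a rule whose user field does not include the current user simply does not match and evaluation continues to the next rule.

```python
"""Added example (not from the SonicWall KB): first-match simulation of
Rule 1 (Web Traffic, All Groups) and Rule 2 (Any, Group A) for LAN to WAN.
All users, memberships and test traffic below are constructed."""
from dataclasses import dataclass

# Constructed user-to-group memberships (hypothetical users).
USER_GROUPS = {
    "alice": {"Group A"},
    "bob": {"Group B"},
    "carol": set(),            # authenticated, but in neither group
}

# Nested group exactly as the KB describes: All Groups = Group A + Group B.
GROUP_MEMBERS = {"All Groups": {"Group A", "Group B"}}

# Service group from step 2 of the procedure.
SERVICE_GROUPS = {"Web Traffic": {"HTTP", "HTTPS", "DNS"}}


@dataclass(frozen=True)
class Rule:
    name: str
    service: str        # a service name, a service group name, or "Any"
    users: str          # a user group name, or "Any"
    action: str = "allow"


def expand_group(group, table):
    """Flatten nested user groups, e.g. All Groups -> {All Groups, Group A, Group B}."""
    out = {group}
    for member in table.get(group, ()):
        out |= expand_group(member, table)
    return out


def service_matches(rule_service, service):
    if rule_service == "Any":
        return True
    return service == rule_service or service in SERVICE_GROUPS.get(rule_service, ())


def user_matches(rule_users, user):
    if rule_users == "Any":
        return True
    allowed = expand_group(rule_users, GROUP_MEMBERS)
    return bool(USER_GROUPS.get(user, set()) & allowed)


def evaluate(rules, user, service, default="deny"):
    """Evaluate rules top-down; first full match (service AND user) wins.
    Model assumption: a rule whose user field excludes the user does not
    match at all, so evaluation falls through to later rules and finally
    to the default action."""
    for rule in rules:
        if service_matches(rule.service, service) and user_matches(rule.users, user):
            return rule.action, rule.name
    return default, "default"


# The two rules from step 3, in the order they must appear on the firewall.
RULES = [
    Rule("Rule 1", service="Web Traffic", users="All Groups"),
    Rule("Rule 2", service="Any", users="Group A"),
]

if __name__ == "__main__":
    for user, service in [("alice", "HTTPS"), ("bob", "HTTPS"),
                          ("alice", "FTP"), ("bob", "FTP"), ("carol", "HTTPS")]:
        print(user, service, "->", evaluate(RULES, user, service))
    # Ordering check: a broader allow rule placed after these two would let
    # Group B reach FTP, defeating the purpose of the user-based rules.
    print("bob FTP with trailing allow-all ->",
          evaluate(RULES + [Rule("Default LAN to WAN", "Any", "Any")], "bob", "FTP"))
```

The last call shows why rule order matters: with a permissive catch-all rule after Rule 1 and Rule 2, Group B's FTP traffic is allowed by the catch-all rather than denied, so the user-based rules must be placed above it.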
This is applicable to both ULA (user-level authentication) and SSO based authentication.