Configure a firewall rule to manage inbound and outbound traffic
Firewall rules can be configured at the Profile and Edge levels to allow, drop, reject, or skip traffic. When the stateful firewall feature is enabled, the rules are evaluated against both inbound and outbound traffic; with a stateless firewall, the rules filter outbound traffic only. A rule can match on domain names, protocols, object groups, applications, DSCP tags, interfaces, MAC addresses, ports, and VLAN IDs. The rule's action is applied to packets that meet all of its match conditions; rules are evaluated in order, and a packet that matches no rule receives the default action.
To configure a firewall rule at the Profile level in the New Orchestrator user interface, follow these steps.
Procedure
- In the Enterprise portal, go to Configure > Profiles. The Profiles page lists the existing profiles.
- Select the profile in which you want to configure a firewall rule and click the Firewall tab.
- Alternatively, on the Profiles page, click the View link in the Firewall column of the profile to go directly to its Firewall page.
- In the Firewall Rules section, click + NEW RULE. The Configure Rule dialog appears.
- In the Rule Name field, enter a descriptive name for the rule. To create the new rule from an existing one, select the rule to copy from the Duplicate Rule drop-down.
- In the Match section, configure the match conditions for the rule as follows:
- Address Type – By default, the IPv4 and IPv6 address types are selected; the options are IPv4, IPv6, and IPv4 and IPv6 (Mixed mode). The Source and Destination settings you can configure depend on the Address Type. Note that after an upgrade, firewall rules from the previous release are migrated as IPv4 rules.
- Source – Specifies the packet source. Choose one of the following:
  - Any – The default; matches traffic from any source address.
  - Object Group – Select a combination of an address group and a port group. Any domain names contained in the selected address group are ignored when matching the source.
  - Define – Restrict the source to a VLAN, an interface and IP address, a MAC address, or a transport port:
    - VLAN – Matches traffic from the VLAN selected in the drop-down. When a firewall rule uses a VLAN to match source or destination traffic, both local and remote VLANs are considered.
    - Interface and IP Address – Matches traffic from the selected interface and the specified IPv4 or IPv6 address. An interface that cannot be selected is either not enabled or not assigned to this segment. With the IPv4 and IPv6 (Mixed mode) address type, only the interface is used for matching. Together with the IP address, choose how the network is defined:
      - CIDR prefix – The network as a CIDR value, for example 172.10.0.0/16.
      - Subnet mask – The network as an address and subnet mask, for example 172.10.0.0 255.255.0.0.
      - Wildcard mask – Use this when the rule should apply to hosts that sit on different IP subnets but share the same host part of the address. The wildcard mask is the inverse of a subnet mask: a 0 bit in the mask means the corresponding address bit must match exactly, a 1 bit means that bit is a "don't care" and may be 0 or 1. For example, with a wildcard mask of 0.0.0.255 (binary 00000000.00000000.00000000.11111111) the first three octets of the address are fixed and the last octet can take any value. Wildcard masks are available for IPv4 addresses only.
    - MAC Address – Matches traffic from the specified MAC address.
    - Transport – Matches traffic from the source port or port range you specify.
- Destination – Specifies the packet destination. Choose one of the following:
  - Any – The default; matches traffic to any destination address.
  - Object Group – Select a combination of an address group and a port group.
  - Define – Restrict the destination to a VLAN, interface, IPv4 or IPv6 address, domain name, protocol, or port:
    - VLAN – Matches traffic to the VLAN selected in the drop-down. When a firewall rule uses a VLAN to match source or destination traffic, both local and remote VLANs are considered.
    - Interface – Matches traffic to the interface selected in the drop-down. An interface that cannot be selected is either not enabled or not assigned to this segment.
    - IP Address – Matches traffic to the specified IPv4 or IPv6 address or domain name. With the IPv4 and IPv6 (Mixed mode) address type, a destination IP address cannot be specified. As for the source, the address can be defined as a CIDR prefix, a subnet mask, or a wildcard mask. In the Domain Name field you can enter a full or partial domain name; for example, salesforce matches traffic to domain names that contain salesforce, such as salesforce.com.
    - Transport – Matches traffic to the destination port or port range you specify.
    - Protocol – Matches traffic for the protocol selected in the drop-down: GRE, ICMP, TCP, or UDP. ICMP is not supported with the IPv4 and IPv6 (Mixed mode) address type.
- Application – Choose one of the following:
  - Any – The default; the rule applies to any application.
  - Define – Select an application and a Differentiated Services Code Point (DSCP) tag that the rule matches. To match a rule on an application, the firewall relies on the DPI (Deep Packet Inspection) engine to identify which application a flow belongs to. The first packet of a flow is usually not enough for this; the DPI engine typically needs the first 5–10 packets of the flow to classify the application, but the firewall must classify and forward the flow from the first packet. The first flow can therefore match a broader rule in the firewall list. Once the application has been identified, subsequent flows with the same tuples are reclassified automatically and hit the intended rule. In practice this means an application-based drop rule does not stop the first few packets of the first flow of that application; if those packets must not be forwarded, use a rule that matches on addresses, ports, or protocol in addition to, or instead of, the application.
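To make the match semantics concrete, the following Python model of the rule evaluation described in this table is added here as an example; it is not Orchestrator code and calls no VMware API. It implements CIDR, subnet-mask and wildcard-mask address matching, protocol and destination-port matching, and a first-match rule list with a default action, and it simulates the DPI behaviour from the Application field: a flow's application is only known after a few packets (assumed to be 5 here, within the 5–10 the text quotes), so the first packets of a flow can hit a broader rule before the application rule takes effect. The rule names, addresses, the 5-packet threshold and the treatment of the skip action as "make no decision and continue" are assumptions of the example, not facts from the page.

```python
"""Added example: toy first-match firewall evaluator modelling the match
options of the table above. Not VMware SD-WAN code; assumptions are marked."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Matcher = Callable[[str], bool]  # address string -> does it match?


def cidr(prefix: str) -> Matcher:
    """Match an address inside a CIDR prefix, e.g. 172.10.0.0/16."""
    net = ipaddress.ip_network(prefix, strict=False)
    return lambda a: ipaddress.ip_address(a) in net


def subnet(network: str, mask: str) -> Matcher:
    """Match with a dotted subnet mask, e.g. 172.10.0.0 255.255.0.0."""
    net = ipaddress.ip_network(f"{network}/{mask}", strict=False)
    return lambda a: ipaddress.ip_address(a) in net


def wildcard(pattern: str, mask: str) -> Matcher:
    """Wildcard mask (IPv4 only): a 0 bit in the mask is fixed, a 1 bit is
    'don't care'. 0.0.0.255 fixes the first three octets; 0.0.255.0 fixes all
    but the third octet, i.e. the same host address on many /24 subnets."""
    fixed = ~int(ipaddress.IPv4Address(mask)) & 0xFFFFFFFF
    want = int(ipaddress.IPv4Address(pattern)) & fixed
    return lambda a: (int(ipaddress.IPv4Address(a)) & fixed) == want


@dataclass
class Flow:
    src: str
    dst: str
    proto: str                 # tcp | udp | icmp | gre
    dport: int
    app: Optional[str] = None  # None until DPI has classified the flow


@dataclass
class Rule:
    name: str
    action: str                               # allow | drop | reject | skip
    src: Optional[Matcher] = None             # None means Any
    dst: Optional[Matcher] = None
    proto: Optional[str] = None
    dports: Optional[Tuple[int, int]] = None  # inclusive destination port range
    app: Optional[str] = None                 # only matches a classified flow

    def matches(self, f: Flow) -> bool:
        return ((self.src is None or self.src(f.src))
                and (self.dst is None or self.dst(f.dst))
                and (self.proto is None or f.proto == self.proto)
                and (self.dports is None or self.dports[0] <= f.dport <= self.dports[1])
                and (self.app is None or f.app == self.app))


def evaluate(rules: List[Rule], flow: Flow, default: str) -> Tuple[str, str]:
    """First matching rule wins; otherwise the default action applies.
    Assumption: 'skip' makes no decision and evaluation continues."""
    for rule in rules:
        if rule.matches(flow) and rule.action != "skip":
            return rule.name, rule.action
    return "default", default


class DpiFirewall:
    """Per-packet evaluation with a simulated DPI engine: the app of a flow is
    learned after `packets_to_classify` packets (assumed 5) and reused for
    later flows with the same tuples, as the Application field describes."""

    def __init__(self, rules: List[Rule], default: str, packets_to_classify: int = 5):
        self.rules, self.default, self.n = rules, default, packets_to_classify
        self.learned: Dict[Tuple[str, str, str, int], str] = {}

    def classify(self, flow: Flow, packet_no: int, dpi_verdict: str) -> Tuple[str, str]:
        key = (flow.src, flow.dst, flow.proto, flow.dport)
        if key in self.learned:
            flow.app = self.learned[key]
        elif packet_no >= self.n:  # DPI has now seen enough packets to decide
            self.learned[key] = flow.app = dpi_verdict
        return evaluate(self.rules, flow, self.default)


# Constructed sample policy: application rule, wildcard-mask address rule,
# then a broad port-based allow. Default action is drop.
RULES = [
    Rule("drop-p2p", "drop", app="bittorrent"),
    Rule("guest-to-gateways", "drop", src=cidr("10.50.0.0/16"),
         dst=wildcard("10.0.0.1", "0.0.255.0")),  # any 10.0.x.1 gateway
    Rule("allow-web", "allow", proto="tcp", dports=(80, 443)),
]


def demo() -> List[str]:
    """Names of the rules hit by a constructed packet sequence."""
    fw = DpiFirewall(RULES, default="drop")
    hits = []
    # BitTorrent hiding on TCP/443: until DPI classifies it, the first packets
    # match the broader allow-web rule rather than drop-p2p.
    f1 = Flow("10.20.0.8", "203.0.113.9", "tcp", 443)
    for pkt in range(1, 7):
        hits.append(fw.classify(f1, pkt, dpi_verdict="bittorrent")[0])
    # A later flow with the same tuples is reclassified from its first packet.
    f2 = Flow("10.20.0.8", "203.0.113.9", "tcp", 443)
    hits.append(fw.classify(f2, 1, dpi_verdict="bittorrent")[0])
    # Guest host to a .1 gateway on another /24: the wildcard-mask rule fires.
    hits.append(evaluate(RULES, Flow("10.50.3.4", "10.0.7.1", "udp", 53), "drop")[0])
    # Ordinary web traffic, then ICMP that matches nothing (default action).
    hits.append(evaluate(RULES, Flow("10.20.0.8", "198.51.100.5", "tcp", 80), "drop")[0])
    hits.append(evaluate(RULES, Flow("10.20.0.8", "198.51.100.5", "icmp", 0), "drop")[0])
    return hits


if __name__ == "__main__":
    print(demo())
```

Running the script prints the rule hit for each packet: four allow-web hits for the first four packets of the disguised BitTorrent flow, then drop-p2p once DPI has classified it and for every later flow with the same tuples. That leak through the broader rule is exactly the window the Application field describes, and it is why a drop that must hold from the first packet should match on address, port or protocol rather than on application alone.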