Using firewall rules, the administrator can allow or deny any type of transit network traffic that passes through UserGate NGFW. Source/destination zones or IP addresses, users, groups, and services can all be used as rule conditions.
Firewall rule trigger events are displayed in the traffic log (Logs and reports ➜ Traffic) when Logging is enabled in the rule settings.
To activate IDPS or L7 firewall inspection, IDPS or applications profiles containing the relevant signature sets can be added to the firewall's allow rules. When these signatures are encountered, the actions configured for them are taken and the corresponding entries are written to the logs (the Traffic log for applications, the IDPS log for IDPS), provided Logging was enabled for the signatures.
To create a firewall rule, go to the Network policies ➜ Firewall section, click Add, and provide the desired settings.
For a rule to be triggered, all conditions specified in the rule's settings must match.
| Name | Description |
|---|---|
| Enabled | Enables or disables the rule. |
| Name | The name of the rule. |
| Description | A description of the rule. |
| Action | Deny: blocks the traffic. Allow: allows the traffic. |
| Applications Profile | An applications profile created earlier in the Libraries ➜ Applications profiles section. An applications profile contains a set of relevant application signatures intended for use in firewall rules for traffic analysis at Layer 7 of the OSI model. For more details on creating and configuring applications profiles, see the section Applications Profiles. Important! An applications profile is an additional setting that activates traffic analysis at Layer 7 of the OSI model. It can only be used in firewall rules that allow traffic. |
| IDPS profile | An IDPS profile created earlier in the Libraries ➜ IDPS profiles section. An IDPS profile is a set of relevant signatures used for detecting intrusions and protecting certain services. For more details on creating and configuring IDPS profiles, see the section IDPS Profiles. Important! An IDPS profile is an additional setting that activates an IDPS rule. It can only be used in firewall rules that allow traffic. |
| Reject with | This parameter is available in rules that block traffic (with the Deny action selected). It can take one of the following values: |
| Scenario | The scenario that must be active for the rule to be triggered. For more details on how scenarios work, see the Scenarios section. Important! A scenario is an additional condition. If the scenario was not triggered (one or more scenario triggers did not occur), the rule will not be triggered. |
| Logging | Logs traffic information when the rule is triggered. The available options are: |
| Source | The zone, IP address lists, Geo-IP address lists, or URL lists of the traffic source. The URL list must include only domain names. Every 5 minutes NGFW resolves the domain names into IP addresses and stores the result in its internal cache for the DNS record's time-to-live (TTL). When the TTL expires, NGFW automatically updates the IP address value. Important! The maximum number of GeoIPs that can be specified is limited to 15. Important! The traffic processing logic is as follows: |
| Users | The list of users or groups to which this rule is applied. The Any, Unknown, and Known user types can be used. To apply rules to specific users or Known users, user identification needs to be configured. For more details on user identification, see the Users and Devices chapter. |
| Destination | The zone, IP address lists, Geo-IP address lists, or URL lists of the traffic destination. The URL list must include only domain names. Every 5 minutes NGFW resolves the domain names into IP addresses and stores the result in its internal cache for the DNS record's time-to-live (TTL). When the TTL expires, NGFW automatically updates the IP address value. Important! The maximum number of GeoIPs that can be specified is limited to 15. Important! The traffic processing logic is as follows: |
| Service | The service type, such as HTTP or HTTPS. |
| Time | The time periods when the rule is active. |
| HIP profiles | HIP profiles created in the Libraries ➜ HIP profiles section. A HIP profile is a set of HIP objects used to check whether the device meets the security (compliance) requirements. For more details on creating and configuring HIP profiles, see the HIP Profiles section. Important! If the HIP profile is disabled, it is marked in gray and the firewall rule continues to work without the compliance check. |
| Usage | The trigger statistics for the rule: the total trigger count, the time of the first and last trigger, and triggers by application. To reset the trigger count, select the rules in the list and click Reset hit counts. |
| History | The time the rule was created and last changed, as well as the related event log entries, such as rule added, rule updated, rule list position changed, etc. |
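The rule semantics described above (every configured condition must match, an unset condition means Any, the Any/Known/Unknown user types, profiles usable only in allow rules, hit counts and traffic-log entries on trigger) as an added illustrative model; this is example code written for this page, not UserGate's own implementation. The `Rule` fields, the packet dictionary keys and the final "no match means deny" outcome are assumptions of the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    name: str
    action: str                                   # "allow" or "deny"
    enabled: bool = True
    src_zones: set = field(default_factory=set)   # empty condition = Any
    dst_zones: set = field(default_factory=set)
    src_nets: list = field(default_factory=list)  # CIDR strings (IP address lists)
    users: set = field(default_factory=set)       # user names and/or Any, Known, Unknown
    services: set = field(default_factory=set)
    app_profile: str = ""
    idps_profile: str = ""
    logging: bool = False
    hits: int = 0                                 # the "Usage" trigger count

def validate(rule):
    """Return the misconfiguration the documentation warns about, if present."""
    if rule.action == "deny" and (rule.app_profile or rule.idps_profile):
        return ["L7/IDPS profiles can only be used in allow rules"]
    return []

def _user_ok(rule, user):
    if not rule.users or "Any" in rule.users:
        return True
    if user is None:                              # user identification did not succeed
        return "Unknown" in rule.users
    return "Known" in rule.users or user in rule.users

def matches(rule, pkt):
    """Every condition set on the rule must match (AND semantics); unset = Any."""
    return (rule.enabled
            and (not rule.src_zones or pkt["src_zone"] in rule.src_zones)
            and (not rule.dst_zones or pkt["dst_zone"] in rule.dst_zones)
            and (not rule.src_nets
                 or any(ip_address(pkt["src"]) in ip_network(n) for n in rule.src_nets))
            and _user_ok(rule, pkt.get("user"))
            and (not rule.services or pkt["service"] in rule.services))

def evaluate(rules, pkt, log):
    """First matching rule wins; update its hit count and, if Logging is on, the traffic log."""
    for rule in rules:
        if matches(rule, pkt):
            rule.hits += 1
            if rule.logging:
                log.append(f"{rule.name}: {rule.action} {pkt['src']} -> {pkt['dst']} {pkt['service']}")
            return rule.action
    return "deny"  # assumption for this example: no matching rule means the traffic is dropped
```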