Configuring Firewall Rules

You configure a firewall at the network-policy firewall level. For more details on the command structure, see Configuring Rules Using UPL.

Admin@nodename# create network-policy firewall

Firewall rule parameters (each parameter is followed by its description):

PASS / DENY

Firewall rule action:

  • PASS: allow the traffic.

  • DENY: deny the traffic.

enabled

Enable or disable the rule:

  • enabled(yes) or enabled(true): the rule is enabled.

  • enabled(no) or enabled(false): the rule is disabled.

name

Firewall rule name.

Example: name("Rule example").

desc

A description of the rule.

Example: desc("Firewall rule example configured in CLI").

ips_profile

IDPS profile. For more details about how to create and configure IDPS profiles using CLI, see Configuring IDPS Profiles.

Example: ips_profile("Test ips profile").

l7_profile

The applications profile. For more details about how to create and configure applications profiles using CLI, see Configuring Application Profiles.

Example: l7_profile("Test application-profile").

reject_with

This setting is available for rules with the DENY action:

  • reject_with(no): block traffic without sending a reject message to the source

  • reject_with("host_unreach"): block traffic and send an "ICMP host unreachable" message

  • reject_with("tcp_rst"): block traffic and send a "TCP connection reset" message

    Important! If Send TCP reset is selected, you need to specify a service that uses the TCP protocol (for more details about how to add and configure services, see the section "Configuring Services").

  • reject_with("tcp_reset-both"): block traffic and send a "TCP connection reset" message to both the client and the server.

scenario

Scenario that needs to be active for the rule to trigger.

To specify a scenario: scenario = "Example of a scenario".

For more details on configuring scenarios, see Configuring scenarios.

rule_log

Log traffic information if the rule is triggered. The available options are:

  • rule_log(no) or rule_log(false): disable logging. If rule_log is not specified, logging is disabled.

  • rule_log(yes) or rule_log(true): log all network packets without any limits. To set a limit, specify the number of events to be logged per time unit (s for second, min for minute, h for hour, d for day; the minimum log limit is 5 packets per day) and the maximum number of packets logged per event. For example, rule_log(yes, "3/h", 5) enables logging with a limit of 3 events per hour and at most 5 packets per event.

  • rule_log(session): log the session start.

fragmented

Specify packets to which the firewall rule applies:

  • fragmented(yes) or fragmented(true): apply the rule to fragmented packets only

  • fragmented(no) or fragmented(false): apply the rule to unfragmented packets only

  • fragmented(all): apply the rule to all packets.

If fragmented is not specified, the firewall rule is applied to all packets.

src.zone

Traffic source zone.

To specify a source zone, such as Trusted: src.zone = Trusted.

For more details about how to configure zones using CLI, see the Zones section.

src.ip

Add source IP address or domain lists.

To specify a list of IP addresses: src.ip = lib.network(). Provide the list name in parentheses. For more details about how to create and configure IP address lists using CLI, see the Configuring IP addresses section.

To specify a source domain list: src.ip = lib.url(). Provide the URL to which the desired domains were added in parentheses. For more details about how to create and configure URL lists using the CLI, see the Configuring URL Lists section.

src.geoip

Source GeoIP. Specify a country code (for example, src.geoip = AE).

Country codes follow the ISO 3166-1 standard.

Important! The maximum number of GeoIPs that can be specified is limited to 15.

user

Users and user groups for which the firewall rule applies (local or LDAP).

To add LDAP groups and users, you need to have a correctly configured LDAP connector (for more information about configuring LDAP connectors via the CLI, see the Configuring LDAP Connectors section).

Examples of adding users to a rule:

  • user = known

  • user = "user"

  • user = "testd.local\\user1"

  • user = ("user", "testd.local\\user1")

dst.zone

Traffic destination zone.

To specify a destination zone, such as Untrusted: dst.zone = Untrusted.

For more details about how to configure zones using CLI, see the Zones section.

dst.ip

Add lists of destination IP addresses or domains.

To specify a list of IP addresses: dst.ip = lib.network(). Provide the list name in parentheses. For more details about how to create and configure IP address lists using CLI, see the Configuring IP addresses section.

To specify a destination domain list: dst.ip = lib.url(). Provide the URL to which the desired domains were added in parentheses. For more details about how to create and configure URL lists using the CLI, see the Configuring URL Lists section.

dst.geoip

Destination GeoIP. Specify a country code (for example, dst.geoip = AE).

Country codes follow the ISO 3166-1 standard.

Important! The maximum number of GeoIPs that can be specified is limited to 15.

service

Service type. You can specify a service or a services group (for more details, see Configuring services and Configuring services groups).

To specify a single service: service = "service name". To specify multiple services: service = (service-name1, service-name2, ...).

To specify a service group: service = lib.service(). Provide the services group name in parentheses.

time

Set a schedule for a rule.

To set a schedule: time = lib.time(). Specify a time set group name in parentheses. For more details on configuring time sets, see Configuring time sets.

Example command to create a firewall rule using UPL:

Admin@nodename# create network-policy firewall 1 upl-rule PASS \
...src.zone = Trusted \
...dst.zone = Untrusted \
...user = known \
...service = HTTP \
...rule_log(session) \
...name("Test firewall rule") \
...enabled(true)
...
Admin@nodename# show network-policy firewall 1
% ----------------- 1 -----------------
PASS \
user = known \
src.zone = Trusted \
dst.zone = Untrusted \
service = HTTP \
rule_log(session) \
enabled(true) \
id("1505d309-621b-4f88-a2e4-98667c477535") \
name("Test firewall rule")
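The parameter table above and the create/show example at the end can be checked before a rule is typed into the CLI. The following is an added example, not part of this documentation and not the product's own code: a small Python builder that renders a rule into the UPL syntax documented here and refuses rules that break the documented constraints (reject_with is only available with DENY, a TCP reset needs a TCP-based service, at most 15 GeoIP codes per rule, the rule_log minimum). The FirewallRule class, the TCP_SERVICES lookup, the tuple form for several GeoIP codes, applying the TCP-service requirement to tcp_reset-both as well, and reading the "5 packets per day" minimum as "at least 5 events per day" are all assumptions, not documented behaviour.

```python
"""Build and validate UPL firewall rules (added example, not product code)."""
from dataclasses import dataclass
from typing import Optional, Sequence

# Constructed lookup for the "Send TCP reset needs a TCP service" check.
# On a real node the protocol comes from the configured service itself.
TCP_SERVICES = {"HTTP", "HTTPS", "SSH", "SMTP"}
MAX_GEOIP = 15                                  # documented per-rule limit
SECONDS_PER_UNIT = {"s": 1, "min": 60, "h": 3600, "d": 86400}
MIN_EVENTS_PER_DAY = 5                          # "minimum log limit is 5 packets per day"
REJECT_MODES = {"no", "host_unreach", "tcp_rst", "tcp_reset-both"}


def rate_per_day(rate: str) -> float:
    """Parse a rule_log rate such as "3/h" into events per day."""
    count, sep, unit = rate.partition("/")
    if not sep or not count.isdigit() or unit not in SECONDS_PER_UNIT:
        raise ValueError(f"bad rule_log rate: {rate!r}")
    return int(count) * 86400 / SECONDS_PER_UNIT[unit]


def _tuple(values: Sequence[str]) -> str:
    """One value stays bare; several are written as (a, b, ...)."""
    return values[0] if len(values) == 1 else "(" + ", ".join(values) + ")"


@dataclass
class FirewallRule:                             # hypothetical model, not UPL itself
    action: str                                 # PASS or DENY
    name: str
    enabled: bool = True
    src_zone: Optional[str] = None
    dst_zone: Optional[str] = None
    user: Optional[str] = None                  # "known" or a user name
    service: Sequence[str] = ()
    src_geoip: Sequence[str] = ()               # tuple form for >1 code is an assumption
    dst_geoip: Sequence[str] = ()
    reject_with: Optional[str] = None
    log: Optional[tuple] = None                 # ("session",) or ("yes", "3/h", 5)
    desc: Optional[str] = None

    def validate(self) -> list:
        """Return the documented constraints this rule violates (empty list = ok)."""
        problems = []
        if self.action not in ("PASS", "DENY"):
            problems.append(f"unknown action {self.action!r}")
        if self.reject_with is not None:
            if self.action != "DENY":
                problems.append("reject_with is only available with DENY")
            if self.reject_with not in REJECT_MODES:
                problems.append(f"unknown reject_with {self.reject_with!r}")
            # Assumption: the TCP-service requirement stated for tcp_rst also
            # applies to tcp_reset-both, which sends a reset as well.
            if self.reject_with.startswith("tcp") and (
                not self.service or any(s not in TCP_SERVICES for s in self.service)
            ):
                problems.append("TCP reset requires a TCP-based service")
        for label, codes in (("src.geoip", self.src_geoip), ("dst.geoip", self.dst_geoip)):
            if len(codes) > MAX_GEOIP:
                problems.append(f"{label}: more than {MAX_GEOIP} country codes")
        if self.log and self.log[0] == "yes" and len(self.log) == 3:
            # Assumption: the minimum is read as "at least 5 events per day".
            if rate_per_day(self.log[1]) < MIN_EVENTS_PER_DAY:
                problems.append(f"rule_log rate {self.log[1]!r} is below the minimum")
        return problems

    def to_upl(self) -> str:
        """Render the rule body as UPL, one parameter per continued line."""
        if (problems := self.validate()):
            raise ValueError("; ".join(problems))
        parts = [self.action]
        if self.src_zone:
            parts.append(f"src.zone = {self.src_zone}")
        if self.dst_zone:
            parts.append(f"dst.zone = {self.dst_zone}")
        for key, codes in (("src.geoip", self.src_geoip), ("dst.geoip", self.dst_geoip)):
            if codes:
                parts.append(f"{key} = {_tuple(codes)}")
        if self.user:
            parts.append("user = known" if self.user == "known" else f'user = "{self.user}"')
        if self.service:
            parts.append(f"service = {_tuple(self.service)}")
        if self.reject_with is not None:
            parts.append("reject_with(no)" if self.reject_with == "no"
                         else f'reject_with("{self.reject_with}")')
        if self.log:
            # Rates such as "3/h" are quoted; keywords and counts are bare.
            args = ", ".join(f'"{a}"' if isinstance(a, str) and "/" in a else str(a)
                             for a in self.log)
            parts.append(f"rule_log({args})")
        parts.append(f'name("{self.name}")')
        if self.desc:
            parts.append(f'desc("{self.desc}")')
        parts.append(f"enabled({'true' if self.enabled else 'false'})")
        return " \\\n".join(parts)


if __name__ == "__main__":
    # The rule from the create example on this page.
    rule = FirewallRule("PASS", "Test firewall rule", src_zone="Trusted",
                        dst_zone="Untrusted", user="known", service=("HTTP",),
                        log=("session",))
    print(rule.to_upl())
```

The rendered text is what follows `upl-rule` in the create command; paste each line after the `...` continuation prompt exactly as shown in the example above. Running validate() first keeps mistakes such as a PASS rule with reject_with, or a TCP reset on a non-TCP service, from reaching the node.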