To create a firewall policy, do the following:

1. In the Cloud Services Portal, click Manage > Service Edge > Policies > Firewall Policies.

2. Click Create.

3. On the Add New Firewall Policy dialog > General tab, specify the following:

  • Name: Enter a name for the policy. The name can be up to 64 characters long and can contain numbers, special characters, uppercase and lowercase letters, and spaces, but it must not start or end with a space; leading and trailing spaces are trimmed automatically.
  • Description: Describe the policy. This is optional.
  • Priority: Enter a number from 1 to 65. This is the order in which the system processes the policy: the lower the number, the higher the priority.

To achieve the protection you want for your cloud infrastructure, be sure to assign the correct priority to each firewall policy.

To avoid unexpected behavior, do not create rules that conflict with each other or that share the same priority. For example, if you create a rule that allows access to facebook.com with priority 10, and then a second rule that denies access to facebook.com, also with priority 10, the system processes the two rules in an undefined order.

4. To create a firewall rule, complete the following:

  • Navigate to the Firewall Rules tab > Add Rule drop-down. 
    • Choose one of the following:
      • Block: Choose this to deny access for the configured traffic according to your setting.
      • Allow: Choose this to allow access for the configured traffic according to your settings.
      • Bypass DAF: Choose this to bypass DNS Assured Forwarding (DAF), which would normally block all configured traffic (not only DNS traffic) from accessing destinations that have not been resolved or validated by Infoblox DNS servers. Starting the DAF service on the edge will enable DAF and ensure that BloxOne Threat Defense policies are properly enforced even when DoH (DNS over HTTPS) and DoT (DNS over TLS) come into play. For more information, see DNS Assured Forwarding (DAF).
      • Copy Rule: Copy an existing rule to add it to the respective policy.  
        1. Click Add.
        2. Select or search for the policy that contains the specific rule.
        3. Select the rule and click Add.
        4. Add more rules to the respective policy, or click Save to continue.
    • Depending on the type of rule, specify the following:
      • Expand the Sources section, and choose one of the following:
        • Network: Choose this to add a specific network or network object that you have already configured. Click Add, and choose one of the following from the TYPE drop-down list:
          • ANY: No IP address is specified, so any address or device can be the source.
          • IP: To specify the source, enter a specific IP address in the VALUE field.
          • Address Object Groups: From the VALUE list, select the address object that you have already configured.
        • Tags: Choose this to add tags that you have already configured for BloxOne resources. Supported resources are IP Space, Address Block, Subnet, Range, Fixed Address, and IPv4 Reservation. You can then reference these resources in the rule, in the form of tags or as a direct resource object. For more information, see Managing Tags.
          • Click Add, and specify the following:
          • KEY: From the drop-down menu, choose the configured tag you want to add. All available tags are displayed in the menu.
          • VALUE: Choose the corresponding value from the drop-down menu for the selected tag. All available values are displayed in the menu. To add more tags to the rule, click Add again.
      • Expand the Destination section, and choose one of the following: 
        • Network: Choose this to add a specific network or network object that you have already configured. Click Add, and specify the following:
          • TYPE: Choose one of the following from the drop-down list:
            • ANY: No IP address is specified, so any address or device can be the destination.
            • IP: To specify the destination, enter a specific IP address in the VALUE field.
            • Address Object Groups: From the VALUE list, select the address object that you have already configured. Alternatively, click Search and enter a value to search for a specific address object.
            • FQDN: Select this destination type to configure an FQDN for your firewall rule. For example, select it to allow a user group to access www.facebook.com.
            • Wildcard FQDN: Select this destination type to configure a Wildcard FQDN for your firewall rule. For example, select it to allow a user group to access *.yahoo.com.
        • Websites & Apps: Choose this to add one or more applications to the firewall rule. All available applications are grouped into categories within the AVAILABLE section. Use the arrow key to select a specific application or a category of applications, and move it to the SELECTED section. The configuration of your firewall rule applies to all selected applications.
        • Tags: Choose this to add tags that you have already configured for BloxOne resources. Supported resources are IP Space, Address Block, Subnet, Range, Fixed Address, and IPv4 Reservation. You can then reference these resources in the rule, in the form of tags or as a direct resource object. For more information, see Managing Tags.
          • Click Add, and specify the following:
            • KEY: From the drop-down menu, choose the configured tag you want to add. All available tags are displayed in the menu.
            • VALUE: From the drop-down menu, choose the value that corresponds to the selected tag. All available values are displayed in the menu.
            • To add more tags to the policy, click Add again.

      • Expand the Services section, and do the following: 
        • Expand the Service Objects section, and specify the following:
          • AVAILABLE SERVICE OBJECTS: Select the available service objects that you want to add, and then use the right arrow to move them to the SELECTED SERVICE OBJECTS section. To move all service objects, use the double arrows. To remove a selected service object, click X next to it in the SELECTED SERVICE OBJECTS table. To remove all selected service objects, click the  icon.
        • Expand the Service Parameters section, and do the following:
          • Click Add and do the following:
            • PROTOCOL: Choose one of the following from the drop-down list:
              • TCP: The Transmission Control Protocol complements the Internet Protocol (IP) and provides ordered, error-checked delivery of data between applications on devices that communicate over an IP network. Be sure to select a TCP Flag.
              • UDP: The User Datagram Protocol is an Internet Protocol that provides (1) checksums for data integrity and (2) port numbers for addressing different functions at the source and destination. Be sure to select a UDP Flag.
              • IP: IP (Internet Protocol) is the principal communication protocol that delivers data packets from the source to the destination based solely on the IP addresses in the packet headers.
              • ICMP: Routers and other network devices use the Internet Control Message Protocol to send operational information and error messages that indicate success or failure during communication between devices and IP addresses. Be sure to select an ICMP Flag.
            • SOURCE PORT: Enter a number from 1 to 65535, or type ANY.
            • DESTINATION PORT: Enter a number from 1 to 65535, or type ANY.
            • TCP FLAG: If you choose TCP from the PROTOCOL drop-down list, you must select one of the following flags:
              • NONE: No TCP flag is specified. This includes all outgoing and incoming traffic that uses the TCP protocol for communication.
              • INCOMING: All incoming TCP traffic from the destination port.
              • OUTGOING: All outgoing TCP traffic from the source port.
            • UDP FLAG: If you choose UDP from the PROTOCOL drop-down list, you must select one of the following flags:
              • NONE: No UDP flag is specified. This includes all outgoing and incoming traffic that uses the UDP protocol for communication.
              • INCOMING: All incoming UDP traffic from the destination port.
              • OUTGOING: All outgoing UDP traffic from the source port.
            • ICMP FLAG: If you choose ICMP from the PROTOCOL drop-down list, choose one of the following parameters to specify the type of ICMP traffic you want to track for this firewall rule:
              • NONE: No ICMP flag is specified. This includes all outgoing and incoming traffic that uses the ICMP protocol for communication.
              • INBOUND_TTL: Include incoming traffic that exceeds the TTL (time to live) or has the "time exceeded in transit" message.
              • INBOUND_REDIRECT: Include incoming traffic that has the "out-of-band" message for redirecting traffic to another system.
              • OUTBOUND_PING: Include outgoing ICMP echo requests from the source port.
              • ICMP_INBOUND_ALL: Include all incoming traffic from the destination port.
              • ICMP_OUTBOUND_ALL: Include all outgoing traffic from the source port.
              • ICMP_INBOUND_PING: Include incoming ICMP echo responses from the destination port.
        • Click Expand All to view additional details of the rules and Collapse All to hide them.
        • Click Save.

5. Click Next to move to the Summary tab, and verify that the policy is configured as intended.

6. Click Save & Close.
