To view the details of rules within a firewall policy of an edge, do the following:

1. In the Cloud Services Portal, click Manage > Service Edge > Edges.

2. Click the edge and, in the panel on the right, click the  icon. Note that this panel might already be expanded when you log in.

3. Click the profile link (in blue) to expand the section, and then click the number link next to it. The number is the total number of firewall rules in the policy.

The Firewall Rules dialog opens and displays the following information:

    • NAME: The name of the firewall rule associated with the edge.
    • DIRECTION: The direction of the traffic. The following are the possible values:
      • LAN → WAN: Traffic that goes out of the edge.
      • LAN ← WAN: Traffic that comes in to the edge.
      • LAN ↔ WAN: Bidirectional traffic through the edge.
    • DESTINATIONS: The total number of destinations configured for the firewall rule.
    • SOURCES: The configured source of the firewall rule: NetworkIdentityTags, or None.
    • ACTION: The action specified for this firewall rule:
      • PERMIT: Explicitly allows traffic that matches the rule to pass, and implicitly denies other traffic.
      • DENY: Explicitly blocks traffic that matches the rule.
      • BYPASS DAF: Bypasses DAF (DNS Assured Forwarding). DAF would normally block all configured traffic (not only DNS traffic) from reaching destinations that have not been resolved or validated by Infoblox DNS servers. When you start the DAF service on the edge, DAF is enabled so that BloxOne Threat Defense policies are still enforced when clients use DoH (DNS over HTTPS) or DoT (DNS over TLS). For more information, see DNS Assured Forwarding (DAF).
    • HIT COUNT: The total number of packets that have matched the firewall rule.
    • STATUS: The current status of the firewall rule’s configuration:
      • Not Available: The firewall rule is not available. For example, you might see this status if the firewall rule was added to the policy but was later deleted and no longer exists within the policy.
      • Not Associated to Edge: The firewall rule is not associated with the edge. Because rules are shared among profiles, a rule can belong to a profile that, by its definition, does not apply to this edge.
      • Pending: The rule is being configured. This should take no more than five seconds to complete.
      • Programming Success: The configuration is successful. You see this status when (1) the configuration has been successfully sent from the cloud to the edge and (2) the Service Edge services have been successfully deployed.
      • Programming Failed: The configuration failed. The following are the two possible reasons:
        • One of the modules for programming a firewall is not running properly, or communication between components is broken.
        • The firewall rule has user groups in its source attributes, and registration of those user groups to the edge failed.

        To fix this problem, disable and then enable the BloxOne Service Edge Firewall service on premises. If that does not resolve the problem, disable and then enable all Service Edge services. For more information, see Enabling Services for BloxOne Service Edge.

      • Invalid Direction for Bypass DAF: The action to bypass DAF was configured in the wrong direction. For example, the service parameters within the firewall rule might have been configured for incoming traffic, which is an invalid direction for this action. Make sure that the direction of the PROTOCOL flag matches your intended configuration. For more information on how to configure service parameters, see Creating Firewall Policies.
      • Only FQDN Pending Resolution: The FQDN in the rule is still being resolved. A misspelled domain name, for example, can leave resolution pending.
      • Failed Identity Registration: The specified identity did not resolve to anything meaningful, so the rule cannot be applied. This can occur, for example, if you misspelled the identity.

4. Click Expand All Rows to see more information about each rule:

  • Destinations: The configured destination port. This can be any number from 1 to 65535 (for example, 100), or ANY.
  • Sources: The configured source port. This can be any number from 1 to 65535 (for example, 100), or ANY.
  • Service Objects Groups: The service object groups that were selected for the firewall rule.
  • Service Parameters: The number of service parameters configured in the firewall rule.
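As an added example (not part of this page and not Infoblox tooling), the following Python script takes rows copied out of the Firewall Rules dialog into a small CSV and sorts them by what an operator should do next, using the STATUS, ACTION, DIRECTION and HIT COUNT values described above. The CSV layout, the sample rows, the remediation text and the use of the DIRECTION column as a stand-in for the rule's service-parameter direction are all assumptions of the example.

```python
"""Triage helper for rows of the Firewall Rules dialog.

Added example, not Infoblox code. It assumes the dialog columns have been
copied into a CSV with the headers the dialog shows. The rows below are
constructed for illustration and are not real edge data.
"""
import csv
import io
from dataclasses import dataclass

# Constructed sample export (column names as shown in the dialog).
SAMPLE_EXPORT = """\
NAME,DIRECTION,DESTINATIONS,SOURCES,ACTION,HIT COUNT,STATUS
allow-web,LAN → WAN,3,NetworkIdentityTags,PERMIT,18422,Programming Success
block-smb-in,LAN ← WAN,1,None,DENY,0,Programming Success
daf-bypass-in,LAN ← WAN,2,None,BYPASS DAF,0,Invalid Direction for Bypass DAF
contractors,LAN ↔ WAN,4,NetworkIdentityTags,PERMIT,0,Failed Identity Registration
legacy-rule,LAN → WAN,1,None,DENY,0,Not Available
new-rule,LAN → WAN,1,None,PERMIT,0,Pending
"""

# Status values documented on the page, grouped by what to do next.
HEALTHY = {"Programming Success"}
TRANSIENT = {"Pending", "Only FQDN Pending Resolution"}
NEEDS_ACTION = {
    "Programming Failed": "disable/enable the Service Edge Firewall service, then all Service Edge services",
    "Invalid Direction for Bypass DAF": "check the PROTOCOL flag direction in the rule's service parameters",
    "Failed Identity Registration": "check the spelling of the identity used in the rule's source",
    "Not Available": "rule no longer exists in the policy; remove or re-add it",
    "Not Associated to Edge": "rule belongs to a profile that does not apply to this edge",
}


@dataclass
class Finding:
    rule: str
    severity: str  # "error", "warn" or "info"
    message: str


def parse_rows(text: str) -> list[dict]:
    """Parse the exported dialog columns; HIT COUNT is converted to int."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["HIT COUNT"] = int(row["HIT COUNT"])
    return rows


def triage(rows: list[dict]) -> list[Finding]:
    """Return one Finding per condition worth an operator's attention."""
    findings: list[Finding] = []
    for row in rows:
        name, status = row["NAME"], row["STATUS"]
        if status in NEEDS_ACTION:
            findings.append(Finding(name, "error", f"{status}: {NEEDS_ACTION[status]}"))
        elif status in TRANSIENT:
            findings.append(Finding(name, "info", f"{status}: re-check after a few seconds"))
        elif status not in HEALTHY:
            findings.append(Finding(name, "warn", f"unrecognised status {status!r}"))
        # The page attributes "Invalid Direction for Bypass DAF" to service
        # parameters configured for incoming traffic. Assumption of this
        # example: the DIRECTION column is used as a proxy for that setting,
        # so an inbound BYPASS DAF rule is flagged before the portal does.
        if row["ACTION"] == "BYPASS DAF" and row["DIRECTION"] == "LAN ← WAN":
            findings.append(Finding(name, "warn", "BYPASS DAF configured on inbound direction"))
        # A rule that programmed successfully but never matched a packet may be
        # dead or mis-scoped; worth verifying during a policy review.
        if status in HEALTHY and row["HIT COUNT"] == 0:
            findings.append(Finding(name, "info", "programmed but zero hits; verify scope"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity level."""
    counts = {"error": 0, "warn": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = triage(parse_rows(SAMPLE_EXPORT))
    for f in results:
        print(f"[{f.severity:5}] {f.rule}: {f.message}")
    print(summarize(results))
```

Run it as-is to see the constructed rows classified; in practice the CSV is whatever you copy out of the dialog, and only the NEEDS_ACTION entries should require a visit to the edge services or the rule definition.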