
Configuring Firewall Rules for Firewall Policies

To configure firewall rules for firewall policies, do the following:

  1. In the Firewall Rules tab, select one of the following from the Add Rule drop-down: 

    • Block: Choose this to deny access for the configured traffic according to your settings.

    • Allow: Choose this to allow access for the configured traffic according to your settings.

    • Copy Rule: Copy an existing rule from another policy into this policy.

      1. Click Add

      2. Select or search for the policy that contains the specific rule.

      3. Select the rule and click Add.

      4. Add more rules to the respective policy, or click Save to continue.

  2. Depending on the type of the rule, specify the following:

    1. In the General Settings tab, provide a name in the Rule Name field.

    2. In the Sources tab, do the following:

      1. In the Incoming Interface Label text box, enter a label name. To add more labels, click the Incoming Interface Label link. A label can be associated with more than one interface; the rule is programmed on, and applies to, every interface that carries the label. For example, you can specify a behavior that consists of two rules:

        1. Create an allow rule, and in General Settings, specify “allow lan” in the Rule Name, click Next, type “lan” in the Incoming Interface Label, and then click Finish.

        2. Create a block rule, and in General Settings, specify “block wan” in the Rule Name, click Next, type “wan” in the Incoming Interface Label, and then click Finish.

          If no labels are added at the source or destination level, the rule applies to all interfaces. The default behavior is to block all traffic: with no firewall rule configured, nothing is permitted, so you must add an Allow rule for any traffic you want to pass.

      2. Under the Network option, do the following:

        1. Click Add.

        2. In the Type column, click the Select List pull-down list, and select one of the following:

          1. ANY: No IP address is specified, so any address or device can be the source.

          2. IP: To specify the source, enter a specific IP address in the VALUE field.

          3. Address Object Groups: From the VALUE list, select the address object that you have already configured. Alternatively, click Search and enter a value to search for a specific address object.

      3. Under the User Groups option, add one or more user groups to the firewall rule. All available groups are listed in the AVAILABLE section. Use the arrow key to move a specific group to the SELECTED section. The configuration of your firewall rule will apply to all user groups you select.

      4. Under the Tags option, choose the tags that you have already configured for BloxOne resources. Supported resources are IP Space, Address Block, Subnet, Range, Fixed Address, and IPv4 Reservation. You can then reference these resources in the rule, either by tag or as a direct resource object. For more information, see Managing Tags.

    3. Click Next.

    4. In the Destinations tab, do the following:

      1. In the Outgoing Interface Label text box, enter a label name. To add more labels, click the Outgoing Interface Label link. A label can be associated with more than one interface; the rule is programmed on, and applies to, every interface that carries the label. For example, you can specify a behavior that consists of two rules:

        1. Create an allow rule, and in General Settings, specify “allow lan” in the Rule Name, click Next, type “lan” in the Outgoing Interface Label, and then click Finish.

        2. Create a block rule, and in General Settings, specify “block wan” in the Rule Name, click Next, type “wan” in the Outgoing Interface Label, and then click Finish.
          Another example: suppose you want to allow all traffic towards interfaces labelled WAN. You can specify a behavior that consists of one rule: create an allow rule and, in General Settings, specify “allow wan” in the Rule Name, click Next, type “wan” in the Outgoing Interface Label, and then click Finish.

      2. Under the Network option, do the following:

        1. Click Add.

        2. In the Type column, click the Select List pull-down list, and select one of the following:

          1. ANY: No IP address is specified, so any address or device can be the destination.

          2. IP: To specify the destination, enter a specific IP address in the VALUE field.

          3. Address Object Groups: From the VALUE list, select the address object that you have already configured. Alternatively, click Search and enter a value to search for a specific address object.

          4. FQDN: Select this destination type to configure an FQDN for your firewall rule. For example, select it to allow a user group to access Facebook.

          5. Wildcard FQDN: Select this destination type to configure a Wildcard FQDN for your firewall rule. For example, select it to allow a user group to access *.yahoo.com.

      3. Under the Websites & Apps option, add one or more applications to the firewall rule. All available applications are grouped into categories within the AVAILABLE section. Use the arrow key to select a specific application or a category of applications, and move it to the SELECTED section. The configuration of your firewall rule applies to all selected applications.

      4. Under the Tags option, choose the tags that you have already configured for BloxOne resources. Supported resources are IP Space, Address Block, Subnet, Range, Fixed Address, and IPv4 Reservation. You can then reference these resources in the rule, either by tag or as a direct resource object. For more information, see Managing Tags.

    5. Click Next.

    6. In the Services tab, do the following:

      1. Under the Service Groups option, in the SERVICE GROUPS dialog, add one or more service groups to the firewall rule. All available groups are listed in the AVAILABLE section. Use the arrow key to move a specific group to the SELECTED section. The configuration of your firewall rule will apply to all service groups you select.

      2. Under the Service Parameters option, do the following:

        1. Click Add and specify the following:

          1. PROTOCOL: Choose one of the following from the drop-down list:

            1. TCP: The Transmission Control Protocol complements the Internet Protocol (IP) and provides ordered, error-checked delivery of data among applications on devices that communicate through an IP network. Be sure to select a TCP Flag.

            2. UDP: The User Datagram Protocol is a connectionless transport protocol over IP that provides (1) checksums for data integrity and (2) port numbers for addressing different functions at the source and destination. Be sure to select a UDP Flag.

            3. IP: IP (Internet Protocol) is the principal communication protocol that delivers data packets from the source to the destination based solely on the IP addresses in the packet headers.

            4. ICMP: Routers and other network devices use the Internet Control Message Protocol to send operational information and error messages that indicate success or failure during communication between devices and IP addresses. Be sure to select an ICMP Flag.

          2. SOURCE PORT: Enter a number from 1 to 65535, or type ANY.

          3. DESTINATION PORT: Enter a number from 1 to 65535, or type ANY.

          4. TCP FLAG: If you choose TCP from the PROTOCOL drop-down list, you must select one of the following flags:

            1. NONE: No TCP flag is specified. This includes all outgoing and incoming traffic that uses the TCP protocol for communication.

            2. INCOMING: All incoming TCP traffic from the destination port.

            3. OUTGOING: All outgoing TCP traffic from the source port.

          5. UDP FLAG: If you choose UDP from the PROTOCOL drop-down list, you must select one of the following flags:

            1. NONE: No UDP flag is specified. This includes all outgoing and incoming traffic that uses the UDP protocol for communication.

            2. INCOMING: All incoming UDP traffic from the destination port.

            3. OUTGOING: All outgoing UDP traffic from the source port.

          6. ICMP FLAG: If you choose ICMP from the PROTOCOL drop-down list, choose one of the following parameters to specify the type of ICMP traffic you want to match for this firewall rule:

            1. NONE: No ICMP flag specified. Include all outgoing and incoming traffic that uses the ICMP protocol for communication.

            2. INBOUND_TTL: Include incoming traffic that exceeds the TTL (time to live) or has the "time exceeded in transit" message.

            3. INBOUND_REDIRECT: Include incoming traffic that has the "out-of-band" message for redirecting traffic to another system.

            4. OUTBOUND_PING: Include outgoing ICMP echo requests from the source port.

            5. ICMP_INBOUND_ALL: Include all incoming traffic from the destination port.

            6. ICMP_OUTBOUND_ALL: Include all outgoing traffic from the source port.

            7. ICMP_INBOUND_PING: Include incoming ICMP echo responses from the destination port.

        2. Click Expand All to view additional details of the rules and Collapse All to hide them.

  3. Click Next.

  4. In the Rule Summary tab, review the configuration of the rule(s) you have just created.

  5. Click Save.
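The following Python model is an added example, not BloxOne code from Infoblox, that captures the matching semantics this procedure describes: interface labels (an empty label set means "every interface"), source and destination entries of type ANY, IP/CIDR, FQDN and wildcard FQDN, service parameters (protocol plus source and destination port), and the default behavior of blocking everything that no rule allows. It reproduces the two-rule "allow lan" / "block wan" behavior from the Sources step and adds a destination-side rule that permits only HTTPS to *.yahoo.com. The first-match ordering, the treatment of protocol IP as "any IP traffic", the wildcard-FQDN rule matching subdomains but not the apex, and every address, label and flow are assumptions constructed for this example.

```python
"""Toy evaluator for the firewall-rule semantics described in this
procedure. Added example; NOT BloxOne code. Points marked ASSUMPTION are
not stated by the product documentation."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

ANY = "ANY"


@dataclass(frozen=True)
class Service:
    protocol: str            # "TCP", "UDP", "IP" or "ICMP"
    src_port: object = ANY   # int or ANY
    dst_port: object = ANY


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                               # "Allow" or "Block"
    in_labels: frozenset = frozenset()        # empty = every interface
    out_labels: frozenset = frozenset()
    sources: Tuple[str, ...] = (ANY,)         # ANY, IP or CIDR
    destinations: Tuple[str, ...] = (ANY,)    # ANY, IP, CIDR, FQDN, *.fqdn
    services: Tuple[Service, ...] = (Service("IP"),)  # ASSUMPTION: IP = any


@dataclass(frozen=True)
class Flow:
    """A constructed flow to evaluate (not captured traffic)."""
    in_labels: frozenset
    out_labels: frozenset
    src_ip: str
    dst_ip: str
    protocol: str
    src_port: object = ANY
    dst_port: object = ANY
    dst_fqdn: Optional[str] = None   # name the client resolved, if known


def _labels_match(rule_labels: frozenset, iface_labels: frozenset) -> bool:
    # No labels on the rule means it applies to all interfaces.
    return not rule_labels or bool(rule_labels & iface_labels)


def _entry_match(entry: str, ip: str, fqdn: Optional[str]) -> bool:
    if entry == ANY:
        return True
    if entry.startswith("*."):
        # Wildcard FQDN. ASSUMPTION: subdomains only, never the apex, and
        # never a lookalike such as evil-yahoo.com (the leading dot is kept).
        return fqdn is not None and fqdn.lower().endswith(entry[1:].lower())
    try:
        return ip_address(ip) in ip_network(entry, strict=False)
    except ValueError:      # not an IP/CIDR, so treat it as an exact FQDN
        return fqdn is not None and fqdn.lower() == entry.lower()


def _service_match(svc: Service, flow: Flow) -> bool:
    if svc.protocol == "IP":    # ASSUMPTION: protocol IP covers any IP traffic
        return True
    return (svc.protocol == flow.protocol
            and svc.src_port in (ANY, flow.src_port)
            and svc.dst_port in (ANY, flow.dst_port))


def rule_matches(rule: Rule, flow: Flow) -> bool:
    return (_labels_match(rule.in_labels, flow.in_labels)
            and _labels_match(rule.out_labels, flow.out_labels)
            and any(_entry_match(s, flow.src_ip, None) for s in rule.sources)
            and any(_entry_match(d, flow.dst_ip, flow.dst_fqdn)
                    for d in rule.destinations)
            and any(_service_match(s, flow) for s in rule.services))


def evaluate(policy, flow: Flow):
    """ASSUMPTION: first matching rule wins. No match => Block (default-deny)."""
    for rule in policy:
        if rule_matches(rule, flow):
            return rule.action, rule.name
    return "Block", "default-deny"


# The two-rule behavior from the text, plus a destination-side rule that
# permits only HTTPS to *.yahoo.com from 10.0.0.0/8 toward interfaces labelled "wan".
POLICY = (
    Rule("allow lan", "Allow", in_labels=frozenset({"lan"})),
    Rule("block wan", "Block", in_labels=frozenset({"wan"})),
    Rule("allow https to yahoo", "Allow", out_labels=frozenset({"wan"}),
         sources=("10.0.0.0/8",), destinations=("*.yahoo.com",),
         services=(Service("TCP", ANY, 443),)),
)


def demo():
    """Evaluate constructed TCP flows; returns {name: (action, matched rule)}."""
    def tcp(in_lbl, out_lbl, src, dst, dport, fqdn=None):
        return Flow(frozenset({in_lbl}), frozenset({out_lbl}), src, dst,
                    "TCP", 50000, dport, fqdn)
    flows = {
        "lan->wan": tcp("lan", "wan", "10.1.1.5", "203.0.113.9", 80),
        "wan->lan": tcp("wan", "lan", "203.0.113.9", "10.1.1.5", 22),
        "dmz https sub": tcp("dmz", "wan", "10.2.0.7", "203.0.113.20", 443,
                             "mail.yahoo.com"),
        "dmz https apex": tcp("dmz", "wan", "10.2.0.7", "203.0.113.20", 443,
                              "yahoo.com"),
        "dmz http sub": tcp("dmz", "wan", "10.2.0.7", "203.0.113.20", 80,
                            "mail.yahoo.com"),
    }
    return {name: evaluate(POLICY, fl) for name, fl in flows.items()}


if __name__ == "__main__":
    for name, (action, rule) in demo().items():
        print(f"{name:15s} -> {action} ({rule})")
```

The "dmz" flows show the practical consequence of the default-deny behavior: an interface that carries no label matched by any rule, or a flow to the apex yahoo.com or to port 80, falls through every rule and is blocked without an explicit Block rule, so every permitted path must be named by an Allow rule.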