Add User/Network Rule (IPv4)
This page is used to define access rights and protection for network objects/hosts.
1. Click Firewall and select IPv4 using the filter switch. Now, click on +Add Firewall Rule and select User/Network Rule.
2. Enter rule introduction.
Rule Name
Specify a name to identify the policy.
* Rule Name can only be edited while creating a rule.
Description
Specify a description for the policy.
Rule Position
Specify the position of the rule from the available options.
Available Options:
* Top
* Bottom
* Rule Position can only be specified while creating a rule.
Action
Select action for the rule traffic from the available options:
Accept – Allow access (selection appears in green)
Drop – Silently discard (selection appears in yellow)
Reject – Deny access (selection appears in red)
* “ICMP port unreachable” message is sent to the source
When sending the response, the device may use a different interface than the one on which the request was received. Whether this happens depends on the routing configuration of the device.
For example, if a request is received on the LAN port from a spoofed IP address (a public IP address, or an address that is not in the LAN zone network) and no specific route is defined, the device sends the response to that host using the default route. Hence, the response is sent through the WAN port.
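The routing behaviour described above, as an added example that is not part of the original page or the product's own code: a small Python model of the three actions, using a constructed LAN zone network and routing table, which shows that the ICMP port unreachable sent for a Reject is routed by its destination and therefore leaves through the WAN port when the source address was spoofed and is not in the LAN network.

```python
import ipaddress

# Constructed example data (not taken from the product): the LAN zone network and a
# routing table of (prefix, egress port) entries, with the default route last.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
ROUTES = [
    (LAN_NET, "LAN port"),
    (ipaddress.ip_network("0.0.0.0/0"), "WAN port"),  # default route
]


def egress_port(dst, routes=ROUTES):
    """Longest-prefix route lookup: the port a packet addressed to dst leaves on."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, port in routes:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, port)
    return best[1]


def apply_action(action, src, ingress_port):
    """Model the three rule actions for a packet from src that arrived on ingress_port.

    Returns (forwarded, response). Accept forwards the packet; Drop discards it
    silently; Reject discards it and answers with an ICMP port unreachable that is
    routed like any other packet, which is why a spoofed, non-LAN source address
    receives its reply via the default route (the WAN port) even though the request
    came in on the LAN port.
    """
    if action == "Accept":
        return True, None
    if action == "Drop":
        return False, None
    if action == "Reject":
        via = egress_port(src)
        return False, {
            "icmp": "port unreachable",
            "to": src,
            "via": via,
            "asymmetric": via != ingress_port,  # reply leaves on a different port
        }
    raise ValueError(f"unknown action {action!r}")


if __name__ == "__main__":
    # 203.0.113.5 is a constructed "spoofed public" source seen on the LAN port.
    for src in ("192.168.1.10", "203.0.113.5"):
        print(src, apply_action("Reject", src, "LAN port"))
```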
3. Specify Source details.
Source Zones
Select the source zone(s) allowed to the user.
Source Networks and Devices
Select the source network(s) allowed to the user.
A new network host can be created directly from this page itself or from Objects > Hosts and Services > IP Host page.
During Scheduled Time
Select the schedule allowed to the user.
A new schedule can be created directly from this page itself or from Objects > Policies > Schedule page.
4. Specify Destination & Services details.
Destination Zones
Select the destination zone(s) allowed to the user.
Destination Networks
Select the destination network(s) allowed to the user.
A new network host can be created directly from this page itself or from Objects > Assets > IP Host page.
Services
Select the services(s) allowed to the user.
A new service can be created directly from this page itself or from Objects > Hosts and Services > Services page.
5. Specify Identity details. Follow this step if you want to configure a User Rule.
Match known users
Select to match the rule based on user identity.
Show Captive Portal to unknown users
Select the check box to accept traffic from unknown users. The captive portal page is displayed to the user, who can log in there to access the Internet.
Clear the check box to drop traffic from unknown users.
User or Groups (Applicable only when Match known users is selected)
Select the user(s) or group(s) from the list of available options.
Exclude this user activity from data accounting (Applicable only when Match rule based on user identity is selected)
Select to exclude this user's traffic activity from data accounting.
By default, a user's network traffic is counted in data accounting. Select this option to exclude the traffic allowed through this firewall rule; it will not be counted towards the user's data transfer.
6. Specify Malware Scanning details.
Scan HTTP
Enable HTTP traffic scanning.
Decrypt & Scan HTTPS
Enable HTTPS traffic decryption and scanning.
Detect zero-day threats with Sandstorm
Send files downloaded over HTTP or HTTPS to Sandstorm for analysis. Sandstorm protects your network against unknown and unpublished (“zero-day”) threats.
* This option is available when Scan HTTP or Decrypt & Scan HTTPS option is enabled.
Scan FTP
Enable FTP traffic scanning.
7. Specify Advanced details. (Applicable only when Action for the traffic is Accept)
User Applications
Intrusion Prevention
Select the IPS Policy for the rule. A new IPS Policy can be created directly from this page itself or from Objects > Policies > IPS page.
Traffic Shaping Policy
User's Traffic Shaping policy will be applied automatically.
Web Filter (Applicable only if Match rule based on user identity is 'Disabled')
Select Web Filter Policy for the rule.
It controls access to applications such as IM, P2P and VoIP.
A new Web Filter Policy can be created directly from this page itself or from Objects > Policies > Web Filter Policy page.
Apply Web Category based Traffic Shaping Policy (Applicable only if Match rule based on user identity is 'Disabled')
Click to restrict bandwidth for the URLs categorized under the Web category.
A three step configuration is required as follows:
a. Create a Traffic Shaping policy from Objects > Policies > Traffic Shaping. Here, specify the Policy Association as 'Web Categories'.
b. Now, assign the created policy for Web Filter.
c. Check to enable Apply Web Category based Traffic Shaping Policy.
Application Control (Applicable only if Match rule based on user identity is 'Disabled')
Select Application Filter Policy for the rule. A new Application Filter Policy can be created directly from this page itself or from Objects > Policies > Application Group page.
Apply Application-based Traffic Shaping Policy (Applicable only if Match rule based on user identity is 'Disabled')
Click to restrict bandwidth for the applications categorized under the Application category.
A three step configuration is required as follows:
a. Create a Traffic Shaping policy from Objects > Policies > Traffic Shaping. Here, specify the Policy Association as 'Applications'.
b. Now, assign the created policy for Application Control.
c. Check to enable Apply Application-based Traffic Shaping Policy.
Synchronized Security
Minimum Source HB Permitted
Select a minimum health status that a source device must have to conform to this rule. Health status can be either Green, Yellow or No Restriction. If the health criterion is not met, access and privileges defined in this rule will not be granted to the user.
Block clients with no heartbeat
Heartbeat-capable devices can be required to send information on their health status at defined intervals - this is called a heartbeat.
Based on that information, you can restrict a source device's access to certain services and networks.
Select the option to require the sending of heartbeats.
Minimum Destination HB Permitted
Select a minimum health status that a destination device must have to conform to this rule. Health status can be either Green, Yellow or No Restriction. If the health criterion is not met, access and privileges defined in this rule will not be granted to the user.
Block request to destination with no heartbeat
Heartbeat-capable devices can be required to send information on their health status at defined intervals - this is called a heartbeat.
Based on that information, you can block requests to destinations that are not sending a heartbeat.
Select the option to require the sending of heartbeats.
NAT & Routing
Rewrite source address (Masquerading)
Select to rewrite the source address or specify a NAT policy.
Use Gateway Specific Default NAT Policy (Applicable only if Masquerading is selected and Destination Zone is selected as WAN)
Click to override the default NAT policy with a gateway specific policy.
Override default NAT policy for specific Gateway (Applicable only if Use Gateway Specific Default NAT Policy is selected)
Select to specify a gateway and the corresponding NAT policy. Multiple Gateways and NAT Policies can be added.
Use Outbound Address (Applicable when Rewrite source address is selected)
Select the NAT policy to be applied from the list of available NAT policies.
A new NAT policy can be created directly from this page itself or from Objects > Policies > NAT page.
Default NAT policy is Masquerade.
Primary Gateway
Specify the Primary Gateway. This is applicable only if more than one gateway is defined.
Backup Gateway
Specify the Backup Gateway. This is applicable only if more than one gateway is defined.
DSCP Marking
Select the DSCP Marking.
DSCP (DiffServ Code Point) classifies packet flows as they enter the local network according to their QoS requirements. A flow is defined by five elements: source IP address, destination IP address, source port, destination port and the transport protocol.
For available options, refer to DSCP Values.
8. Define logging option for the user application traffic.
Log Firewall Traffic
Select to log permitted and denied traffic.
9. Click Save to save the settings.