Firewall

Firewall rules implement control over users, applications, and network objects in an organization. Using the firewall rule, you can create blanket or specialized traffic transit rules based on the requirement. The rule table enables centralized management of firewall rules.

Firewall rules

You can update existing firewall rules or add new firewall rules. You can change the rule position of custom firewall rules in the rule table. The firewall evaluates rules from top to bottom.
  • To add a firewall rule, select the protocol IPv4 or IPv6 and click + Add firewall rule. Select User/Network rule or Business application rule.
  • To clone a rule, click and click Clone above or Clone below.
  • To add a new network or business rule from the rule table, click and click the type of rule you want to add.
  • To enable or disable a rule, click and click the switch.
  • To edit or delete a rule, click and select the action.
  • To change the rule position, click and drag the rule handle ().
Table 1. Status of rules
Status Description
Unused Firewall hasn't found traffic that matches the rule during the past 24 hours.
Disabled Disabled manually.
Changed Updated during the past 24 hours.
New Created during the past 24 hours.

You can filter the firewall rules.

  • To filter rules based on the protocol, click IPv4 or IPv6.
  • To set filters, click Enable filter, select the filters and click Apply. To view a specific rule, enter the Rule ID.
  • To reset all the filters, click Reset filter.
  • To close the filter view, click Disable filter.
  • To view the rule details in the rule table, pause over the icons under Features.

Firewall rule groups

You can create firewall rule groups from the rule table and from the rule template. You can add a firewall rule to a rule group or detach it from the group. User, network, and business application rules can be members of a single rule group. You can drag and drop the rule group to change its position.

  • To create a new rule group from the rule table, click next to a rule and click New group. Enter a name and click Move.
  • To add a firewall rule to an existing rule group, click . Under Add to group, select the rule group to move the firewall rule to.
  • To detach a firewall rule from a rule group, click and click Detach.
  • To edit an existing firewall rule group, click , edit the information, and then click Update. You can edit the name, description, rule type, source, or destination zone.
Note Empty rule groups can't exist. When you delete the last rule from a rule group, the firewall deletes the rule group.
Note Rule groups don't determine rule priority. The firewall evaluates rules from top to bottom.

Automatic firewall rule grouping

You can create a firewall group by defining the matching criteria, such as rule type, source, and destination zone.

When you create a firewall rule, select Automatic in Rule group to group the rule based on group matching criteria.
Note XG Firewall doesn’t use group matching criteria to manage network traffic, only to group firewall rules.

Default firewall rules

When you use the Network configuration wizard during first-time deployment, XG Firewall creates a default network firewall rule (Default Network Rule).

Note Review rule positions after a firewall rule is created automatically or manually to make sure the intended rule matches traffic criteria.

Automatically created firewall rules, such as those for the email MTA, IPsec connections, and hotspots, are placed at the top of the rule table and are therefore evaluated first. If you later create a firewall rule manually with Rule position set to Top, or another rule is created automatically, it is also placed at the top of the rule table, which shifts the positions of the existing rules. When the matching criteria of the new rule overlap those of an existing rule, the policies and actions of the new rule apply to the overlapping traffic, which can lead to unplanned outcomes, such as mail delivery failing or tunnels not being established.
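As an added example (not XG Firewall's own code) of why rule positions need review after a rule lands at the top of the table: a small Python model of top-to-bottom, first-match evaluation over a constructed rule table, which also reports rules whose traffic is entirely covered by a rule above them. Zone and service names are constructed for illustration.

```python
# Added example (not XG Firewall code): a model of top-to-bottom, first-match
# rule evaluation that flags rules shadowed by a rule placed above them.
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "Any"  # wildcard criterion, as in the rule table


@dataclass(frozen=True)
class Rule:
    rule_id: int
    name: str
    src_zone: str   # e.g. "WAN", "LAN", "DMZ" or ANY
    dst_zone: str
    service: str    # e.g. "SMTP" or ANY
    action: str     # "Accept", "Drop" or "Reject"

    def criteria(self) -> Tuple[str, str, str]:
        return (self.src_zone, self.dst_zone, self.service)


def matches(rule: Rule, src_zone: str, dst_zone: str, service: str) -> bool:
    """A criterion matches when it is Any or equals the flow's value."""
    flow = (src_zone, dst_zone, service)
    return all(want in (ANY, have) for want, have in zip(rule.criteria(), flow))


def first_match(rules: List[Rule], src_zone: str, dst_zone: str, service: str) -> Optional[Rule]:
    """Evaluate top to bottom; the first matching rule decides the action."""
    for rule in rules:
        if matches(rule, src_zone, dst_zone, service):
            return rule
    return None


def covers(upper: Rule, lower: Rule) -> bool:
    """True if every flow matched by lower is also matched by upper."""
    return all(u in (ANY, l) for u, l in zip(upper.criteria(), lower.criteria()))


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """IDs of rules that can never match because an earlier rule covers them."""
    return [lower.rule_id for i, lower in enumerate(rules)
            if any(covers(upper, lower) for upper in rules[:i])]


def add_at_top(rules: List[Rule], rule: Rule) -> List[Rule]:
    """Insert with Rule position set to Top; existing rules shift down."""
    return [rule] + rules


# Constructed rule table: automatically created rules sit at the top.
AUTO_RULES = [
    Rule(1, "MTA inbound mail", "WAN", "DMZ", "SMTP", "Accept"),
    Rule(2, "IPsec site-to-site", "VPN", "LAN", ANY, "Accept"),
    Rule(3, "LAN to WAN", "LAN", "WAN", ANY, "Accept"),
]
# A manual rule added later with Rule position = Top that overlaps rule 1.
BLOCK_WAN_TO_DMZ = Rule(4, "Block WAN to DMZ", "WAN", "DMZ", ANY, "Drop")
```

Running `shadowed_rules(add_at_top(AUTO_RULES, BLOCK_WAN_TO_DMZ))` reports rule 1, the mail rule whose SMTP traffic the new Drop rule now takes first.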

Default firewall groups

When you use the Network configuration wizard during first-time deployment, XG Firewall creates these default firewall rule groups with a disabled firewall rule:

Traffic to DMZ: Inbound traffic is routed to DMZ. If you’ve specified Automatic in Rule group, firewall rules with destination zone set to DMZ are automatically added to this group based on the group matching criteria.

Traffic to WAN: Outbound traffic is routed to WAN. If you’ve specified Automatic in Rule group, firewall rules with destination zone set to WAN are automatically added to this group based on the group matching criteria.

Traffic to Internal Zones: Traffic is routed to LAN, Wi-Fi, VPN, or DMZ. If you’ve specified Automatic in Rule group, firewall rules with destination zone set to LAN, Wi-Fi, VPN, or DMZ are automatically added to this group based on the group matching criteria.
Note By default, Rule type, Source zone, and Destination zone are set to “Any”.
Note XG Firewall can’t have empty firewall rule groups. Hence, a disabled firewall rule exists in each default rule group. It doesn't impact traffic, since it is disabled. However, you can enable, modify, or delete it.

Understanding the list of firewall rules

All added rules are available in the form of a list. Each rule in the list presents a quick snapshot of the rule. Which items are available in the collapsed or expanded view is shown below.

Items in collapsed view:
  • ID: ID of the rule
  • Name: Name of the rule
  • In/Out: Amount of traffic (in bytes) coming in or going out using the particular rule
  • Source: Source zone
  • Destination: Destination zone
  • What: Shows protected domains/services
  • Action: Status of protected servers, status of web, and application protection for user
  • Features: Status of schedule, heartbeat, IPS, and traffic shaping

To view the rule details, pause over Features.

Understanding icons

Icons Meaning
Business application rule is enabled.
Business application rule is disabled.
User rule is disabled and action is Accept.
User rule is disabled and action is Drop or Reject.
User rule is enabled and action is Drop or Reject.
User rule is enabled.
Network rule is enabled.
Network rule is disabled and action is Accept.
Network rule is disabled and action is Drop or Reject.
Network rule is enabled and action is Drop or Reject.
Antivirus scanning is disabled.
Antivirus scanning is enabled.
Application control is disabled.
Application control is Accept.
Application control is Reject.
Application control is Drop.
Security Heartbeat™ is disabled or there is no restriction.
Security Heartbeat™ is enabled and is green.
Security Heartbeat™ is enabled and is yellow.
Security Heartbeat™: No restriction and no heartbeat.
Security Heartbeat™: No restriction and is green.
Security Heartbeat™: No restriction and is yellow.
Intrusion prevention is disabled.
Intrusion prevention is enabled.
NAT is disabled.
NAT is enabled.
Traffic shaping policy is disabled.
Traffic shaping policy is enabled.
Web policy is disabled.
Web policy is allowed.
Web policy is denied.
Web policy is dropped.
Routing is enabled.
Routing is disabled.
Firewall rule is enabled. Click to disable the rule.
Firewall rule is disabled. Click to enable the rule.
Expand the rule for more information.
Collapse a rule.
Edit a rule or group.
Delete a rule (not applicable for default rules).
Drag a rule to re-arrange its order.
Color Codes
Red Rejected or dropped.
Green Accepted or allowed.
Yellow Dropped (related to policies).
Blue On or enabled.
Gray Off or disabled.
Click for the following options to appear:
  • On
  • Off
  • Edit: Edits a firewall rule
  • Clone above
  • Clone below
  • Add a network rule before this
  • Add a business rule before this
  • Add a network rule after this
  • Add a business rule after this
  • Add to group: Lists existing groups. You can add a firewall rule to a new or existing group. You can also delete a group from the list.
    • New group: Creates a firewall group with name, description, rule type, source, and destination zone. You can add existing firewall rules to the group.
  • Detach: Detaches a firewall rule from a group.
  • Delete