Add user/network rule (IPv4)

This page allows you to create firewall rules to control traffic that uses the IPv4 protocol. The firewall rules control traffic between internal and external networks and protect the network from unauthorized access. The device selects the rule to apply based on the source and destination zones you configure in the firewall rule; rules are evaluated from the top of the rule table down, and the first rule whose criteria match the traffic applies. Use this page to create identity-based firewall rules by applying them to users.

  1. Go to Firewall and click + Add firewall rule > User/Network rule.
  2. Enter the rule introduction details.

    Rule name

    Enter a name for the rule.

    Description

    Enter a description for the rule.

    Rule position

    Specify the position of the rule in the rule table. Available options:

    • Top
    • Bottom

    Rule group

    Specify the rule group to add the firewall rule to. You can also create a new rule group by using Create new from the list.

    If you select Automatic, the firewall rule will be added to an existing group based on first match with rule type and source-destination zones.

    Action

    Specify an action for the rule traffic from the available options:

    • Accept: Allow access
    • Drop: Silently discard

      Currently, if you set Prompt unauthenticated users to sign in (Authentication > Services) to Yes, XG Firewall shows a block page rather than dropping web traffic silently. This behavior applies to traffic from all zones.

    • Reject: Deny access and notify the source. For UDP and ICMP traffic an ICMP port unreachable message is sent to the source; for TCP traffic a TCP reset is sent.

    Responses may leave through an interface other than the one that received the request, depending on the routing configuration.

    Example: If a request arrives on the LAN port with a spoofed source IP address (a public IP address, or an address that is not in the LAN zone's network) and no specific route exists for that address, the firewall sends the response via the default route, that is, out of the WAN port.

    Note Review rule positions after a firewall rule is created, automatically or manually, to make sure the intended rule is the one that matches the traffic.

    Automatically created firewall rules, such as those for email MTA, IPsec connections, and hotspots, are placed at the top of the firewall rule list and are evaluated first. If you later create a firewall rule manually with Rule position set to Top, or another rule is created automatically, it is placed above the existing rules, changing their positions. When the matching criteria of the new rule overlap with those of an existing rule, the policies and action of the new rule apply, which can lead to unplanned outcomes such as failed mail delivery or tunnels not being established.

  3. Enter the source details.

    Source zones

    Select the source zones the rule applies to.

    A new zone can be created directly from this page or from the Network > Zones page.

    Source networks and devices

    Select the source networks and devices the rule applies to.

    A new network host can be created directly from this page or from Hosts and services.

    During scheduled time

    Select the schedule during which the rule is active.

    A new schedule can be created directly from this page or from the Profiles > Schedule page.

  4. Enter the destination and services details.

    Destination zones

    Select the destination zones the rule applies to.

    Destination networks

    Select the destination networks the rule applies to.

    A new network host can be created directly from this page or from Hosts and services.

    Services

    Select the services (protocol and port definitions) the rule applies to.

    A new service can be created directly from this page or from the Hosts and services > Services page.

  5. Enter identity details. Follow this step if you want to configure a user rule.

    Match known users

    Select to enable a rule based on the user identity.

    Show captive portal to unknown users (only available if Match known users is selected)

    Select the check box to accept traffic from unknown users. The captive portal page is displayed to the user, who can sign in there to access the internet.

    Clear the check box to drop traffic from unknown users.

    User or groups (only available if Match known users is selected)

    Select the user(s) or group(s) from the list of available options.

    Exclude this user activity from data accounting (only available if Match known users is selected)

    If you select this, traffic allowed through this rule won't count towards data transfer accounting for the user.

    By default, a user's network traffic counts towards their data transfer.

  6. Enter web malware and content scanning details (available only if Action selected for the traffic is Accept).

    Scan HTTP

    Enable HTTP traffic scanning.

    Decrypt & scan HTTPS

    Enable HTTPS traffic decryption and scanning.

    Block Google QUIC (QUIC UDP Internet Connections)

    Block QUIC protocol (UDP) traffic to Google services. With QUIC blocked, QUIC-capable clients such as Chrome fall back to HTTPS over TCP, which the HTTPS decryption and scanning setting above can inspect; QUIC traffic itself bypasses that scanning.

    Detect zero-day threats with Sandstorm

    Send files downloaded using HTTP or HTTPS for analysis by Sandstorm. Sandstorm protects your network against unknown and unpublished threats (“zero-day” threats).

    Scan FTP

    Enable FTP traffic scanning.

  7. Enter advanced settings details (available only if Action selected for the traffic is Accept).

    Intrusion prevention

    Select an IPS policy for the rule. A new IPS policy can be created directly from this page or from the Intrusion prevention > IPS policies page.

    Traffic shaping policy

    A user’s traffic shaping policy will be applied automatically if Match known users is selected.

    You need to select a traffic shaping policy or create a new one for the rule if Match known users is not selected.

    You can create a new policy from Create new > Add traffic shaping (QoS) policy. You can specify the policy association and assign the policy to either Web categories or Applications as applicable.

    Web policy

    Select a web policy for the rule.

    A new web policy can be created directly from this page or from the Web > Policies page.

    Apply web category based traffic shaping policy

    Select to restrict bandwidth for URLs according to the traffic shaping policy assigned to their web category.

    Application control

    Select an application filter policy for the rule. A new application filter policy can be created directly from this page or from the Applications > Application filter page.

    Apply an application-based traffic shaping policy

    Select to restrict bandwidth for applications according to the traffic shaping policy assigned to their application category.

    Minimum source heartbeat permitted

    Select the minimum health status a source device must report to match this rule. The options are Green, Yellow, or No restriction. If the health criterion is not met, the access and privileges defined in this rule are not granted to the user.

    Block clients with no heartbeat

    Heartbeat-capable devices can be required to send information on their health status in defined intervals. This is called a heartbeat.

    Based on that information, you can restrict a source device’s access to certain services and networks.

    Enable/disable the option to require the sending of heartbeats.

    Minimum destination heartbeat permitted (not available if the only Destination zone selected is WAN)

    Select the minimum health status a destination device must report to match this rule. The options are Green, Yellow, or No restriction. If the health criterion is not met, the access and privileges defined in this rule are not granted to the user.

    Note You can use this option if you have selected multiple zones along with WAN.

    Block request to destination with no heartbeat (not available if the only Destination zone selected is WAN)

    Heartbeat-capable devices can be required to send information on their health status at defined intervals. This is called a heartbeat.

    Based on that information, you can block requests to destinations that do not send a heartbeat.

    Enable/disable the option to require the sending of heartbeats.

    Note You can use this option if you have selected multiple zones along with WAN.

    Rewrite source address (Masquerading)

    Select if you want to rewrite the source address or specify a NAT policy.

    Default: Disabled

    Use gateway specific default NAT policy (available only if Masquerading is selected)

    Select to override the default NAT policy with a gateway specific policy.

    Override default NAT policy for specific gateway (available only if Use gateway specific default NAT policy is selected)

    Select to specify gateway and corresponding NAT policy. Multiple gateways and NAT policies can be added.

    Use outbound address (available only if Rewrite source address is selected)

    Select the NAT policy to be applied from the list of available NAT policies.

    A new NAT policy can be created directly from this page or from the Profiles > Network address translation page.

    Default: MASQ.MASQ (Interface default IP)

    • When a single destination zone is selected, the IP address of that zone's interface, as configured in Network > Interfaces, is displayed instead of (Interface default IP).
    • When multiple destination zones are selected, (Interface default IP) is displayed.

    Primary gateway

    Specify the primary gateway or add a gateway host from this page itself. This is applicable only if more than one gateway is defined.

    Note If the gateway is deleted, Primary gateway displays WAN link load balance for the WAN destination zone and None for other zones. In that case, the firewall rule does not make routing decisions.

    Backup gateway

    Specify the backup gateway. This is applicable only if more than one gateway is defined.

    Note If the gateway is deleted, Backup gateway displays None.

    DSCP marking

    DSCP (DiffServ Code Point) marks flows of packets as they enter the local network so that they can be classified for QoS. A flow is identified by five elements: source IP address, destination IP address, source port, destination port, and transport protocol.

  8. Define logging option for the user application traffic.

    Log firewall traffic

    Select to enable logging of permitted and denied traffic.

    Note Sessions are logged when the connection is terminated and a connection "Destroy" event is received. If a connection ends without XG Firewall seeing a "Destroy" event, for example because the internet connection was lost, that connection does not appear in the log viewer.

  9. Click Save.
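The rule-position note in step 2, the identity settings in step 5, and the DSCP marking in step 7 describe behaviour that is easiest to check in a small model. The following Python is an added example written for this page; it is not Sophos code and does not reproduce XG Firewall's internals. It models the rule table as a first-match list, shows a rule added at Top shadowing an automatically created MTA rule so that inbound SMTP is dropped (the mail-delivery failure the note warns about), shows how Match known users and Show captive portal to unknown users decide the fate of unauthenticated traffic, and derives the TOS byte that a DSCP value occupies. The rule names, zones, flows and addresses are constructed; the default-drop handling of traffic that matches no rule and the treatment of a known user outside a rule's user list are assumptions, marked as such in the code.

```python
# Added example (not Sophos code): a first-match model of the rule table this page
# configures.  Rule and zone names, the MTA rule standing in for an automatically
# created one, and the flows are constructed for illustration.
from dataclasses import dataclass
from typing import Optional

ANY = "Any"

@dataclass(frozen=True)
class Flow:
    """One connection: the 5-tuple that DSCP marking applies to, plus zones and user."""
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int
    user: Optional[str] = None      # None models an unauthenticated (unknown) user

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                     # "Accept", "Drop" or "Reject"
    src_zones: frozenset
    dst_zones: frozenset
    services: frozenset             # "tcp/25" style entries; ANY matches every service
    match_known_users: bool = False
    captive_portal: bool = False    # "Show captive portal to unknown users"
    users: frozenset = frozenset()  # assumption: empty means any known user
    dscp: Optional[int] = None      # 0..63, written into the IP header on Accept

def _covers(wanted, have):
    """True if everything matched by the set `wanted` is also matched by `have`."""
    return ANY in have or (ANY not in wanted and wanted <= have)

def matches(rule, flow):
    """Zone and service criteria only; identity is checked separately in evaluate()."""
    svc = f"{flow.proto}/{flow.dst_port}"
    return (_covers({flow.src_zone}, rule.src_zones)
            and _covers({flow.dst_zone}, rule.dst_zones)
            and _covers({svc}, rule.services))

def evaluate(rules, flow):
    """Walk the table top-down; the first rule whose criteria match decides.

    Returns (verdict, rule name, TOS byte or None).  The TOS byte is the DSCP
    value shifted into the top six bits, e.g. DSCP 46 (EF) -> 0xB8."""
    for rule in rules:
        if not matches(rule, flow):
            continue
        if rule.match_known_users:
            if flow.user is None:
                verdict = "CaptivePortal" if rule.captive_portal else "Drop"
                return (verdict, rule.name, None)
            if rule.users and flow.user not in rule.users:
                continue   # assumption: a known user outside the rule's list falls through
        tos = (rule.dscp << 2) if rule.action == "Accept" and rule.dscp is not None else None
        return (rule.action, rule.name, tos)
    return ("Drop", "default", None)   # assumption: traffic matching no rule is dropped

def shadowed_rules(rules):
    """The check the rule-position note asks for: report each rule that can never
    match because an earlier rule with no identity restriction covers all of its
    zones and services.  Returns [(shadowed rule, rule that shadows it), ...]."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (not earlier.match_known_users
                    and _covers(later.src_zones, earlier.src_zones)
                    and _covers(later.dst_zones, earlier.dst_zones)
                    and _covers(later.services, earlier.services)):
                found.append((later.name, earlier.name))
                break
    return found

# Constructed rule table.
MTA_RULE = Rule("Auto: MTA SMTP", "Accept",
                frozenset({"WAN"}), frozenset({"LAN"}), frozenset({"tcp/25"}))
USER_RULE = Rule("LAN users to WAN", "Accept",
                 frozenset({"LAN"}), frozenset({"WAN"}), frozenset({ANY}),
                 match_known_users=True, captive_portal=True, dscp=46)
BLOCK_WAN = Rule("Block inbound from WAN", "Drop",
                 frozenset({"WAN"}), frozenset({ANY}), frozenset({ANY}))

BEFORE = [MTA_RULE, USER_RULE]            # MTA rule at top, as created automatically
AFTER = [BLOCK_WAN, MTA_RULE, USER_RULE]  # a rule later added with Rule position = Top

# Constructed flows (RFC 5737 documentation addresses).
SMTP_IN = Flow("WAN", "LAN", "203.0.113.10", "192.0.2.25", "tcp", 51000, 25)
WEB_OUT_UNKNOWN = Flow("LAN", "WAN", "192.0.2.50", "198.51.100.7", "tcp", 52000, 443)
WEB_OUT_ALICE = Flow("LAN", "WAN", "192.0.2.51", "198.51.100.7", "tcp", 52001, 443, user="alice")

if __name__ == "__main__":
    print(evaluate(BEFORE, SMTP_IN))          # ('Accept', 'Auto: MTA SMTP', None)
    print(evaluate(AFTER, SMTP_IN))           # ('Drop', 'Block inbound from WAN', None)
    print(shadowed_rules(AFTER))              # [('Auto: MTA SMTP', 'Block inbound from WAN')]
    print(evaluate(BEFORE, WEB_OUT_UNKNOWN))  # ('CaptivePortal', 'LAN users to WAN', None)
    print(evaluate(BEFORE, WEB_OUT_ALICE))    # ('Accept', 'LAN users to WAN', 184)
```

Run shadowed_rules() over the intended rule order before and after adding a rule at Top: a non-empty result names exactly the pair the note warns about, and the shadowed rule should either be moved above the new rule or the new rule's zones and services narrowed.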