Add user/network rule (IPv6)

This page allows you to create firewall rules to control traffic that uses the IPv6 protocol. The firewall rules control traffic between internal and external networks and protect the network from unauthorized access. The device determines the rule to be applied based on the source and destination zone you configure in the firewall rule. Use this page to create identity-based firewall rules by applying them to users.

  1. Go to Firewall and select IPv6, using the filter switch.
  2. Click + Add firewall rule > User/Network rule.
  3. Specify the policy introduction details.
    Rule name
    Enter a name for the rule.
    Description
    Specify a description for the rule.
    Rule position
    Specify the position of the rule from the available options.
    Available options:
    • Top
    • Bottom
    Rule group
    Specify the rule group to add the firewall rule to. You can also create a new rule group by using Create new from the list.
    If you select Automatic, the firewall rule will be added to an existing group based on first match with rule type and source-destination zones.
    Action
    Specify an action for the rule traffic from the available options:
    • Accept: Allow access
    • Drop: Silently discard

      Currently, if you set Prompt unauthenticated users to sign in (Authentication > Services) to Yes, XG Firewall shows a block page rather than dropping web traffic silently. This behavior applies to traffic from all zones.

    • Reject: Deny access (“ICMP port unreachable” message is sent to the source)

    Depending on the routing configuration, responses may be sent over an interface other than the one that received the request.

    Example: If a request is received on the LAN port using a spoofed IP address (a public IP address or an IP address not in the LAN zone network) and no specific route is defined, the firewall sends the response to the host using the default route, that is, the WAN port.

  4. Specify source details.
    Source zones
    Select the source zones allowed to the user.
    Source networks and devices
    Select the source networks/devices allowed to the user.
    A new network host can be created directly from this page itself by clicking Create new or from Hosts and services.
    During scheduled time
    Select the schedule allowed to the user.
    A new schedule can be created directly from this page itself or from the Profiles > Schedule page.
  5. Specify destination and services details.
    Destination zones
    Select the destination zones allowed to the user.
    Destination networks
    Select the destination networks allowed to the user.
    A new network host can be created directly from this page itself by clicking Create new or from Hosts and services.
    Services
    Select the service(s) allowed to the user.
    A new service can be created directly from this page itself or from the Hosts and services > Services page.
  6. Specify identity details.
    Match known users
    Select to enable a rule based on the user identity.
    Show captive portal to unknown users
    Select the check box to accept traffic from unknown users. The captive portal page is displayed to the user, who can sign in there to access the internet.
    Clear the check box to drop traffic from unknown users.
    User or groups (only available if Match known users is selected)
    Select the user(s) or group(s) from the list of available options.
    Exclude this user activity from data accounting (only available if Match known users is selected)
    Select to exclude the user's traffic matched by this rule from data accounting.
    By default, a user's network traffic is counted in data accounting. Select this option to exclude the traffic matched by this rule; traffic allowed through this rule will not count towards the user's data transfer.
  7. Specify web malware and content scanning details (only available if Action for the traffic is Accept).
    Scan HTTP
    Enable HTTP traffic scanning.
    Decrypt & scan HTTPS
    Enable HTTPS traffic decryption and scanning.
    Block Google QUIC (Quick UDP Internet Connections)
    Disable QUIC protocol (UDP) traffic for Google services.
    Detect zero-day threats with Sandstorm
    Send files downloaded using HTTP or HTTPS for analysis by Sandstorm. Sandstorm protects your network against unknown and unpublished threats (“zero-day” threats).
  8. Specify advanced settings details (only available if Action for the traffic is Accept).
    1. Specify policies for user applications.
      Intrusion prevention (IPS)
      Select an IPS policy for the rule. A new IPS policy can be created directly from this page itself or from Intrusion prevention > IPS policies page.
      Traffic shaping policy
      If Match known users is selected, the user's traffic shaping policy is applied automatically.
      If Match known users is not selected, select a traffic shaping policy for the rule or create a new one.
      You can create a new policy from Create new > Add traffic shaping (QoS) policy. You can specify the policy association and assign the policy to either Web categories or Applications as applicable.
      Web policy
      Select a web policy for the rule.
      A new web policy can be created directly from this page itself or from the Web > Policies page.
      Apply web category based traffic shaping policy
      Click to restrict bandwidth for the URLs categorized under the web category.
      Application control
      Select an application filter policy for the rule. A new application filter policy can be created directly from this page itself or from the Applications > Application filter page.
      Apply application-based traffic shaping policy
      Click to restrict bandwidth for the applications categorized under the application category.
    2. Specify routing details.
      Rewrite source address (Masquerading)
      Disable this option if you do not want to rewrite the source address; otherwise, specify a NAT policy.
      Default: Enabled
      Use gateway specific default NAT policy (only if Masquerading is selected)
      Click to override the default NAT policy with a gateway specific policy.
      Override default NAT policy for specific gateway (only if Use gateway specific default NAT policy is selected)
      Enable to specify gateway and corresponding NAT policy. Multiple gateways and NAT policies can be added.
      Use outbound address (only if Rewrite source address is selected)
      Select the NAT policy to be applied from the list of available NAT policies.
      A new NAT policy can be created directly from this page itself or from the Profiles > Network address translation page.
      Default: MASQ.
      MASQ (Interface default IP)
      • When a single destination zone is selected, the IP address of that zone's interface as configured in Network > Interfaces is displayed instead of (Interface default IP).
      • When multiple destination zones are selected, (Interface default IP) is displayed.
      Primary gateway
      Specify the primary gateway. This is applicable only if more than one gateway is defined.
      Note: If the gateway is deleted, Primary gateway displays WAN link load balance for the WAN destination zone and None for other zones. In that case, the firewall rule does not make routing decisions.
      Backup gateway
      Specify the backup gateway. This is applicable only if more than one gateway is defined.
      Note: If the gateway is deleted, Backup gateway displays None.
      DSCP marking
      Select the DSCP marking.
      DSCP (DiffServ Code Point) marks flows of packets as they enter the local network according to their QoS class. A flow is defined by five elements: source IP address, destination IP address, source port, destination port, and transport protocol.
  9. Specify the logging option for the user application traffic.
    Log firewall traffic
    Click to enable logging of permitted and denied traffic.
  10. Click Save.
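The following Python model is an added illustration, not XG Firewall's own code or configuration, of how a list of such rules is evaluated: the source zone comes from the ingress interface, the destination zone from a route lookup (an address with no specific route falls to the default route, as in the spoofed-address example above), rules are matched first-match in order with Top/Bottom positioning, and an unknown user either gets the captive portal or is dropped. The zone prefixes, rule names and service labels are constructed; the implicit deny when no rule matches is an assumption.

```python
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network

# Constructed routing table (prefix -> zone); ::/0 is the default route to WAN, as on the page.
ROUTES = {IPv6Network("2001:db8:1::/64"): "LAN",
          IPv6Network("2001:db8:2::/64"): "DMZ",
          IPv6Network("::/0"): "WAN"}

def destination_zone(dst):
    """Longest-prefix match; an address outside every specific prefix falls to the default route."""
    best = max((n for n in ROUTES if IPv6Address(dst) in n), key=lambda n: n.prefixlen)
    return ROUTES[best]

@dataclass
class Rule:
    name: str
    src_zones: set           # source zones (step 4)
    src_nets: set            # IPv6Network objects; empty = any source network
    dst_zones: set           # destination zones (step 5)
    services: set            # e.g. {"tcp/443"}; empty = any service
    action: str              # "Accept", "Drop" or "Reject" (step 3)
    match_known_users: bool = False   # identity settings (step 6)
    captive_portal: bool = False

def add_rule(rules, rule, position="Bottom"):
    """Rule position Top inserts at the head of the list, Bottom appends (step 3)."""
    rules.insert(0, rule) if position == "Top" else rules.append(rule)
    return rules

def evaluate(rules, src_zone, src, dst, service, user=None):
    """First-match evaluation. src_zone is the zone of the ingress interface."""
    dst_zone = destination_zone(dst)
    for r in rules:
        if src_zone not in r.src_zones or dst_zone not in r.dst_zones:
            continue
        if r.src_nets and not any(IPv6Address(src) in n for n in r.src_nets):
            continue
        if r.services and service not in r.services:
            continue
        if r.match_known_users and user is None:
            # Unknown user: captive portal if enabled, otherwise the traffic is dropped (step 6)
            return r.name, ("CaptivePortal" if r.captive_portal else "Drop")
        return r.name, r.action
    return None, "Drop"      # no rule matched: assumed implicit deny (not stated on the page)

def example_rules():
    rules = add_rule([], Rule("lan-web-out", {"LAN"}, {IPv6Network("2001:db8:1::/64")}, {"WAN"},
                              {"tcp/80", "tcp/443"}, "Accept", match_known_users=True, captive_portal=True))
    # A rule added later with position Top is evaluated before the earlier one
    return add_rule(rules, Rule("reject-telnet", {"LAN"}, set(), {"WAN"}, {"tcp/23"}, "Reject"), position="Top")
```

A packet from a LAN-zone interface whose source address lies outside the LAN prefix matches neither rule and is dropped, which mirrors the spoofed-address case discussed under Reject.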