Operation: Add firewall rule / Edit firewall rule
Description: Create or edit firewall rule. 

Sample Configuration
<FirewallRule> <Name>rulename</Name> <Description>rule description</Description> <Status>Disable/Enable</Status> <IPFamily>IPv4/IPv6</IPFamily> <Position>top/bottom/after/before</Position> <!-- After and Before Tag Apply only for Set Request --> <After> <Name>Policy name after which Policy Inserted </Name> </After> <Before> <Name>Policy name before which Policy Inserted </Name> </Before> <PolicyType>User/Network/HTTPBased</PolicyType> <!-- User based Policy Start--> <UserPolicy> <Action>Accept/Reject/Drop</Action> <LogTraffic>Enable/Disable</LogTraffic> <SkipLocalDestined>Enable/Disable</SkipLocalDestined> <SourceZones> <Zone>Any/LAN/DMZ/VPN/WAN</Zone> <Zone>Any/LAN/DMZ/VPN/WAN</Zone> </SourceZones> <SourceNetworks> <Network>Source Network</Network> <Network>Source Network</Network> : </SourceNetworks> <Services> <Service>servicename</Service> : </Services> <Schedule>All The Time</Schedule> <DestinationZones> <Zone>Any/WAN/LAN/LOCAL/VPN</Zone> <Zone>Any/WAN/LAN/LOCAL/VPN</Zone> </DestinationZones> <DestinationNetworks> <Network>Destinaiton Network</Network> <Network>Destinaiton Network</Network> : </DestinationNetworks> <Exclusions> <SourceZones> <Zone>WAN/LAN/LOCAL/VPN</Zone> <Zone>WAN/LAN/LOCAL/VPN</Zone> : </SourceZones> <DestinationZones> <Zone>WAN/LAN/LOCAL/VPN</Zone> <Zone>WAN/LAN/LOCAL/VPN</Zone> : </DestinationZones> <SourceNetworks> <Network>Source Network</Network> <Network>Source Network</Network> : </SourceNetworks> <Services> <Service>servicename</Service> : </Services> <DestinationNetworks> <Network>Destinaiton Network</Network> <Network>Destinaiton Network</Network> : </DestinationNetworks> </Exclusions> <!-- User based policy --> <MatchIdentity>Enable/Disable</MatchIdentity> <ShowCaptivePortal>Enable/Disable</ShowCaptivePortal> <Identity> <Member>users/groups</Member> : </Identity> <DataAccounting>Include/Exclude</DataAccounting> <!-- WebFiltering --> <WebFilter>Allow All</WebFilter> <WebCategoryBaseQoSPolicy>Apply/Revoke</WebCategoryBaseQoSPolicy><!-- this tag is only appliacable only when any WebFilter is selected. --> <BlockQuickQuic>Enable/Disable</BlockQuickQuic> <ScanVirus>Enable/Disable</ScanVirus> <Sandstorm>Enable/Disable</Sandstorm> <ScanFTP>Enable/Disable</ScanFTP> <ProxyMode>Enable/Disable</ProxyMode> <DecryptHTTPS>Enable/Disable</DecryptHTTPS> <!-- Synchronized Security --> <SourceSecurityHeartbeat>Enable/Disable</SourceSecurityHeartbeat> <MinimumSourceHBPermitted /> <DestSecurityHeartbeat>Enable/Disable</DestSecurityHeartbeat> <MinimumDestinationHBPermitted /> <!-- Security Features --> <ApplicationControl>Allow All</ApplicationControl> <ApplicationBaseQoSPolicy>Apply/Revoke</ApplicationBaseQoSPolicy><!-- this tag is only appliacable only when any ApplicationFilter is selected. --> <IntrusionPrevention>None</IntrusionPrevention> <TrafficShapingPolicy>None</TrafficShapingPolicy> <DSCPMarking>0-Best Effort/1/2/3/4/5/6/7/8-Class 1(CS1)/9/10-Class 1,Gold(AF11)/11/12-Class1,Silver(AF12)/13/14-Class 1,Bronze(AF13)/15/16-Class 2(CS2)/17/18-Class 2,Gold(AF21)/19/20-Class 2,Silver(AF22)/21/22-Class 2,Bronze(AF23)/23/24-Class 3(CS3)/25/26-Class 3,Gold(AF31)/27/28-Class 3,Silver(AF32)/29/30-Class 3,Bronze(AF33)/31/32-Class 4(CS4)/33/34-Class 4,Gold(AF41)/35/36-Class 4,Silver(AF42)/37/38-Class 4,Bronze(AF43)/39/40-Class 5(CS5)/41/42/43/44/45/46-Expedited Forwarding(EF)/47/48-Control(CS6)/49/50/51/52/53/54/55/56-Control(CS7)/57/58/59/60/61/62/63</DSCPMarking> <!-- Email Scanning --> <ScanSMTP>Enable/Disable</ScanSMTP> <ScanSMTPS>Enable/Disable</ScanSMTPS> <ScanIMAP>Enable/Disable</ScanIMAP> <ScanIMAPS>Enable/Disable</ScanIMAPS> <ScanPOP3>Enable/Disable</ScanPOP3> <ScanPOP3S>Enable/Disable</ScanPOP3S> </UserPolicy> <!-- User based Policy End--> <!-- Network Policy Start--> <NetworkPolicy> <Action>Accept/Reject/Drop</Action> <LogTraffic>Enable/Disable</LogTraffic> <SkipLocalDestined>Enable/Disable</SkipLocalDestined> <SourceZones> <Zone>Any/LAN/DMZ/VPN/WAN</Zone> <Zone>Any/LAN/DMZ/VPN/WAN</Zone> </SourceZones> <SourceNetworks> <Network>Source Network</Network> <Network>Source Network</Network> : </SourceNetworks> <Services> <Service>servicename</Service> : </Services> <Schedule>All The Time</Schedule> <DestinationZones> <Zone>Any/WAN/LAN/LOCAL/VPN</Zone> <Zone>Any/WAN/LAN/LOCAL/VPN</Zone> </DestinationZones> <DestinationNetworks> <Network>Destinaiton Network</Network> <Network>Destinaiton Network</Network> : </DestinationNetworks> <Exclusions> <SourceZones> <Zone>WAN/LAN/LOCAL/VPN</Zone> <Zone>WAN/LAN/LOCAL/VPN</Zone> : </SourceZones> <DestinationZones> <Zone>WAN/LAN/LOCAL/VPN</Zone> <Zone>WAN/LAN/LOCAL/VPN</Zone> : </DestinationZones> <SourceNetworks> <Network>Source Network</Network> <Network>Source Network</Network> : </SourceNetworks> <Services> <Service>servicename</Service> : </Services> <DestinationNetworks> <Network>Destinaiton Network</Network> <Network>Destinaiton Network</Network> : </DestinationNetworks> </Exclusions> <!-- WebFiltering --> <WebFilter>Allow All</WebFilter> <WebCategoryBaseQoSPolicy>Apply/Revoke</WebCategoryBaseQoSPolicy><!-- this tag is only appliacable only when any WebFilter is selected. --> <BlockQuickQuic>Enable/Disable</BlockQuickQuic> <ScanVirus>Enable/Disable</ScanVirus> <Sandstorm>Enable/Disable</Sandstorm> <ScanFTP>Enable/Disable</ScanFTP> <ProxyMode>Enable/Disable</ProxyMode> <DecryptHTTPS>Enable/Disable</DecryptHTTPS> <!-- Synchronized Security --> <SourceSecurityHeartbeat>Enable/Disable</SourceSecurityHeartbeat> <MinimumSourceHBPermitted /> <DestSecurityHeartbeat>Enable/Disable</DestSecurityHeartbeat> <MinimumDestinationHBPermitted /> <!-- Security Features --> <ApplicationControl>Allow All</ApplicationControl> <ApplicationBaseQoSPolicy>Apply/Revoke</ApplicationBaseQoSPolicy><!-- this tag is only appliacable only when any ApplicationFilter is selected. --> <IntrusionPrevention>None</IntrusionPrevention> <TrafficShapingPolicy>None</TrafficShapingPolicy> <DSCPMarking>0-Best Effort/1/2/3/4/5/6/7/8-Class 1(CS1)/9/10-Class 1,Gold(AF11)/11/12-Class1,Silver(AF12)/13/14-Class 1,Bronze(AF13)/15/16-Class 2(CS2)/17/18-Class 2,Gold(AF21)/19/20-Class 2,Silver(AF22)/21/22-Class 2,Bronze(AF23)/23/24-Class 3(CS3)/25/26-Class 3,Gold(AF31)/27/28-Class 3,Silver(AF32)/29/30-Class 3,Bronze(AF33)/31/32-Class 4(CS4)/33/34-Class 4,Gold(AF41)/35/36-Class 4,Silver(AF42)/37/38-Class 4,Bronze(AF43)/39/40-Class 5(CS5)/41/42/43/44/45/46-Expedited Forwarding(EF)/47/48-Control(CS6)/49/50/51/52/53/54/55/56-Control(CS7)/57/58/59/60/61/62/63</DSCPMarking> <!-- Email Scanning --> <ScanSMTP>Enable/Disable</ScanSMTP> <ScanSMTPS>Enable/Disable</ScanSMTPS> <ScanIMAP>Enable/Disable</ScanIMAP> <ScanIMAPS>Enable/Disable</ScanIMAPS> <ScanPOP3>Enable/Disable</ScanPOP3> <ScanPOP3S>Enable/Disable</ScanPOP3S> </NetworkPolicy> <!-- Network Policy End--> <!-- WAF Policy Start --> <HTTPBasedPolicy> <!--HTTP base policy is only applicable for IPv4--> <HostedAddress>Address</HostedAddress> <HTTPS>Enable/Disable</HTTPS> <RedirectHTTP>Enable/Disable</RedirectHTTP> <ListenPort>80</ListenPort> <Domains> <Domain /> <Domain /> : </Domains> <!--Use Either Authentication,AllowFrom,BlockFrom or AccessPaths --> <SourceNetworks> <Network /> <Network /> : </SourceNetworks> <ExceptionNetworks> <Network /> <Network /> : </ExceptionNetworks> <AccessPaths> <AccessPath><!-- At present AccessPath Attributes are name as it is in database and values of enable/disable is mapped as 1/0. --> <path>/access</path> <backend /> <backend /> <auth_profile /> <allowed_networks /> <allowed_networks /> : <denied_networks /> <denied_networks /> : <stickysession_status>1/0</stickysession_status> <hot_standby>1/0</hot_standby> <websocket_passthrough>1/0</websocket_passthrough> </AccessPath> <AccessPath> <Path>/useraccess</Path> <backend /> <backend /> <auth_profile /> <allowed_networks /> <allowed_networks /> : <denied_networks /> <denied_networks /> : <stickysession_status>1/0</stickysession_status> <hot_standby>1/0</hot_standby> <websocket_passthrough>1/0</websocket_passthrough> </AccessPath> : </AccessPaths> <Exceptions> <Exception> <!-- At present Exception Attributes are name as it is in database and values of enable/disable is mapped as 1/0. --> <path>psql</path> <path>abcd</path> <op>and/or</op> <source /> <source /> <skip_threats_filter_categories>application_attacks</skip_threats_filter_categories> <skip_threats_filter_categories>sql_injection_attacks</skip_threats_filter_categories> <skip_threats_filter_categories>xss_attacks</skip_threats_filter_categories> <skip_threats_filter_categories>protocol_enforcement</skip_threats_filter_categories> <skip_threats_filter_categories>scanner_detection</skip_threats_filter_categories> <skip_threats_filter_categories>data_leakages</skip_threats_filter_categories> <skipav>1</skipav> <skipbadclients>0</skipbadclients> <skipcookie>1</skipcookie> <skipform>0</skipform> <skipurl>1</skipurl> </Exception> <Exception> : : </Exception> : </Exceptions> <ProtocolSecurity /> <CompressionSupport>Disable/Enable</CompressionSupport> <RewriteHTML>Enable/Disable</RewriteHTML> <RewriteCookies>Enable/Disable</RewriteCookies> <PassHostHeader>Enable/Disable</PassHostHeader> <IntrusionPrevention>None</IntrusionPrevention> <TrafficShapingPolicy>None</TrafficShapingPolicy> </HTTPBasedPolicy> <!-- WAF Policy End --> </FirewallRule>



Parameter Mandatory Default Description
NameYes  
Specify a name to identify the Security Policy.
Name confines to:
  • Type is 'SCALAR'.
  • Datatype is 'STRING'.
  • Character not allowed: Comma (,)
  • Maximum characters allowed are 60.
  • UTF-8 character(s) are allowed.
DescriptionNo  
Specify description for the Security Policy.
pathYes  
Enter the path for which you want to create the site path route. Example: /products/.
confines to:
  • Type is 'SCALAR'.
  • Datatype is 'STRING'.
  • Character not allowed: Comma (,)
  • Maximum characters allowed are 63.
  • UTF-8 character(s) are allowed.
HTTPSYes Disable 
Click to enable or disable scanning of HTTPS traffic.
HTTPS confines to:
  • Type is 'SCALAR'.
  • Only 'Disable', 'Enable' are allowed.
HostedAddressYes  
Select the interface of the hosted server to which the rule applies. It is the public IP address through which Internet users access the internal server/host.
HostedAddress confines to:
  • Type is 'SCALAR'.
  • Datatype is 'STRING'.
auth_profileNo  
Select the Authentication Policy. Select Create new to create a new Authentication Policy.
confines to:
  • Type is 'SCALAR'.
  • Datatype is 'STRING'.
AuthenticationNo  
Select the Authentication Policy. Select Create new to create a new Authentication Policy.
Authentication confines to:
  • Type is 'SCALAR'.
  • Datatype is 'STRING'.
skipurlNo Disable 
Select this to skip 'Static URL Hardening'. Static URL Hardening protects against URL rewriting.
confines to:
  • Type is 'SCALAR'.
  • Only '0', '1' are allowed.
skipformNo Disable 
Click to skip 'Form Hardening'. Form hardening protects against web form rewriting.
confines to:
  • Type is 'SCALAR'.
  • Only '0', '1' are allowed.
PassHostHeaderNo Disable 
When you select this option, the host header as requested by the client will be preserved and forwarded along with the web request to the web server. Whether passing the host header is necessary in your environment depends on the configuration of your web server.
PassHostHeader confines to:
  • Type is 'SCALAR'.
  • Only 'Disable', 'Enable' are allowed.
skipavNo Disable 
Click this to skip 'Anti-Virus'. Anti-Virus is used to protect a web server against viruses.
confines to:
  • Type is 'SCALAR'.
  • Only '0', '1' are allowed.
ApplicationBaseQoSPolicyNo  
Select to limit the bandwidth for the applications categorized under the Application Category.
ApplicationBaseQoSPolicy confines to:
  • Type is 'SCALAR'.
  • Datatype is 'STRING'.
skiphtmlrewriteNo Disable 
If selected, no data matching the defined exception settings will be modified by the WAF engine.
confines to:
  • Type is 'SCALAR'.
  • Only '0', '1' are allowed.
RedirectHTTPNo Disable 
Click to redirect HTTP requests.
RedirectHTTP confines to:
  • Type is 'SCALAR'.
  • Only 'Disable', 'Enable' are allowed.
DSCPMarkingNo NULL 
Select DSCP Marking to classify flow of packets based on Traffic Shaping policy.
DSCPMarking confines to:
  • Type is 'SCALAR'.
  • Datatype is 'STRING'.
SourceSecurityHeartbeatNo OFF 
Enable/Disable to require the sending of heartbeats.
SourceSecurityHeartbeat confines to:
  • Type is 'SCALAR'.
  • Only 'Disable', 'Enable' are allowed.
ApplicationControlNo NULL 
Select Application Filter Policy for the rule.
ApplicationControl confines to:
  • Type is 'SCALAR'.
  • Datatype is 'STRING'.
MemberNo  
Select the user(s) or group(s) from the list of available options.
Member confines to:
  • Type is 'ARRAY'.
  • Datatype is 'STRING'.
  • Maximum characters allowed are 256.
  • Multiple values are allowed.
NetworkNo  
Select the source networks to which the rule won't apply.
Network confines to:
  • Type is 'ARRAY'.
  • Datatype is 'STRING'.
  • Maximum characters allowed are 60.
  • Multiple values are allowed.
DecryptHTTPSNo OFF 
Select to decrypt traffic with HTTPS protocol.
DecryptHTTPS confines to:
  • Type is 'SCALAR'.
  • Only 'Enable', 'Disable' are allowed.
migratedpolicyrouteNo  
Specify 'migratedpolicyroute'
confines to:
  • Type is 'SCALAR'.
  • Datatype is 'STRING'.
SkipLocalDestinedNo  
Select if you don't want to apply the firewall rule when appliance IP address is the destination.
SkipLocalDestined confines to:
  • Type is 'SCALAR'.
  • Only 'Enable', 'Disable' are allowed.
RewriteCookiesNo Enable 
Select this option to have the device rewrite cookies of the returned webpages.
RewriteCookies confines to:
  • Type is 'SCALAR'.
  • Only 'Disable', 'Enable' are allowed.
stickysession_statusNo  
Select this option to ensure that each session will be bound to one web server.
confines to:
  • Type is 'SCALAR'.
  • Only '0', '1' are allowed.
NetworkNo  
Specify Exception Host/Network Address to which rule is not to be applied.
Network confines to:
  • Type is 'ARRAY'.
  • Datatype is 'STRING'.
  • Maximum characters allowed are 60.
  • Multiple values are allowed.
ZoneNo  
Select the destination zones to which the rule won't apply.
Zone confines to:
  • Type is 'ARRAY'.
  • Datatype is 'STRING'.
  • Multiple values are allowed.
WebCategoryBaseQoSPolicyNo  
Select to limit bandwidth for the URLs categorized under the Web category.
WebCategoryBaseQoSPolicy confines to:
  • Type is 'SCALAR'.
  • Datatype is 'STRING'.
skipcookieNo Disable 
Select this to 'Skip Cookie Signing'. Cookie signing protects a web server against manipulated cookies.
confines to:
  • Type is 'SCALAR'.
  • Only '0', '1' are allowed.
websocket_passthroughNo  
Select this option to enable Websocket passthrough.
confines to:
  • Type is 'SCALAR'.
  • Only '0', '1' are allowed.
ScanPOP3No OFF 
Enable/Disable scanning of POP3 traffic.
ScanPOP3 confines to:
  • Type is 'SCALAR'.
  • Only 'Enable', 'Disable' are allowed.
ServiceNo  
Select the services or service groups to which the rule won't apply.
Service confines to:
  • Type is 'ARRAY'.
  • Datatype is 'STRING'.
  • Maximum characters allowed are 60.
  • Multiple values are allowed.
BlockQuickQuicNo OFF 
Ensure Google websites user HTTP/s instead of QUICK QUIC
BlockQuickQuic confines to:
  • Type is 'SCALAR'.
  • Only 'Enable', 'Disable' are allowed.
MinimumSourceHBPermittedNo NoRestriction 
Select a minimum health status that a device must have to conform to this policy.
MinimumSourceHBPermitted confines to:
  • Type is 'SCALAR'.
  • Only 'GREEN', 'YELLOW', 'No Restriction' are allowed.
ShowCaptivePortalNo OFF 
Select to accept traffic from unknown users. Captive portal page is displayed to the user where the user can login to access the Internet.
ShowCaptivePortal confines to:
  • Type is 'SCALAR'.
  • Only 'Enable', 'Disable' are allowed.
NetworkNo  
Select the destination networks to which the rule won't apply.
Network confines to:
  • Type is 'ARRAY'.
  • Datatype is 'STRING'.
  • Maximum characters allowed are 60.
  • Multiple values are allowed.
ScanSMTPSNo OFF 
Enable/Disable scanning of SMTPS traffic.
ScanSMTPS confines to:
  • Type is 'SCALAR'.
  • Only 'Enable', 'Disable' are allowed.
NetworkNo  
Select the allowed source network(s).
Network confines to:
  • Type is 'ARRAY'.
  • Datatype is 'STRING'.
  • Maximum characters allowed are 60.
  • Multiple values are allowed.
DestSecurityHeartbeatNo OFF 
Enable/Disable to require the sending of heartbeats.
DestSecurityHeartbeat confines to:
  • Type is 'SCALAR'.
  • Only 'Disable', 'Enable' are allowed.
ScanIMAPNo OFF 
Enable/Disable scanning of IMAP traffic.
ScanIMAP confines to:
  • Type is 'SCALAR'.
  • Only 'Enable', 'Disable' are allowed.
ScanFTPNo OFF 
Enable/Disable scanning of FTP traffic.
ScanFTP confines to:
  • Type is 'SCALAR'.
  • Only 'Enable', 'Disable' are allowed.
ScanSMTPNo OFF 
Enable/Disable scanning of SMTP traffic.
ScanSMTP confines to:
  • Type is 'SCALAR'.
  • Only 'Enable', 'Disable' are allowed.
PolicyTypeYes  
Select the type of policy.
PolicyType confines to:
  • Type is 'SCALAR'.
  • Only 'Network', 'User', 'HTTPBased' are allowed.
ZoneNo  
Select the source zone(s) allowed to the user.
Zone confines to:
  • Type is 'ARRAY'.
  • Datatype is 'STRING'.
  • Multiple values are allowed.
StatusNo ON 
Enable/Disable the policy.
Status confines to:
  • Type is 'SCALAR'.
  • Only 'Disable', 'Enable' are allowed.
RewriteHTMLNo Disable 
Select this option to have the device rewrite links of the returned webpages in order for the links to stay valid.
RewriteHTML confines to:
  • Type is 'SCALAR'.
  • Only '0', 'Enable' are allowed.
ScanPOP3SNo OFF 
Enable/Disable scanning of POP3S traffic.
ScanPOP3S confines to:
  • Type is 'SCALAR'.
  • Only 'Enable', 'Disable' are allowed.
MinimumDestinationHBPermittedNo NoRestriction 
Select a minimum health status that a device must have to conform to this policy.
MinimumDestinationHBPermitted confines to:
  • Type is 'SCALAR'.
  • Only 'GREEN', 'YELLOW', 'No Restriction' are allowed.
ScanIMAPSNo OFF 
Enable/Disable scanning of IMAPS traffic.
ScanIMAPS confines to:
  • Type is 'SCALAR'.
  • Only 'Enable', 'Disable' are allowed.
WebFilterInternetSchemeNo 
Select internet scheme to apply user based Web Filter Policy for the rule.
WebFilterInternetScheme confines to:
  • Type is 'SCALAR'.
  • Only 'Enable', 'Disable' are allowed.
hot_standbyNo  
Select this option if you want to send all requests to the first selected web server, and use the other web servers only as a backup.
confines to:
  • Type is 'SCALAR'.
  • Only '0', '1' are allowed.
sourceNo  
Specify the source networks where the client request comes from and which are to be exempted from the selected check(s).
confines to:
  • Type is 'ARRAY'.
  • Datatype is 'STRING'.
  • Multiple values are allowed.
WebFilterNo NULL 
Select Web Filter Policy for the rule.
WebFilter confines to:
  • Type is 'SCALAR'.
  • Datatype is 'STRING'.
ZoneNo  
Select the destination zone(s) for the Rule.
Zone confines to:
  • Type is 'ARRAY'.
  • Datatype is 'STRING'.
  • Multiple values are allowed.
TrafficShappingPolicy/TrafficShapingPolicyNo NULL 
Select Traffic Shaping policy for the rule.
TrafficShappingPolicy/TrafficShapingPolicy confines to:
  • Type is 'SCALAR'.
  • Datatype is 'STRING'.
MatchIdentityNo OFF 
Enable to check whether the specified user/user group from the selected zone is allowed to access the selected service or not.
MatchIdentity confines to:
  • Type is 'SCALAR'.
  • Only 'Enable', 'Disable' are allowed.
DomainsYes  
Enter the domains the web server is responsible for as FQDN.
Domains confines to:
  • Type is 'ARRAY'.
  • Datatype is 'STRING'.
  • Multiple values are allowed.
Note:
According to the selected HTTPS certificate, some domains may be preselected. You can edit or delete these domains or add new ones..
ListenPortYes 80 if 'HTTPS' is disabled or 443 is 'HTTPS' is enabled. 
Enter a port number on which the hosted web server can be reached externally, over the Internet.
ListenPort confines to:
  • Type is 'SCALAR'.
  • Datatype is 'INTEGER'.
  • Range 1 to 65535 is allowed.
DataAccountingNo OFF 
Select to exclude user's network traffic from data accounting.
DataAccounting confines to:
  • Type is 'SCALAR'.
  • Only 'Enable', 'Disable' are allowed.
Note:
This option is available only if the parameter 'Match rule-based on user identity' is enabled..
ScanVirusNo OFF 
Select to enable virus and spam scanning for HTTP protocol and decrypted HTTPS protocol.
ScanVirus confines to:
  • Type is 'SCALAR'.
  • Only 'Enable', 'Disable' are allowed.
IntrusionPreventionNo NULL 
Select IPS policy for the rule.
IntrusionPrevention confines to:
  • Type is 'SCALAR'.
  • Datatype is 'STRING'.
ProxyModeNo OFF 
Select to enable transparent web proxy
ProxyMode confines to:
  • Type is 'SCALAR'.
  • Only 'Enable', 'Disable', 'true', 'false' are allowed.
skipbadclientsNo Disable 
Select this to skip 'Block Clients with bad reputation'. Based on GeoIPClosed and RBLClosed information you can block clients which have a bad reputation according to their classification.
confines to:
  • Type is 'SCALAR'.
  • Only '0', '1' are allowed.
HTTPSCertificateNo  
Select the HTTPS certificate to be used for scanning.
HTTPSCertificate confines to:
  • Type is 'SCALAR'.
  • Datatype is 'STRING'.
denied_networksNo  
Select or add the denied networks that should be blocked on your hosted web server.
confines to:
  • Type is 'ARRAY'.
  • Datatype is 'STRING'.
  • Multiple values are allowed.
backendYes  
Select the web servers which are to be used for the specified path.
confines to:
  • Type is 'ARRAY'.
  • Datatype is 'STRING'.
  • Multiple values are allowed.
LogTrafficNo Disable 
Enable traffic logging for the policy.
LogTraffic confines to:
  • Type is 'SCALAR'.
  • Only 'Enable', 'Disable' are allowed.
skipform_missingtokenNo Select this to accept unhardened form data. 
Disable
confines to:
  • Type is 'SCALAR'.
  • Only '0', '1' are allowed.
opNo And 
Select the operation among AND or OR for Path and Source.
confines to:
  • Type is 'SCALAR'.
  • Only 'and', 'or', 'AND', 'OR' are allowed.
SandstormNo OFF 
Select to enable sandstorm analysis.
Sandstorm confines to:
  • Type is 'SCALAR'.
  • Only 'Enable', 'Disable' are allowed.
ApplicationControlInternetSchemeNo 
Select internet scheme to apply user based Application Filter Policy for the rule.
ApplicationControlInternetScheme confines to:
  • Type is 'SCALAR'.
  • Only 'Enable', 'Disable' are allowed.
ActionNo Drop 
Specify action for the rule traffic.
Action confines to:
  • Type is 'SCALAR'.
  • Only 'Accept', 'Drop', 'Reject' are allowed.
IPFamilyNo IPv4 
Select the Internet Protocol version.
IPFamily confines to:
  • Type is 'SCALAR'.
  • Only 'IPv4', 'IPv6' are allowed.
NetworkNo  
Select the allowed destination network(s).
Network confines to:
  • Type is 'ARRAY'.
  • Datatype is 'STRING'.
  • Maximum characters allowed are 60.
  • Multiple values are allowed.
CompressionSupportNo Disable 
Select this to not send content in compressed form to client on request.
CompressionSupport confines to:
  • Type is 'SCALAR'.
  • Only 'Disable', 'Enable' are allowed.
stickysession_idNo  
Enter the session ID.
confines to:
  • Type is 'SCALAR'.
  • Datatype is 'STRING'.
ZoneNo  
Select the source zones to which the rule won't apply.
Zone confines to:
  • Type is 'ARRAY'.
  • Datatype is 'STRING'.
  • Multiple values are allowed.
skip_threats_filter_categoriesNo Disable 
Select various parameters that you want to skip in section 'Skip these categories', options available are 'Protocol Violations', 'Protocol Anomalies', 'Request Limits', 'HTTP Policy', 'Bad Robots', 'Generic Attacks', 'SQL Injection Attacks', 'XSS Attacks', 'Tight Security', 'Trojans' and 'Outbound'.
confines to:
  • Type is 'ARRAY'.
  • Maximum characters allowed are 30.
  • Only 'application_attacks', 'sql_injection_attacks', 'xss_attacks', 'protocol_enforcement', 'scanner_detection', 'data_leakages' are allowed.
  • Multiple values are allowed.
NameNo  
Specify a name for the Security Policy when inserting after and before policy.
Name confines to:
  • Type is 'SCALAR'.
  • Datatype is 'STRING'.
  • Character not allowed: Comma (,)
  • Maximum characters allowed are 60.
  • UTF-8 character(s) are allowed.
ServiceNo  
Select Service/Service Groups to which the rule is to be applied.
Service confines to:
  • Type is 'ARRAY'.
  • Datatype is 'STRING'.
  • Maximum characters allowed are 60.
  • Multiple values are allowed.
ScheduleNo NULL 
Select Schedule for the Rule.
Schedule confines to:
  • Type is 'SCALAR'.
  • Datatype is 'STRING'.



Operation   Status   Message
Add firewall rule200
Add firewall rule500
Add firewall rule502
Add firewall rule541
Add firewall rule542
Add firewall rule543
Add firewall rule544
Add firewall rule545
Add firewall rule546
Add firewall rule547
Add firewall rule548
Add firewall rule549
Add firewall rule550
Add firewall rule551
Add firewall rule553
Add firewall rule554
Edit firewall rule200
Edit firewall rule202
Edit firewall rule500
Edit firewall rule502
Edit firewall rule541
Edit firewall rule542
Edit firewall rule543
Edit firewall rule544
Edit firewall rule545
Edit firewall rule546
Edit firewall rule547
Edit firewall rule548
Edit firewall rule549
Edit firewall rule550
Edit firewall rule551
Edit firewall rule552
Edit firewall rule553
Edit firewall rule554


© Copyright 2019 Sophos Firewall Limited. All rights reserved.
Sophos Firewall is registered trademarks of Sophos Firewall Limited and Sophos Firewall Group. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the license terms or you otherwise have the prior permission in writing of the copyright owner.