Add a firewall rule

Create firewall rules to allow or disallow traffic flow between zones and networks and apply security policies and actions.

Create rules for IPv4 or IPv6 networks. Specify the matching criteria, such as source, destination, services, and users during a time period. Select the policies and the scanning action to apply. Select the action to enforce on Synchronized Security endpoints and servers.
  1. Go to Rules and policies > Firewall rules. Select IPv4 or IPv6 protocol and select Add firewall rule. Select New firewall rule.
  2. Rules are turned on by default. You can turn off a rule if you don't want to apply its matching criteria.
  3. Enter the general details.
    Rule name Enter a name.
    Rule position Specify the position of the rule in the rule table:
    • Top
    • Bottom

    XG Firewall evaluates rules from the top down until it finds a match. Once it finds a match, it doesn’t evaluate subsequent rules. You can change the rule sequence in the rule table.

    Rule group

    Select a rule group or create one. The firewall rule will belong to this group.

    If you select Automatic, the firewall rule is added to an existing group based on first match with rule type and source-destination zones.

    Action Select an action:

    Accept: Allows traffic

    Drop: Drops traffic without notification

    Reject: Drops traffic and sends an ICMP port unreachable message to the source.

    Protect with web server protection: Select this and specify the web server protection (WAF) details to control web application traffic.

    Preconfigured template

    If you’ve selected web server protection, select a template to apply:

    None: Specify the web server protection details.

    Exchange Autodiscover

    Exchange Outlook Anywhere

    Exchange General

    Microsoft Lync

    Microsoft Remote Desktop Gateway 2008 and R2

    Microsoft Remote Desktop Web 2008 and R2

    Microsoft Sharepoint 2010 and 2013

    Log firewall traffic

    Select to log all traffic that matches this rule. By default, logs are stored on XG Firewall.

    To add a syslog server and save logs on the server, go to System services > Log settings.

    Note Sessions are logged when a connection is terminated upon receiving a connection "Destroy" event. Connections that are terminated without a "Destroy" event being seen by XG Firewall, such as during the loss of internet connection, aren't logged.
    Note Review rule positions after a firewall rule is created automatically or manually to make sure the intended rule matches traffic criteria.

    Automatically created firewall rules, such as those for email MTA, IPsec connections, and hotspots, are placed at the top of the firewall rule list and are evaluated first. Later, if you manually create a firewall rule with Rule position set to Top or another automatically created rule, these are placed at the top of the rule table, changing rule positions. When matching criteria overlap for the new and existing rules, policies and actions of the new rule will apply, leading to unplanned outcomes, such as failure in mail delivery or tunnels not being established.

  4. Select the source matching criteria.

    Source zones

    Select the zones from which traffic originates.

    Source networks and devices

    Select the source networks and devices or create new ones.

    During scheduled time

    Select a schedule or create one. XG Firewall matches the rule criteria during the time period and day of the week that you select.

  5. Enter the destination and service matching criteria.

    Destination zones

    Select the destination zones in which the traffic terminates.

    Destination networks

    Select the destination networks or create new ones.


    Select the services or create a new service. Services are a combination of protocols and ports.

  6. Specify the user identity criteria.

    Match known users

    Select to add user identity as a matching criterion.

    Use web authentication for unknown users

    Select to authenticate unknown users who try to access the web. These are users who’ve signed in to their endpoint devices, but have not been authenticated.

    To specify web authentication settings, go to Authentication > Web authentication. You can specify AD SSO (Kerberos and NTLM) or captive portal authentication.

    To turn on access to AD SSO and captive portal from the required zones, go to Administration > Device access.

    Users or groups

    Select the users and groups. The rule will then apply only to traffic originating from the specified users and groups.

    Exclude this user activity from data accounting

    Select to exclude the specified users’ traffic from data accounting.

    By default, XG Firewall adds traffic that matches the rule criteria to individual users’ data transfer.

    Use this if you don’t want to set a data usage limit on the specified users.

  7. Select Add exclusion to add exclusions to the rule. XG Firewall won’t match the specified criteria for the following objects:
    • Source zones
    • Source networks and devices
    • Destination zones
    • Destination networks
    • Services
  8. Select Create linked NAT rule if you want to enforce address translation for this rule’s source networks and devices.

    Linked NAT rules are source NAT rules and are listed in the NAT rule table. You can identify them by the firewall rule ID and name.

    You can change only the translated source and the outbound interface-specific source translation in a linked NAT rule. For the rest, it applies the matching criteria of the firewall rule that it’s linked to, including users and groups.
    CAUTION Linked NAT rules apply only to the traffic defined by the firewall rule to which they are linked. However, if the criteria of a NAT rule placed above the linked NAT rule matches the traffic, the former rule is applied. XG Firewall doesn’t evaluate subsequent rules once it finds a match.
  9. Select Web filtering to specify the settings.

    Select the web policy, malware and content scanning, and the filtering settings.

    Malware and content scanning: The settings specified in Web > General settings apply.

    Filtering: Select the settings to filter web traffic over common web ports. If you want to select web proxy filtering, you must first select a web policy or malware and content scanning for HTTP and decrypted HTTPS.

    XG Firewall identifies micro apps, such as Dropbox and Gmail attachment upload and download, based on their URLs. When you specify an application filter policy for these micro apps in the firewall rule and set the matching SSL/TLS inspection rule to decrypt, the DPI engine identifies micro apps based on the decrypted URL. This applies even if you set Web policy to None and turn off malware scanning and advanced threat protection. XG Firewall takes the action specified in the application filter policy.

    If you set up web proxy filtering on bridge interfaces without an IP address, the traffic is dropped.

    Web policy

    Select a web policy or create one.

    Apply web category-based traffic shaping

    Select to apply the bandwidth settings specified for the web categories within the policy.

    Block QUIC protocol

    Blocks QUIC protocol by dropping outbound UDP packets to ports 80 and 443 for traffic that matches the rule's criteria. It's selected by default when you select a web policy or turn on scanning for HTTP and decrypted HTTPS.

    Chrome uses the protocol by default to establish sessions with Google services. QUIC traffic can't be scanned and bypasses web filtering.

    Scan HTTP and decrypted HTTPS

    Select to scan web traffic for malware.

    This option doesn't turn on HTTPS decryption. To ensure HTTPS traffic is decrypted for scanning, use SSL/TLS inspection rules in DPI mode or select Decrypt HTTPS during web proxy filtering.

    Detect zero-day threats with Sandstorm

    If you selected scanning for HTTP and decrypted HTTPS, select to send files downloaded over HTTP or HTTPS for Sandstorm analysis. Sandstorm protects your network from zero-day (unknown and unpublished) threats.

    Scan FTP for malware

    Select to scan FTP traffic for malware.

    Use web proxy instead of DPI engine Select to use the web proxy to filter traffic only on ports 80 (HTTP) and 443 (HTTPS). The DPI engine continues to filter HTTP and SSL/TLS traffic on other ports.

    You require proxy mode to enforce SafeSearch and YouTube restrictions, to restrict sign-ins to Google Apps (example: Gmail, Drive) to certain domain accounts, to turn on pharming protection and web content caching, and to connect to a parent proxy.

    To use the DPI engine for web filtering, clear the check box. The DPI engine filters HTTP and SSL/TLS traffic on all ports. With this setting, XG Firewall uses direct mode. It applies SSL/TLS inspection rules to intercept, decrypt, and inspect encrypted traffic based on the rule-matching criteria and decryption profiles.

    To make sure that SSL/TLS inspection rules are turned on and to create SSL/TLS inspection rules, go to Rules and policies > SSL/TLS inspection rules.

    Decrypt HTTPS during web proxy filtering

    Turning on this option also decrypts HTTPS traffic in direct proxy mode.

    Tip You can create a firewall rule with web proxy filtering for pre-configured FQDN host groups to enforce Safe Search, YouTube restrictions, and to restrict sign-ins to G Suite applications. To create this firewall rule, see the learning content linked to this page.
    Note You can use direct proxy mode even if you don't select Use web proxy instead of DPI engine. To use direct proxy mode, clients must be configured to use XG Firewall in their proxy settings. For information about using XG Firewall as a direct web proxy, go to Web proxy configuration in Web > General settings.
    Note XG Firewall skips decryption, malware and content scanning, Sandstorm analysis, and policy checks for the corresponding exceptions you specify in Web > Exceptions. Exceptions apply both to DPI and proxy modes.
  10. Select Configure Synchronized Security Heartbeat to specify the Heartbeat settings. Specifying these controls allows you to protect endpoint devices and servers in your network through XG Firewall.

    Endpoint devices and services configured with Synchronized Security send a heartbeat, which is information about their health status to XG Firewall at pre-defined intervals.

    Minimum source HB permitted

    Select the minimum health status that a device from which traffic originates must maintain. If a device doesn’t send the minimum heartbeat, its user won’t receive the access defined in this rule.

    Green: Only endpoints sending this health status have access.

    Yellow: Only endpoints sending a green or yellow health status have access.

    No restriction: All endpoints have access, including those that aren’t sending a heartbeat or are sending a red status.

    Block clients with no heartbeat

    Select to block the devices that don’t send a heartbeat.

    Minimum destination HB permitted

    Select the minimum health status that a device, receiving traffic must maintain. If a device doesn’t send the minimum heartbeat, its user won’t receive the access defined in this rule.

    Green: Only endpoints sending this health status have access.

    Yellow: Only endpoints sending a green or yellow health status have access.

    No restriction: All endpoints have access, including those that aren’t sending a heartbeat or are sending a red status.

    You can apply destination heartbeat control to devices in the internal network, not in the WAN zone.

    Block request to destination with no heartbeat

    Select to block the devices that don’t send a heartbeat.

  11. Select the settings for the other security features. You can select or create new application control, IPS, and traffic shaping policies.
    Identify and control applications (App control)

    Select an application filter policy.

    Apply application-based traffic shaping policy

    Select to apply the bandwidth settings specified for the applications within the application category.

    Detect and prevent exploits (IPS)

    Select an IPS policy.

    Shape traffic

    Select a traffic shaping policy to apply a bandwidth guarantee or limit.

    If you’ve selected Match known users, the specified users’ traffic shaping policy is applied. In the absence of a user policy, the group policy is applied.

    DSCP marking

    Select the level of DSCP marking to mark packets for priority. For details, see DSCP Value.

    Expedited forwarding (EF): Priority queuing that ensures low delay and packet loss. Suitable for real-time services.

    Assured forwarding (AF): Assured delivery, but with packet drop if congestion occurs. Assigns higher priority than best-effort.

    Class selector (CS): Backward compatibility with network devices that use IP precedence in type of service.

  12. To scan email content, select the protocols IMAP, IMAPS, POP3, POP3S, SMTP, and SMTPS.

    If you select a protocol here and haven’t added its standard ports to Services in this rule, select Add ports. The standard ports for the selected protocols are added to services.

  13. Click Save.