Add firewall rule / Edit firewall rule

Create or edit a firewall rule.

Parameter | Mandatory | Default | Description
---|---|---|---
Name | Yes | | Specify a name to identify the Security Policy.
Description | No | | Specify a description for the Security Policy.
path | Yes | | Enter the path for which you want to create the site path route. Example: /products/.
HTTPS | Yes | Disable | Click to enable or disable scanning of HTTPS traffic.
HostedAddress | Yes | | Select the interface of the hosted server to which the rule applies. It is the public IP address through which Internet users access the internal server/host.
auth_profile | No | | Select the Authentication Policy. Select Create new to create a new Authentication Policy.
Authentication | No | | Select the Authentication Policy. Select Create new to create a new Authentication Policy.
skipurl | No | Disable | Select this to skip 'Static URL Hardening'. Static URL Hardening protects against URL rewriting.
skipform | No | Disable | Click to skip 'Form Hardening'. Form hardening protects against web form rewriting.
PassHostHeader | No | Disable | When you select this option, the host header as requested by the client is preserved and forwarded along with the web request to the web server. Whether passing the host header is necessary in your environment depends on the configuration of your web server.
skipav | No | Disable | Click this to skip 'Anti-Virus'. Anti-Virus protects a web server against viruses.
ApplicationBaseQoSPolicy | No | | Select to limit the bandwidth for the applications categorized under the Application Category.
skiphtmlrewrite | No | Disable | If selected, no data matching the defined exception settings will be modified by the WAF engine.
RedirectHTTP | No | Disable | Click to redirect HTTP requests.
DSCPMarking | No | NULL | Select DSCP Marking to classify the flow of packets based on the Traffic Shaping policy.
SourceSecurityHeartbeat | No | OFF | Enable/Disable to require the sending of heartbeats.
ApplicationControl | No | NULL | Select the Application Filter Policy for the rule.
Member | No | | Select the user(s) or group(s) from the list of available options.
Network | No | | Select the source networks to which the rule won't apply.
DecryptHTTPS | No | OFF | Select to decrypt traffic with the HTTPS protocol.
migratedpolicyroute | No | | Specify 'migratedpolicyroute'.
SkipLocalDestined | No | | Select if you don't want to apply the firewall rule when the appliance IP address is the destination.
RewriteCookies | No | Enable | Select this option to have the device rewrite cookies of the returned web pages.
stickysession_status | No | | Select this option to ensure that each session is bound to one web server.
Network | No | | Specify the Exception Host/Network Address to which the rule is not to be applied.
Zone | No | | Select the destination zones to which the rule won't apply.
WebCategoryBaseQoSPolicy | No | | Select to limit bandwidth for the URLs categorized under the Web category.
skipcookie | No | Disable | Select this to 'Skip Cookie Signing'. Cookie signing protects a web server against manipulated cookies.
websocket_passthrough | No | | Select this option to enable WebSocket passthrough.
ScanPOP3 | No | OFF | Enable/Disable scanning of POP3 traffic.
Service | No | | Select the services or service groups to which the rule won't apply.
BlockQuickQuic | No | OFF | Ensure Google websites use HTTP/S instead of QUIC.
MinimumSourceHBPermitted | No | NoRestriction | Select the minimum health status that a device must have to conform to this policy.
ShowCaptivePortal | No | OFF | Select to accept traffic from unknown users. A captive portal page is displayed to the user, where the user can log in to access the Internet.
Network | No | | Select the destination networks to which the rule won't apply.
ScanSMTPS | No | OFF | Enable/Disable scanning of SMTPS traffic.
Network | No | | Select the allowed source network(s).
DestSecurityHeartbeat | No | OFF | Enable/Disable to require the sending of heartbeats.
ScanIMAP | No | OFF | Enable/Disable scanning of IMAP traffic.
ScanFTP | No | OFF | Enable/Disable scanning of FTP traffic.
ScanSMTP | No | OFF | Enable/Disable scanning of SMTP traffic.
PolicyType | Yes | | Select the type of policy.
Zone | No | | Select the source zone(s) allowed to the user.
Status | No | ON | Enable/Disable the policy.
RewriteHTML | No | Disable | Select this option to have the device rewrite links of the returned web pages so that the links stay valid.
ScanPOP3S | No | OFF | Enable/Disable scanning of POP3S traffic.
MinimumDestinationHBPermitted | No | NoRestriction | Select the minimum health status that a device must have to conform to this policy.
ScanIMAPS | No | OFF | Enable/Disable scanning of IMAPS traffic.
WebFilterInternetScheme | No | 0 | Select the internet scheme to apply a user-based Web Filter Policy for the rule.
hot_standby | No | | Select this option if you want to send all requests to the first selected web server and use the other web servers only as a backup.
Section | No | | Section to which the rule belongs.
source | No | | Specify the source networks the client request comes from that are to be exempted from the selected check(s).
WebFilter | No | NULL | Select the Web Filter Policy for the rule.
Zone | No | | Select the destination zone(s) for the rule.
TrafficShappingPolicy/TrafficShapingPolicy | No | NULL | Select the Traffic Shaping policy for the rule.
block_unknown_country | No | | Select this option if you want to block unknown countries.
MatchIdentity | No | OFF | Enable to check whether the specified user/user group from the selected zone is allowed to access the selected service.
blocked_countries | No | | Select or add the countries that should be blocked on your hosted web server.
Domains | Yes | | Enter the domains the web server is responsible for, as FQDNs. Depending on the selected HTTPS certificate, some domains may be preselected. You can edit or delete these domains or add new ones.
ListenPort | Yes | 80 if 'HTTPS' is disabled, 443 if 'HTTPS' is enabled | Enter the port number on which the hosted web server can be reached externally, over the Internet.
DataAccounting | No | OFF | Select to exclude the user's network traffic from data accounting. This option is available only if the parameter 'Match rule-based on user identity' is enabled.
ScanVirus | No | OFF | Select to enable virus and spam scanning for the HTTP protocol and decrypted HTTPS protocol.
Position | Yes | | Rule position in the firewall rule list.
IntrusionPrevention | No | NULL | Select the IPS policy for the rule.
ProxyMode | No | OFF | Select to enable the transparent web proxy.
skipbadclients | No | Disable | Select this to skip 'Block Clients with bad reputation'. Based on GeoIP and RBL information, you can block clients that have a bad reputation according to their classification.
HTTPSCertificate | No | | Select the HTTPS certificate to be used for scanning.
denied_networks | No | | Select or add the denied networks that should be blocked on your hosted web server.
backend | Yes | | Select the web servers to be used for the specified path.
LogTraffic | No | Disable | Enable traffic logging for the policy.
skipform_missingtoken | No | Disable | Select this to accept unhardened form data.
op | No | And | Select the operation, AND or OR, to combine Path and Source.
ZeroDayProtection | No | OFF | Select to turn zero-day protection on.
ApplicationControlInternetScheme | No | 0 | Select the internet scheme to apply a user-based Application Filter Policy for the rule.
Action | No | Drop | Specify the action for the rule traffic.
IPFamily | No | IPv4 | Select the Internet Protocol version.
Network | No | | Select the allowed destination network(s).
CompressionSupport | No | Disable | Select this to not send content in compressed form to the client on request.
stickysession_id | No | | Enter the session ID.
Zone | No | | Select the source zones to which the rule won't apply.
skip_threats_filter_categories | No | Disable | Select the parameters you want to skip in the section 'Skip these categories'. The available options are 'Protocol Violations', 'Protocol Anomalies', 'Request Limits', 'HTTP Policy', 'Bad Robots', 'Generic Attacks', 'SQL Injection Attacks', 'XSS Attacks', 'Tight Security', 'Trojans' and 'Outbound'.
Name | No | | Specify the name of the Security Policy to insert the new policy after or before.
Service | No | | Select the Service/Service Groups to which the rule is to be applied.
Schedule | No | NULL | Select the Schedule for the rule.
Operation | Status | Message
---|---|---
Add firewall rule | 200 |
Add firewall rule | 500 |
Add firewall rule | 502 |
Add firewall rule | 541 |
Add firewall rule | 542 |
Add firewall rule | 543 |
Add firewall rule | 544 |
Add firewall rule | 545 |
Add firewall rule | 546 |
Add firewall rule | 547 |
Add firewall rule | 548 |
Add firewall rule | 549 |
Add firewall rule | 550 |
Add firewall rule | 551 |
Add firewall rule | 553 |
Add firewall rule | 554 |
Add firewall rule | 596 |
Edit firewall rule | 200 |
Edit firewall rule | 202 |
Edit firewall rule | 500 |
Edit firewall rule | 502 |
Edit firewall rule | 541 |
Edit firewall rule | 542 |
Edit firewall rule | 543 |
Edit firewall rule | 544 |
Edit firewall rule | 545 |
Edit firewall rule | 546 |
Edit firewall rule | 547 |
Edit firewall rule | 548 |
Edit firewall rule | 549 |
Edit firewall rule | 550 |
Edit firewall rule | 551 |
Edit firewall rule | 552 |
Edit firewall rule | 553 |
Edit firewall rule | 554 |
Edit firewall rule | 596 |
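The following is an added example, not code from the Sophos documentation or product: a pre-flight check that applies the defaults and the two dependencies stated in the parameter table (ListenPort follows HTTPS; DataAccounting needs MatchIdentity) to a rule definition, verifies the mandatory parameters, and flags settings a reviewer would want to see before the rule is submitted. The non-default toggle value "Enable", the allow action "Accept", and the sample rule values are assumptions; the table only names defaults.

```python
# Added example, not Sophos code: apply the documented defaults and dependencies
# to a rule definition before it is sent, and flag settings worth reviewing.

MANDATORY = ("Name", "PolicyType", "Position")   # rows marked Mandatory = Yes

# Defaults copied from the parameter table above.
DEFAULTS = {
    "Status": "ON", "Action": "Drop", "IPFamily": "IPv4", "LogTraffic": "Disable",
    "MatchIdentity": "OFF", "DataAccounting": "OFF", "HTTPS": "Disable",
    "ScanVirus": "OFF", "ZeroDayProtection": "OFF",
    "skipav": "Disable", "skipform": "Disable", "skipurl": "Disable",
    "skipcookie": "Disable", "skipbadclients": "Disable",
}

# Assumption: the non-default value of these toggles is "Enable" and an
# allow rule uses Action "Accept"; the table only names the defaults.
WAF_SKIPS = ("skipav", "skipform", "skipurl", "skipcookie", "skipbadclients")


def normalise_rule(params):
    """Return (rule, warnings); raise ValueError if a mandatory field is missing."""
    missing = [k for k in MANDATORY if not params.get(k)]
    if missing:
        raise ValueError("missing mandatory parameter(s): " + ", ".join(missing))
    rule = {**DEFAULTS, **params}
    # ListenPort default depends on HTTPS: 80 when disabled, 443 when enabled.
    rule.setdefault("ListenPort", 443 if rule["HTTPS"] == "Enable" else 80)
    warnings = []
    # DataAccounting is available only when MatchIdentity is enabled.
    if rule["DataAccounting"] == "ON" and rule["MatchIdentity"] != "ON":
        warnings.append("DataAccounting needs MatchIdentity=ON; reset to OFF")
        rule["DataAccounting"] = "OFF"
    # An allow rule that is not logged leaves no audit trail for later review.
    if rule["Action"] == "Accept" and rule["LogTraffic"] == "Disable":
        warnings.append("Accept rule with LogTraffic=Disable: no audit trail")
    skipped = [k for k in WAF_SKIPS if rule[k] == "Enable"]
    if skipped:
        warnings.append("WAF protections skipped: " + ", ".join(skipped))
    return rule, warnings


if __name__ == "__main__":
    # Constructed sample rule; the values are illustrative, not from the page.
    rule, warns = normalise_rule({"Name": "dmz-web", "PolicyType": "Network",
                                  "Position": "Top", "Action": "Accept",
                                  "skipav": "Enable"})
    print(rule["ListenPort"], warns)
```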