Add User/Network Rule (IPv4)

This page is used to define access rights and protection to the network objects/hosts.

  1. Click Firewall and select IPv4 using the filter switch. Now, click on +Add Firewall Rule and select User/Network Rule.
  2. Enter rule introduction.
    Rule Name
    Specify a name to identify the policy.
    Note: Rule Name can only be edited while creating a rule.
    Description
    Specify Policy Description.
    Rule Position
    Specify the position of the rule from the available options.
    Available Options:
    • Top
    • Bottom
    Note: Rule Position can only be specified while creating a rule.
    Action
    Select action for the rule traffic from the available options:
    • Accept – Allow access (selection appears in green)
    • Drop – Silently discard (selection appears in yellow)
    • Reject – Deny access (selection appears in red)
    Note: With Reject, an “ICMP port unreachable” message is sent to the source.

    When this response is sent, it may leave through a different interface than the one on which the request was received. This depends on the routing configuration of the device.

    For example, if a request is received on the LAN port with a spoofed source IP address (a public IP address, or an address not in the LAN zone network) and no specific route is defined for it, the device sends the response to that host using the default route. The response therefore leaves through the WAN port.

    Figure: About This Rule
  3. Specify Source details.
    Source Zones
    Select the source zone(s) allowed to the user.
    Source Networks and Devices
    Select the source network(s) allowed to the user.

    A new network host can be created directly from this page itself or from Objects > Hosts and Services > IP Host page.

    During Scheduled Time
    Select the schedule allowed to the user.

    A new schedule can be created directly from this page itself or from Objects > Policies > Schedule page.

    Figure: Source
  4. Specify Destination & Services details.
    Destination Zones
    Select the destination zone(s) allowed to the user.
    Destination Networks
    Select the destination network(s) allowed to the user.

    A new network host can be created directly from this page itself or from Objects > Assets > IP Host page.

    Services
    Select the services(s) allowed to the user.

    A new service can be created directly from this page itself or from Objects > Hosts and Services > Services page.

    Figure: Destination
  5. Specify Identity details. Follow this step if you want to configure a User Rule.
    Match known users
    Select to enable rule based on user identity.
    Show Captive Portal to unknown users
    Select the check box to accept traffic from unknown users. Captive portal page is displayed to the user where the user can sign in to access the Internet.
    Clear the check box to drop traffic from unknown users.
    User or Groups (Applicable only when Match known users is selected)
    Select the user(s) or group(s) from the list of available options.
    Exclude this user activity from data accounting (Applicable only when Match rule based on user identity is selected)
    Select to exclude the user's traffic matched by this rule from data accounting.

    By default, a user’s network traffic is counted in data accounting. Select this option to exclude certain traffic from user data accounting: the traffic allowed through this firewall rule will not be counted towards the user's data transfer.

    Figure: Identity
  6. Specify Malware Scanning details.
    Scan HTTP
    Enable HTTP traffic scanning.
    Decrypt & Scan HTTPS
    Enable HTTPS traffic decryption and scanning.
    Detect zero-day threats with Sandstorm
    Send files downloaded using HTTP or HTTPS for analysis by Sophos Sandstorm. Sandstorm protects your network against unknown and unpublished threats (“zero-day” threats).
    Note: This option is available only when Scan HTTP or Decrypt & scan HTTPS is enabled.
    Scan FTP
    Enable FTP traffic scanning.
  7. Enter Web malware and content scanning details (available only if Action selected for the traffic is Accept).
    Scan HTTP
    Enable HTTP traffic scanning.
    Decrypt & scan HTTPS
    Enable HTTPS traffic decryption and scanning.
    Block Google QUIC (Quick UDP Internet Connections)
    Disable QUIC protocol (UDP) traffic for Google services.
    Detect zero-day threats with Sophos Sandstorm
    Send files downloaded using HTTP or HTTPS for analysis by Sophos Sandstorm. Sophos Sandstorm protects your network against unknown and unpublished threats (“zero-day” threats).
    Scan FTP for malware
    Enable FTP traffic scanning.
    Figure: Web malware and content scanning
  8. Specify Advanced details. (Applicable only when Action for the traffic is Accept)

    User Applications

    Intrusion Prevention
    Select the IPS Policy for the rule. A new IPS Policy can be created directly from this page itself or from Objects > Policies > IPS page.
    Traffic Shaping Policy
    User's Traffic Shaping policy will be applied automatically.
    Web Filter (Applicable only if Match rule based on user identity is 'Disabled')
    Select Web Filter Policy for the rule.

    It controls access to applications such as IM, P2P and VoIP.

    A new Web Filter Policy can be created directly from this page itself or from Objects > Policies > Web Filter Policy page.
    Apply Web Category based Traffic Shaping Policy (Applicable only if Match rule based on user identity is 'Disabled')

    Click to restrict bandwidth for the URLs categorized under the Web category.

    A three step configuration is required as follows:

    1. Create Traffic Shaping policy from Objects > Policies > Traffic Shaping. Here, specify the Policy Association as 'Web Categories'.
    2. Now, assign the created policy for Web Filter.
    3. Check to enable Apply Web Category based Traffic Shaping Policy.
    Application Control (Applicable only if Match rule based on user identity is 'Disabled')
    Select Application Filter Policy for the rule. A new Application Filter Policy can be created directly from this page itself or from Objects > Policies > Application Group page.
    Apply Application-based Traffic Shaping Policy (Applicable only if Match rule based on user identity is 'Disabled')
    Click to restrict bandwidth for the applications categorized under the Application category.

    A three step configuration is required as follows:

    1. Create Traffic Shaping policy from Objects > Policies > Traffic Shaping. Here, specify the Policy Association as 'Applications'.
    2. Now, assign the created policy for Application Control.
    3. Check to enable Apply Application-based Traffic Shaping Policy.

    Synchronized Security

    Minimum Source HB Permitted
    Select a minimum health status that a source device must have to conform to this rule. Health status can be either Green, Yellow or No Restriction. If the health criterion is not met, access and privileges defined in this rule will not be granted to the user.
    Block clients with no heartbeat
    Heartbeat-capable devices can be required to send information on their health status at defined intervals; this is called a heartbeat.
    Based on that information, you can restrict a source device's access to certain services and networks.

    Select the option to require the sending of heartbeats.

    Minimum Destination HB Permitted
    Select a minimum health status that a destination device must have to conform to this rule. Health status can be either Green, Yellow or No Restriction. If the health criterion is not met, access and privileges defined in this rule will not be granted to the user.
    Block request to destination with no heartbeat
    Heartbeat-capable devices can be required to send information on their health status at defined intervals; this is called a heartbeat.
    Based on that information, you can block requests to destinations that are not sending a heartbeat.

    Select the option to require the sending of heartbeats.

    NAT & Routing

    Rewrite source address (Masquerading)
    Select to rewrite the source address or specify a NAT policy.
    Use Gateway Specific Default NAT Policy (Applicable only if Masquerading is selected and Destination Zone is selected as WAN)

    Click to override the default NAT policy with a gateway specific policy.

    Override default NAT policy for specific Gateway (Applicable only if Use Gateway Specific Default NAT Policy is selected)
    Select to specify gateway and corresponding NAT policy. Multiple Gateways and NAT Policy can be added.
    Use Outbound Address (Applicable when Rewrite source address is selected)
    Select the NAT policy to be applied from the list of available NAT policies.

    A new NAT policy can be created directly from this page itself or from Objects > Policies > NAT page.

    Default NAT policy is Masquerade.
    Primary Gateway
    Specify the Primary Gateway. This is applicable only if more than one gateway is defined.
    Backup Gateway
    Specify the Backup Gateway. This is applicable only if more than one gateway is defined.
    DSCP Marking
    Select the DSCP Marking.

    DSCP (DiffServ Code Point) classifies the flow of packets as they enter the local network according to QoS. A flow is defined by five elements: Source IP Address, Destination IP Address, Source port, Destination port and the transport protocol.

    For available options, refer to DSCP Values.
    Figure: Routing
  9. Define logging option for the user application traffic.
    Log Firewall Traffic
    Click to select logging of permitted and denied traffic.
    Figure: Log Traffic
  10. Click Save to save the settings.
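The following is an added example, not Sophos code or part of this page: a small Python model of how the fields from steps 2 to 5 (rule position, zones, networks, services, action, identity) and the Synchronized Security heartbeat options combine into a first-match decision. The ordering of health states, the treatment of a device with no heartbeat, and the drop of unmatched traffic are assumptions made for the model, not documented behaviour.

```python
import ipaddress
from dataclasses import dataclass, field

HEALTH_RANK = {"Green": 2, "Yellow": 1, "Red": 0}  # constructed ordering; higher is healthier

@dataclass
class Rule:
    name: str
    src_zones: set
    src_nets: list                   # CIDR strings (Source Networks)
    dst_zones: set
    dst_nets: list                   # CIDR strings (Destination Networks)
    services: set                    # e.g. {"tcp/443"}
    action: str                      # "accept", "drop" or "reject"
    users: set = field(default_factory=set)  # empty: network rule, no identity match
    captive_portal: bool = False     # Show Captive Portal to unknown users
    min_src_hb: str = "No Restriction"       # Minimum Source HB Permitted
    block_no_hb: bool = False        # Block clients with no heartbeat

def add_rule(rules, rule, position):
    """Rule Position (step 2): Top goes before all existing rules, Bottom after."""
    rules.insert(0 if position == "Top" else len(rules), rule)

def _in_nets(ip, nets):
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in nets)

def heartbeat_ok(rule, health):
    """Synchronized Security gate (assumed semantics): a device sending no heartbeat
    passes unless 'Block clients with no heartbeat' is set; otherwise its health must
    meet the configured minimum."""
    if health is None:
        return not rule.block_no_hb
    return rule.min_src_hb == "No Restriction" or HEALTH_RANK[health] >= HEALTH_RANK[rule.min_src_hb]

def matches(rule, pkt):
    """Zones, networks and service from steps 3 and 4 must all match."""
    return (pkt["src_zone"] in rule.src_zones and pkt["dst_zone"] in rule.dst_zones
            and _in_nets(pkt["src"], rule.src_nets) and _in_nets(pkt["dst"], rule.dst_nets)
            and pkt["service"] in rule.services)

def evaluate(rules, pkt):
    """Walk the ordered list; the first applicable rule decides and (decision, rule name)
    is returned. Assumed: a packet matching no rule is dropped."""
    for r in rules:
        if not matches(r, pkt):
            continue
        if r.users:                                  # User Rule (step 5)
            user = pkt.get("user")
            if user is None:                         # unknown user
                return ("captive_portal" if r.captive_portal else "drop", r.name)
            if user not in r.users:
                continue
        if r.action == "accept" and not heartbeat_ok(r, pkt.get("health")):
            continue                                 # health criterion not met: no access via this rule
        return (r.action, r.name)
    return ("drop", None)
```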
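The routing note under Action in step 2 (a Reject reply to a spoofed LAN source leaving via the WAN port) can be reproduced with a longest-prefix-match lookup. This is an added example, not Sophos code; the routing table, the zone membership and the `source_belongs_to_zone` anti-spoofing check are constructed for illustration and are not fields on this page.

```python
import ipaddress

# Constructed routing table as (prefix, egress interface); 0.0.0.0/0 is the default route.
ROUTES = [("192.168.1.0/24", "LAN"), ("0.0.0.0/0", "WAN")]
# Constructed zone membership used by the anti-spoofing check below.
ZONE_NETS = {"LAN": ["192.168.1.0/24"]}

def egress_interface(dst_ip, routes):
    """Longest-prefix match: the interface a packet addressed to dst_ip leaves on."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def reply_interface(action, src_ip, routes=ROUTES):
    """Where the firewall's own reply to a denied request leaves.
    Drop is silent; Reject answers src_ip with ICMP port unreachable, and that
    reply is routed like any other packet, so a source outside the LAN network
    is reached via the default route unless a specific route exists."""
    if action == "drop":
        return None
    if action == "reject":
        return egress_interface(src_ip, routes)
    raise ValueError("only Drop and Reject involve a firewall-originated reply")

def source_belongs_to_zone(src_ip, ingress_zone, zone_nets=ZONE_NETS):
    """Added check (assumption, not a page field): does the source address fall
    inside the networks of the zone the packet arrived on? A mismatch is the
    spoofed-source case the page describes."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(n) for n in zone_nets.get(ingress_zone, []))
```

A Drop action never answers, so it avoids the cross-interface reply entirely; with Reject, a specific route for the source (or a reverse-path check on ingress) decides where the ICMP reply goes.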