Specifications
Add an IP rule called allow_ping_outbound to allow ICMP pings to pass:
Device:/> add IPRule name=allow_ping_outbound
Action=NAT
SourceInterface=G3
SourceNetwork=InterfaceAddresses/G3_net
DestinationInterface=G2
DestinationNetwork=all-nets
Service=ping-outbound
The IP rule again has the NAT action and this is necessary if the protected local hosts have private
IPv4 addresses. The ICMP requests will be sent out from the Clavister Security Gateway with the
IP address of the interface connected to the ISP as the source interface. Responding hosts will
send back ICMP responses to this single IP and cOS Core will then forward the response to the
correct private IP address.
Adding a Drop All Rule
Scanning of the IP rule set is done in a top-down fashion. If no matching IP rule is found for a
new connection then the default rule is triggered. This rule is hidden and cannot be changed and
its action is to drop all such traffic as well as generate a log message for the drop.
In order to gain control over the logging of dropped traffic, it is recommended to create a drop
all rule as the last rule in the main IP rule set. This rule has an Action of Drop with the source and
destination network set to all-nets and the source and destination interface set to any.
The service for this rule must also be specified and this should be set to all_services in order to
capture all types of traffic. The command for creating this rule is:
Device:/main> add IPRule name=drop_all
Action=Drop
SourceInterface=any
SourceNetwork=any
DestinationInterface=any
DestinationNetwork=all-nets
Service=all_services
A valid license should now be installed to remove the cOS Core 2 hour demo mode limitation.
Doing this is described in Section 4.5, “License Installation Methods”.
Chapter 4: cOS Core Configuration
59