User guide

Chapter 10: Configuring Firewall Settings
Configuring Firewall Rules
Introduction
You can add firewall rules to block unwanted traffic before it enters the network. You
can add firewall rules manually, or you can have the appliance construct rules from
the values you specify. This gives you greater flexibility when configuring firewall
settings.
Important: Firewall rules only take effect when the appliance is set to an inline mode
(simulation or protection). An appliance in passive mode works like a traditional sensor
and is not in the direct path of the packets, so it cannot block anything. In simulation
mode, packets still pass through the appliance, which reports what it would have done to
the traffic in protection mode rather than acting on it.
Use the Firewall Rules page to configure firewall rules to block attacks based on various
source and target information in the packet.
Firewall rule criteria
You can define firewall rules using any combination of the following criteria:
Adapter
VLAN range
Protocol (TCP, UDP, or ICMP)
Source or target IP address and port ranges
Firewall rule order
The appliance reads the list of firewall rules from top to bottom in the order they are
listed. When a connection matches a firewall rule, the appliance applies that rule's action
and stops processing the connection; any firewall rules further down the list are not
evaluated for it. The first matching rule wins, so rule order matters.
Example
Use the following statements to block all connections to a network segment except those
destined for a specific port on a specific host:
adapter any IP src addr any dst addr 1.2.3.4 tcp dst port 80
(Action = "ignore")
adapter any IP src addr any dst addr 1.2.3.1-1.2.3.255
(Action = "drop")
The first rule lets TCP traffic to port 80 on host 1.2.3.4 pass through to a Web server as
legitimate traffic (the "ignore" action means the firewall ignores, that is, does not block,
the matching traffic). All other traffic to that network segment, 1.2.3.1 through 1.2.3.255,
fails to match the first rule, matches the second, and is dropped.
If you reverse the rule order, the drop rule for the whole segment matches first for every
host, including 1.2.3.4, so all traffic to the segment is dropped, even the traffic to the
Web server on 1.2.3.4; the allow rule is never reached.
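The first-match behaviour described above, worked through in Python as an added example (this is not the appliance's own code, and it does not parse the appliance's rule statement syntax): a small matcher covering the criteria listed on this page (adapter, VLAN range, protocol, source/target address and port ranges) is run over constructed sample packets against the two example rules, once in page order and once reversed. The Packet and Rule structures, field names and sample addresses are assumptions for illustration. What the appliance does with traffic that matches no rule is not stated on this page, so the matcher returns None in that case instead of guessing.

```python
"""First-match firewall rule evaluation, illustrating the guide's example.

Added example, not appliance code. Rules are held as structured data that
approximates the criteria on the page (adapter, VLAN range, protocol,
source/target address and port ranges); the appliance's own statement syntax
is not parsed here.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IntRange = Tuple[int, int]  # inclusive low/high bounds


def ip_range(text: str) -> Optional[IntRange]:
    """Parse 'any', '1.2.3.4' or '1.2.3.1-1.2.3.255' into an inclusive range."""
    if text == "any":
        return None  # None means 'match any address'
    lo, _, hi = text.partition("-")
    lo_i = int(ipaddress.ip_address(lo))
    hi_i = int(ipaddress.ip_address(hi)) if hi else lo_i
    return (lo_i, hi_i)


def port_range(text: str) -> Optional[IntRange]:
    """Parse 'any', '80' or '8000-8080' into an inclusive range."""
    if text == "any":
        return None
    lo, _, hi = text.partition("-")
    return (int(lo), int(hi) if hi else int(lo))


@dataclass(frozen=True)
class Packet:
    """Fields a rule can be matched against (assumed layout)."""
    adapter: str
    vlan: int
    proto: str  # 'tcp', 'udp' or 'icmp'
    src: str
    dst: str
    sport: int = 0  # 0 for ICMP, which carries no ports
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    """One firewall rule; a None criterion means 'any'."""
    action: str  # 'ignore' (let the traffic through) or 'drop'
    adapter: Optional[str] = None
    vlan: Optional[IntRange] = None
    proto: Optional[str] = None  # None == any IP protocol
    src: Optional[IntRange] = None
    dst: Optional[IntRange] = None
    sport: Optional[IntRange] = None
    dport: Optional[IntRange] = None

    def matches(self, p: Packet) -> bool:
        def in_range(r: Optional[IntRange], v: int) -> bool:
            return r is None or r[0] <= v <= r[1]

        return (
            (self.adapter is None or self.adapter == p.adapter)
            and in_range(self.vlan, p.vlan)
            and (self.proto is None or self.proto == p.proto)
            and in_range(self.src, int(ipaddress.ip_address(p.src)))
            and in_range(self.dst, int(ipaddress.ip_address(p.dst)))
            and in_range(self.sport, p.sport)
            and in_range(self.dport, p.dport)
        )


def first_match(rules: List[Rule], p: Packet) -> Optional[str]:
    """Walk the list top to bottom; the first matching rule's action wins.

    Returns None when nothing matches, making the fall-through visible
    rather than assuming what the appliance does with unmatched traffic.
    """
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return None


# The two statements from the guide's example, in page order.
ALLOW_WEB = Rule(action="ignore", proto="tcp",
                 dst=ip_range("1.2.3.4"), dport=port_range("80"))
DROP_SEGMENT = Rule(action="drop", dst=ip_range("1.2.3.1-1.2.3.255"))
PAGE_ORDER = [ALLOW_WEB, DROP_SEGMENT]
REVERSED = [DROP_SEGMENT, ALLOW_WEB]

# Constructed sample packets (not from the guide).
WEB = Packet("eth0", 1, "tcp", "198.51.100.7", "1.2.3.4", 51000, 80)
SSH = Packet("eth0", 1, "tcp", "198.51.100.7", "1.2.3.4", 51001, 22)
OTHER_HOST = Packet("eth0", 1, "tcp", "198.51.100.7", "1.2.3.9", 51002, 80)
ELSEWHERE = Packet("eth0", 1, "udp", "198.51.100.7", "203.0.113.5", 53, 53)

if __name__ == "__main__":
    samples = [("web", WEB), ("ssh", SSH), ("other host", OTHER_HOST),
               ("elsewhere", ELSEWHERE)]
    for name, pkt in samples:
        print(f"{name:10} page order: {str(first_match(PAGE_ORDER, pkt)):6} "
              f"reversed: {first_match(REVERSED, pkt)}")
```

Running the block shows the page's point directly: in page order only the web packet to 1.2.3.4:80 is let through and the rest of the segment is dropped, while with the order reversed the segment-wide drop rule swallows the web packet too. The packet to 203.0.113.5 matches neither rule in either order, which is the case to check whenever a rule set relies on a trailing catch-all.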