Create a firewall rule
Firewall rules examine the control information in individual packets, and either block or allow them according to the criteria that you define. Firewall rules can be assigned to a policy or directly to a computer.
In addition to creating a firewall rule, you can configure the firewall module, as described in Set up the Workload Security firewall.
To create a new firewall rule, you need to do the following:
- Add a new rule.
- Select the behavior and protocol of the rule.
- Select a Packet Source and Packet Destination.
After a firewall rule has been created, you can configure it:
- Configure rule events and alerts
- Set a schedule for the rule
- View policies and computers to which a rule is assigned
- Assign a context to the rule
Add a new rule
There are three ways to add a new firewall rule on the Policies > Common Objects > Rules > Firewall Rules page:
- Create a new rule by clicking New > New Firewall Rule.
- Import a rule from an XML file by clicking New > Import From File.
- Copy and then modify an existing rule by right-clicking the rule in the Firewall Rules list, and then clicking Duplicate. To edit the new rule, select it, and then click Properties.
Select the behavior and protocol of the rule
- Enter a Name and Description for the rule.
  You should document all firewall rule changes in the Description field of the firewall rule. Make a note of when and why rules were created or deleted for easier firewall maintenance.
- Select the Action that the rule should perform on packets:
  - The rule can allow traffic to bypass the firewall—A bypass rule allows traffic to pass through the firewall and intrusion prevention engine at the fastest possible rate. Bypass rules are meant for traffic using media intensive protocols where filtering may not be desired or for traffic originating from trusted sources. For an example of how to create and use a bypass rule for trusted sources in a policy, see Allow trusted traffic to bypass the firewall. Bypass rules are unidirectional. Explicit rules are required for each direction of traffic.
    You can achieve maximum throughput performance on a bypass rule with the following settings: Priority: Highest; Frame Type: IP; Protocol: TCP, UDP, or other IP protocol; Source and Destination IP and MAC: All, Any; Schedule: None. Note that if the protocol is TCP or UDP and the traffic direction is Incoming, the destination ports must be one or more specified ports (as opposed to Any) and the source ports must be Any. If the protocol is TCP or UDP and the traffic direction is Outgoing, the source ports must be one or more specified ports (as opposed to Any) and the destination ports must be Any.
  - The rule can log only—This action makes entries in the logs but does not process traffic.
  - The rule can force allow defined traffic—This allows traffic defined by this rule without excluding any other traffic.
  - The rule can deny traffic—This denies traffic defined by this rule.
  - The rule can allow traffic—This exclusively allows traffic defined by this rule.
  Only one rule action is applied to a packet, and rules of the same priority are applied in the order of precedence.
  If you have no allow rules in effect on a computer, all traffic is permitted unless it is specifically blocked by a deny rule. Once you create a single allow rule, all other traffic is blocked unless it meets the requirements of the allow rule. There is one exception to this: ICMPv6 traffic is always permitted unless it is specifically blocked by a deny rule.
- Select the Priority of the rule—This determines the order in which rules are applied. If you have selected force allow, deny, or bypass as your rule action, you can set a priority of 0 (low) to 4 (highest). Setting a priority allows you to combine the actions of rules to achieve a cascading rule effect.
  Log only rules can only have a priority of 4, and allow rules can only have a priority of 0.
  High priority rules get applied before low priority rules. For example, a port 80 incoming deny rule with a priority of 3 drops a packet before a port 80 incoming force allow rule with a priority of 2 gets applied to it.
  For more information, see Firewall rule actions and priorities.
- Select a Packet Direction—This determines whether this rule applies to incoming (from the network to the computer) or outgoing (from the computer to the network) traffic.
  An individual firewall rule only applies to a single direction of traffic. You may need to create incoming and outgoing firewall rules in pairs for specific types of traffic.
- Select a User List—This determines which User List's traffic the rule applies to. The traffic is filtered based on user identity. You can use a previously created User List.
  User Name is part of a controlled release and is in preview. The related content is subject to change.
  There are a number of constraints and guidelines to consider when selecting the User List:
  - The protocol must be set to TCP or UDP and the traffic direction must be outgoing.
  - To avoid accidentally blocking critical traffic, first select the log only action and check that the behavior and user identity match. After that, you can change the action to allow or deny.
  - When you allow a user, the firewall rule converts outgoing access from a permissive to a restrictive firewall. Therefore, all users are blocked except the specified user. For more information, see Restrictive or permissive firewall design.
  - User identities are defined when a new policy is sent to Deep Security Agent. If the user information changes, the configuration must be resent to update the user identities.
  - The User List is supported on Windows and Linux operating systems.
- Select an Ethernet Frame Type—The term frame refers to Ethernet frames, and the available protocols specify the data that the frame carries. If you select Other as the frame type, you need to specify a frame number.
  IP includes both IPv4 and IPv6. You can also select IPv4 or IPv6 individually.
  On Solaris, Deep Security Agent only examines packets with an IP frame type, and Linux agents only examine packets with IP or ARP frame types. Packets with other frame types are allowed through.
  If you select the IP frame type, you need to select a transport Protocol. If you select Other as the protocol, you also need to enter the protocol number.
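To show how the action, priority and allow-rule behaviour described in the steps above combine on a packet, here is an added Python simulation (it is not part of the original page and not the Workload Security engine): it evaluates constructed packets against a small constructed rule set, including the port 80 deny-versus-force-allow case and the ICMPv6 exception. The tie-breaking precedence order between actions of equal priority is an assumption, since this page defers it to Firewall rule actions and priorities.

```python
from dataclasses import dataclass, field

# Precedence among rules sharing a priority, highest first. ASSUMPTION: this page
# defers the exact order to "Firewall rule actions and priorities"; this is the usual order.
PRECEDENCE = ["bypass", "log only", "force allow", "deny", "allow"]

@dataclass
class Rule:
    name: str
    action: str       # bypass | log only | force allow | deny | allow
    priority: int     # 0 (low) to 4 (highest)
    direction: str    # incoming | outgoing; a rule is unidirectional
    protocol: str     # tcp | udp | icmpv6 | ...
    dst_ports: set = field(default_factory=set)  # empty set means Any

    def matches(self, pkt):
        return (pkt["direction"] == self.direction and pkt["protocol"] == self.protocol
                and (not self.dst_ports or pkt.get("dst_port") in self.dst_ports))

def evaluate(rules, pkt):  # returns (verdict, names of rules that logged an event)
    logged = []
    # Highest priority first; ties broken by action precedence.
    for r in sorted(rules, key=lambda r: (-r.priority, PRECEDENCE.index(r.action))):
        if not r.matches(pkt):
            continue
        if r.action == "log only":   # logs the packet but does not process it
            logged.append(r.name)
            continue
        if r.action == "deny":       # deny (like log only) records an event
            logged.append(r.name)
            return "deny", logged
        return "allow", logged       # bypass, force allow, allow: no event logged
    # No deciding rule matched. A single allow rule makes the default restrictive,
    # except for ICMPv6, which is permitted unless a deny rule blocks it.
    if any(r.action == "allow" for r in rules) and pkt["protocol"] != "icmpv6":
        return "deny", logged
    return "allow", logged

# Constructed sample rule set; names are illustrative, not from the page.
RULES = [
    Rule("deny-web-in", "deny", 3, "incoming", "tcp", {80}),
    Rule("force-allow-web-in", "force allow", 2, "incoming", "tcp", {80}),
    Rule("allow-ssh-in", "allow", 0, "incoming", "tcp", {22}),
    Rule("watch-dns-out", "log only", 4, "outgoing", "udp", {53}),
]

def verdict(direction, protocol, dst_port=None):
    pkt = {"direction": direction, "protocol": protocol, "dst_port": dst_port}
    return evaluate(RULES, pkt)  # e.g. incoming tcp/80 -> ("deny", ["deny-web-in"])
```

Incoming TCP/443 is denied even though no rule names it, because the presence of the allow rule for port 22 has made the default restrictive.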
Select a Packet Source and Packet Destination
Select a combination of IP and MAC addresses, and if available for the frame type, Port and Specific Flags for the Packet Source and Packet Destination.
You can use a previously created IP, MAC, or port list.
The following table provides details on the support for IP-based frame types.
Protocol | IP | MAC | Port | Flags
--- | --- | --- | --- | ---
Any | ✔ | ✔ | |
ICMP | ✔ | ✔ | ✔ |
ICMPV6 | ✔ | ✔ | ✔ |
IGMP | ✔ | ✔ | |
GGP | ✔ | ✔ | |
TCP | ✔ | ✔ | ✔ | ✔
PUP | ✔ | ✔ | |
UDP | ✔ | ✔ | ✔ |
IDP | ✔ | ✔ | |
ND | ✔ | ✔ | |
RAW | ✔ | ✔ | |
TCP+UDP | ✔ | ✔ | ✔ | ✔
ARP and REVARP frame types only support using MAC addresses as packet sources and destinations.
You can select Any Flags or individually select the following flags:
- URG
- ACK
- PSH
- RST
- SYN
- FIN
Configure rule events and alerts
When a firewall rule is triggered, it logs an event in Workload Security and records the packet data.
Rules using the Allow, Force Allow, and Bypass actions do not log any events.
Alerts
You can configure rules to also trigger an alert if they log an event. To do so, open the properties for a rule, click on Options, and then select Alert when this rule logs an event.
Only firewall rules with an action set to Deny or Log Only can be configured to trigger an alert.
Set a schedule for the rule
Select whether the firewall rule should only be active during a scheduled time.
For more information on how to do so, see Define a schedule that you can apply to rules.
Assign a context to the rule
Rule contexts allow you to set firewall rules uniquely for different network environments. Contexts are commonly used to have different rules in effect for laptops depending on whether they are on-site or off-site.
For more information on how to create a context, see Define contexts for use in policies.
For an example of a policy that implements firewall rules using contexts, look at the properties of the Windows Mobile Laptop policy.
View policies and computers to which a rule is assigned
You can see which policies and computers are assigned to a firewall rule on the Assigned To tab. Click on a policy or computer in the list to see its properties.
Export a rule
You can export all firewall rules to a .csv or .xml file by clicking Export and selecting the corresponding export action from the list. You can also export specific rules by first selecting them, clicking Export, and then selecting the corresponding export action from the list.
Delete a rule
To delete a rule, right-click the rule in the Firewall Rules list, click Delete, and then click OK.
Firewall Rules that are assigned to one or more computers or that are part of a policy cannot be deleted.