IP Firewall Policy Rules

View, add, filter, sort, select, modify, clone, enable and disable, an IP (Internet protocol) firewall rule in this window. Select network services and application for the IP firewall policy rule.

Navigation

Navigate using the tab icons. Hover over an icon to see the name of the tab.

Configure > Common Objects > Security > IP Firewall Policies > policy_name > rule_name

About IP Firewall Policy Rules

When you add a new IP firewall policy, you also add policy rules that determine how the device manages traffic based on source and destination IP addresses and services. See IP Firewall Policies, IP Firewall Rule Services, and User Profile Security Settings.

Add IP Firewall Policy Rules

To add a rule to an IP firewall policy, enter the following information and then select Save:

Service: The services that you apply to the rule determine the type of traffic to which the policy applies. Select one or more network services or applications. Choose either Network Services or Application Services (you cannot select both). You can add up to 100 services to an IP firewall policy rule.

Network Services

If you choose Network Services, you can search for the services by typing part or all of a service name in the Filter field.

Select the check boxes for one or more services (up to a maximum of 100) that you want to map to an IP firewall policy and then select Save.

Note

Selecting a service name causes ExtremeCloud IQ to display a brief definition. To select the service itself, select to the right of its name.

Application Services

If you choose Application Services, select either Application Name or Application Group. You can type part or all of an application or application group name in the Filter field, and then select Search to see a list of available applications or groups.

Select the check boxes for one or more applications or groups (up to a maximum of 100) that you want to map to an IP firewall rule, and then select Save.

Source IP: This is the address from which traffic originates. Select a source IP address or resolvable domain name from the drop-down list, or select to add a new IP address, host name, or network. You can also add an IPv6 address.

Destination IP: This is the address to which traffic is sent. Select a destination IP address or resolvable domain name from the drop-down. SHIFT-select to select multiple contiguous destinations and CTRL-select to select multiple noncontiguous destinations. If you do not see the address or domain you want, select New, and define it (see IP Objects and Host Names). You can also enter an IPv6 address.

Note

If the wireless clients receive their network settings dynamically, be careful not to block DHCP and DNS services to the local DHCP and DNS servers. Services are blocked when the action setting in the Firewall rule is set to Deny. Also, to configure a DNS server correctly to support IPv6, both the source IP and the destination IP must support IPv6. For more information, see IP Firewall Policy Rules.

Service: The type of traffic to which the policy applies. Select one or more services. SHIFT-select to select multiple contiguous services and CTRL-select to select multiple non-contiguous items. If you do not see an item that you want, select , and define it.

Action: The action that the device performs when it receives traffic matching the three-part tuple of source address-destination address-service. The device firewall can perform the following actions:

Note

The firewall policy for switches only allows you to select either Permit or Deny.

Permit: The device allows traffic to traverse its firewall.

Deny: The device blocks traffic from traversing its firewall.

Drop traffic between stations: Drop traffic between stations if they are both associated with one or more members of the same hive. This setting applies to all types of user traffic—unicast, broadcast, and multicast—that the device receives on an interface in access mode. The access interface can be a wireless interface hosting an SSID or an Ethernet interface in either bridge-access mode or bridge-802.1Q mode.

NAT: (Network Address Translation) Translate the source IP address of a packet permitted to traverse the firewall to that of the mgt0 interface on the device. One possible time to apply NAT is when you are using one of the VPN split-tunnel options (see the GRE and VPN Tunnels section in GRE Traffic Tunneling) and you want the device VPN client to forward traffic locally to a subnet that is not directly connected to the mgt0 interface. Because the split tunnel option only enables a device to perform NAT when forwarding traffic to its immediate local subnet, you must add more firewall policy rules to apply NAT to traffic destined for other local subnets.

Redirect and Redirect-Only: The redirect feature is available for HTTP and HTTPS services. You have the option to add a single IP Firewall rule at a time, or add a fixed set of IP Firewall rules that by default include basic network services such as DHCP and DNS.

Note

The redirect feature is available for network services, HTTP and HTTPS. However, you cannot enter the redirecting URL address from the Common Objects > Security > IP Firewall Policies window. You can only enter the redirecting URL address from inside the configuration workflow; specifically, when you create an IP Firewall rule from inside the Security tab of a user profile. For more details, see User Profile Security Settings.

Add a Single Redirect Action Firewall Rule

  1. To add a single Firewall rule, select , and in the dialog box, you can select HTTP, HTTPS, or both. Select Save after you are done.
  2. Configure the source and destination IP addresses from the drop-down list or create a new one by selecting . You can also enter an IPv6 address.
  3. In the Action drop-down list, select Redirect (under NAT), and then select Save.
  4. If basic network services such as DHCP, DNS Client and DNS Server have not already been added to the IP Firewall Rules table, they can be added. Select to add them. Select Save.
  5. Enter the URL in the Redirecting URL field, and then select Save.

Add a Redirect-All Action with a Fixed Set of Firewall Rules Including Basic Network Services

  1. To configure an IP Firewall redirect rule, select , select Redirect-Only in the dialog box, and then select the Select button.
  2. Enter the URL of the external web portal to redirect user devices in the Redirecting URL field, and then select Save.

In addition to HTTP and HTTPS services, basic network services are also included in this fixed set of rules using Redirect-Only. Note that you cannot modify this fixed set of rules. If you want to modify each rule, you must use the procedure described above in Add a Single Redirect Action Firewall Rule.

Logging: Choose one of the following logging options from the drop-down list in the Firewall Policy for APs section:

Off: Choose this to disable logging for packets and sessions that match the IP firewall policy rule.

Session Initiation: Choose this option to log session details when a session is created after passing an IP firewall policy lookup.

Session Termination: Choose this option to log session details when a session matching an IP firewall policy is terminated.

Both: Choose this option to log session details after initiating and terminating a session.

Dropped Packets: Choose this option to log packets that the device drops because the firewall policy rule denies them.

  1. To add another rule, select , and repeat the previous step.

When you are finished adding rules, remember to select Save.

Note

After you add the first rule, the next rule you add is automatically positioned below it. As you continue to add rules to a policy, each subsequent rule is positioned at the bottom of the list. You can rearrange the position of rules in the list to determine the order in which they are applied by the device.

Move IP Firewall Policy Rules

The position of a rule in a firewall policy rules list is important because the device applies rules in order starting with the one at the top of the list. If more than one rule in a policy matches the source or destination or service, the device applies the rule that is higher in the policy rule list first because that is the first match it finds. For example, if the IP address of a host in rule 2 is part of a subnet specified in rule 1, the placement of rule 2 below rule 1 is problematic. Because rule 1 applies to a subnet that includes the host address used in rule 2, the second rule will never be applied. To resolve this, you can rearrange the rules in the policy list.

To move a rule up or down in the list, use the Up or Down arrows in the Order column. When rearranging rules, keep in mind that the device checks rules in order from the top of the list until it finds a match.
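The first-match behaviour described above, and the earlier note about Deny rules cutting clients off from local DHCP and DNS, can be checked before a policy is pushed. The following is an added example, not code from ExtremeCloud IQ or this guide: it models a rule as the source/destination/service tuple the page describes, finds rules that an earlier, broader rule shadows, and reports which infrastructure services a policy would deny. The rule fields, the sample policy and the addresses are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    src: str      # host, CIDR network or "any"
    dst: str
    service: str  # e.g. "HTTP", "DNS Client", "DHCP"
    action: str   # "Permit" or "Deny"

# Constructed sample policy reproducing the ordering problem described above:
# rule 1 denies a whole subnet, so rule 2 (a host inside it) is never reached.
# Rule 3 denies DNS to the local DNS server, which the note above warns against.
POLICY = [
    Rule("any", "10.1.0.0/16", "HTTP", "Deny"),
    Rule("any", "10.1.1.5", "HTTP", "Permit"),
    Rule("10.1.1.0/24", "10.1.1.1", "DNS Client", "Deny"),
]

def _net(spec):
    # "any" is kept as None and matches every address of either IP family
    return None if spec == "any" else ipaddress.ip_network(spec, strict=False)

def _contains(net, addr):
    return net is None or (net.version == addr.version and addr in net)

def _covers(broad, narrow):
    # True when every address matched by `narrow` is also matched by `broad`
    b, n = _net(broad), _net(narrow)
    if b is None:
        return True
    return n is not None and b.version == n.version and n.subnet_of(b)

def first_match(rules, src_ip, dst_ip, service):
    # The device applies the first rule, top-down, whose src/dst/service tuple matches
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.service == service and _contains(_net(r.src), s) and _contains(_net(r.dst), d):
            return r
    return None

def shadowed_rules(rules):
    # 0-based indices of rules an earlier rule makes unreachable; the fix is to move them up
    return [i for i, later in enumerate(rules)
            if any(e.service == later.service and _covers(e.src, later.src)
                   and _covers(e.dst, later.dst) for e in rules[:i])]

def denied_services(rules, client_ip, targets):
    # Services the policy would Deny from client_ip toward the given {service: server} map
    return [svc for svc, dst in targets.items()
            if (m := first_match(rules, client_ip, dst, svc)) and m.action == "Deny"]
```

Moving the shadowed Permit rule above the subnet Deny (the Up arrow in the Order column) is exactly the rearrangement the section above recommends, and `shadowed_rules` then returns an empty list.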

Copyright © 2020 Extreme Networks. All rights reserved. Published March 2020.