IP Firewall Policies

View, add, sort, select, clone, modify, and delete IP (Internet protocol) firewall policy objects.

Navigation

Navigate using the tab icons. Hover over an icon to see the name of the tab.

Configure > Common Objects > Security > IP Firewall Policies

View IP Firewall Policies

This window displays a list of all of the IP firewall policies that have been created for your network.

For more information, see IP Firewall Policies, IP Firewall Policy Rules, IP Firewall Rule Services, and User Profile Security Settings.

The table contains the following information:

Add a New IP Firewall Policy

The best way to create new IP Firewall policies is from inside the configuration workflow. However, you can also add a new policy from this window. To do this, select New, and complete the following steps:

Select the type of traffic to which you want the policy to apply (Inbound Traffic or Outbound Traffic).

Select the Default Action (Permit or Deny).

To add policy rules, select Add above the rules table. In the dialog box, complete the following fields, and then select Save.

Source IP: Select a source IP Address, Hostname, Network, or Any from the drop-down list, or select New to add a new IP address, hostname, or network. You can also add an IPv6 address.

Destination IP: Select a destination IP Address, Hostname, Network, or Any from the drop-down list, or select New to add a new IP address, hostname, or network. The IP address you add can be an IPv6 address.

Service: You can select a number of network services and applications to which you want this firewall rule to apply, or you can choose to apply it to all services and applications (Any). For detailed instructions on how to select a network service or application, see IP Firewall Rule Services.

Network Services: Select the check box next to the network services to which you want to apply this network policy. Because the list of services is long, you can quickly find the one you are looking for by entering it in the Filter search field.

Applications: Select the check box next to the applications to which you want to apply this network policy. There are more than 1000 applications in the list, with more being added all the time. You can filter the list to make the applications easier to find, either by application category (such as email) or individual applications by entering the name of the application or category you are looking for and selecting Search. If you searched for an application category, the search will return all applications that apply to that category. If you searched for an individual application, such as Facebook, the search will return that application only.

Action: The action that the device performs when it receives traffic matching the three-part tuple of source address-destination address-service. The device firewall can perform the following actions:

Permit: The device allows traffic to traverse its firewall.

Deny: The device blocks traffic from traversing its firewall.

Drop traffic between stations: Drop traffic between stations if they are both associated with one or more members of the same hive. This setting applies to all types of user traffic—unicast, broadcast, and multicast—that the device receives on an interface in access mode. The access interface can be a wireless interface hosting an SSID or an Ethernet interface in either bridge-access mode or bridge-802.1Q mode.

NAT: (Network Address Translation) Translate the source IP address of a packet permitted to traverse the firewall to that of the mgt0 interface on the device. One possible time to apply NAT is when you are using one of the VPN split-tunnel options (see the GRE and VPN Tunnels section in "User Profile Settings") and you want the device VPN client to forward traffic locally to a subnet that is not directly connected to the mgt0 interface. Because the split tunnel option only enables a device to perform NAT when forwarding traffic to its immediate local subnet, you must add more firewall policy rules to apply NAT to traffic destined for other local subnets.

Logging: Choose one of the following logging options from the drop-down list:

Off: Choose this to disable logging for packets and sessions that match the IP firewall policy rule.

Session Initiation: Choose this option to log session details when a session is created after passing an IP firewall policy lookup.

Session Termination: Choose this option to log session details when a session matching an IP firewall policy is terminated.

Both: Choose this option to log session details after initiating and terminating a session.

Select Save. To add another rule, select New and repeat the previous steps.

The next rule you add is automatically positioned below the first rule in the table. As you continue to add rules to a policy, each subsequent rule is positioned at the bottom of the list. Rules are applied in order from the top down. Use the up and down arrows to reposition rules in the table. Select Save when you are finished.
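The following is an added example, not part of the Extreme Networks documentation or product code. It models the rule semantics this procedure describes: a policy holds an ordered list of rules, each rule matches on the source address, destination address, and service tuple (with Any as a wildcard), rules are evaluated top-down, and the Permit, Deny, NAT, and logging options behave as listed above. It assumes first-match semantics with the policy's Default Action applied when no rule matches, it represents address objects as IPv4/IPv6 addresses or CIDR networks (hostname objects are not modelled), and the mgt0 address, rule set, and packets are constructed sample values.

```python
"""Ordered, first-match evaluation of IP firewall policy rules (added example)."""
from dataclasses import dataclass, field
import ipaddress
from typing import List, Optional

ANY = "Any"

# Logging options as listed on the page, mapped to (log at initiation, log at termination).
LOGGING = {
    "Off": (False, False),
    "Session Initiation": (True, False),
    "Session Termination": (False, True),
    "Both": (True, True),
}


def _matches_address(selector: str, address: str) -> bool:
    """True if the packet address falls inside the rule's address selector.

    The selector is "Any", a single IPv4/IPv6 address, or a CIDR network.
    An IPv4 address never matches an IPv6 network and vice versa.
    """
    if selector == ANY:
        return True
    return ipaddress.ip_address(address) in ipaddress.ip_network(selector, strict=False)


@dataclass
class Rule:
    source: str            # "Any", an IP address, or a CIDR network
    destination: str       # same forms as source
    service: str           # "Any" or a network service name such as "HTTP"
    action: str            # "Permit", "Deny", or "NAT"
    logging: str = "Off"   # one of the LOGGING keys


@dataclass
class Verdict:
    action: str
    rule_index: Optional[int]  # None when the Default Action applied
    source_after_nat: str      # source address as forwarded (rewritten only by NAT)
    log_initiation: bool
    log_termination: bool


@dataclass
class Policy:
    default_action: str
    rules: List[Rule] = field(default_factory=list)
    mgt0_address: str = "192.0.2.1"  # constructed; NAT translates the source to this

    def move_rule(self, index: int, new_index: int) -> None:
        """Reposition a rule, as the up/down arrows in the rules table do."""
        self.rules.insert(new_index, self.rules.pop(index))

    def evaluate(self, source: str, destination: str, service: str) -> Verdict:
        """Walk the rules top-down; the first matching tuple decides the action."""
        for index, rule in enumerate(self.rules):
            if (_matches_address(rule.source, source)
                    and _matches_address(rule.destination, destination)
                    and rule.service in (ANY, service)):
                log_init, log_term = LOGGING[rule.logging]
                # NAT permits the packet and rewrites its source to the mgt0 address
                forwarded_source = self.mgt0_address if rule.action == "NAT" else source
                return Verdict(rule.action, index, forwarded_source, log_init, log_term)
        # No rule matched: the policy's Default Action applies, with no per-rule logging.
        return Verdict(self.default_action, None, source, False, False)


def build_demo_policy() -> Policy:
    """Constructed sample policy: a deny for one host placed above the permit for its subnet."""
    return Policy(
        default_action="Deny",
        rules=[
            Rule("192.0.2.50", ANY, ANY, "Deny", "Both"),               # quarantined host
            Rule("192.0.2.0/24", ANY, "HTTP", "Permit", "Session Initiation"),
            Rule("192.0.2.0/24", "198.51.100.0/24", ANY, "NAT"),        # subnet not on mgt0
            Rule(ANY, ANY, "DNS", "Permit"),
            Rule("2001:db8::/32", ANY, "HTTPS", "Permit"),
        ],
    )


if __name__ == "__main__":
    policy = build_demo_policy()
    for packet in [("192.0.2.50", "203.0.113.9", "HTTP"),
                   ("192.0.2.7", "203.0.113.9", "HTTP"),
                   ("192.0.2.7", "198.51.100.20", "SSH"),
                   ("192.0.2.7", "203.0.113.9", "SSH"),
                   ("2001:db8::10", "2001:db8:1::1", "HTTPS")]:
        print(packet, policy.evaluate(*packet))
```

The ordering point is visible in the sample policy: the host-specific Deny sits above the subnet Permit, so the quarantined host is denied even though the subnet rule would permit it; calling move_rule to swap the two reverses that outcome, which is exactly why the arrows matter when you reposition rules before saving.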

Configure Redirect Action

The redirect feature can support Network Access Control (NAC) applications. NAC Change of Authorization (CoA) messages can redirect bring your own device (BYOD) users to an external web page of your choosing for remediation, such as anti-virus software installation or other updates required to bring the user device into compliance with the resource access policy.

Note

The redirect feature is available for network services, HTTP and HTTPS. However, you cannot enter the redirecting URL address from Common Objects > Security > IP Firewall Policies. You can only enter the redirecting URL address from inside the configuration workflow; specifically, when you create an IP Firewall rule from inside the Security tab of a user profile. For more details, see User Profile Security Settings.

You have the option to add a single IP Firewall rule at a time, or to add a fixed set of IP Firewall rules that have basic network services such as DHCP and DNS included by default.

Add a Single Firewall Rule

To add a single Firewall rule, select , and in the dialog box, select HTTP, HTTPS, or both. Select Save.

Configure the source and destination IP addresses from the drop-down list or create a new one by selecting . You can also enter an IPv6 address.

In the Action drop-down list, select Redirect (under NAT), and then select Save. Note that HTTP or HTTPS must be selected for the Redirect option to appear in the drop-down list.

If basic network services such as DHCP-Server, DHCP-Client, and DNS have not already been added to the IP Firewall Rules table, they can be added. Select to add them. Select Save when you are done.

Enter the URL of the web page in the Redirecting URL field, and then select Save.

Add Firewall Rules with Basic Network Services

To configure an IP Firewall redirect rule, select , select Redirect-Only in the dialog box, and then select the Select button.

Enter the URL of the external web portal to redirect user devices in the Redirecting URL field, and then select Save.

Modify an IP Firewall Policy

You can modify an IP firewall policy from this window. To do this, select the check box for the policy you want to change, and then select . In the window that is displayed, you can change the policy name, description, and add, delete, or rearrange policy rules.

To modify a policy rule, select the check box for the rule, and then select . In the Edit IP Firewall Rule window, make changes, and then select Save.

For more information about how to configure IP firewall policy rules, see "Add a New IP Firewall Policy".

For more information about IP firewall policy rules, see IP Firewall Policy Rules.

Clone an IP Firewall Policy

You can add a new object or profile by cloning an existing object or profile and then renaming it. Select the check box for the object or profile that you want to clone and then select . Enter the new name in the Save As field, and then select Clone.

Delete an IP Firewall Policy

To delete an IP Firewall policy, select the check box for the policy you want to delete, and then select .

Copyright © 2020 Extreme Networks. All rights reserved. Published March 2020.