Firewall Policy

This chapter summarizes the firewall policy commands in the CLI command structure.

A firewall protects a network from attacks and unauthorized access from outside the network. Simultaneously, it allows authorized users to access required resources. Firewalls work on multiple levels. Some work at layers 1, 2 and 3 to inspect each packet. The packet is either passed, dropped or rejected based on rules configured on the firewall.

A second type of firewall uses application layer filtering to enforce compliance. These firewalls understand applications and protocols and can detect whether an unauthorized protocol is being used, or an authorized protocol is being abused in a malicious way.

The third type, ‘Stateful Firewalls’, considers the placement of each packet within the series of packets being transmitted. A packet that does not fit into the expected sequence is automatically identified and dropped.
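The following is an added illustration of the stateful-inspection idea described above; it is constructed for this chapter and is not the device's firewall code. It tracks each TCP flow through its handshake states, lets only flows opened from an assumed inside prefix (10.0.0.0/24) through, and drops any packet that has no matching flow or arrives out of sequence for its flow's current state. The packet sequence, addresses and the inside prefix are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Constructed illustration of stateful inspection: track each TCP flow's
# handshake state and drop packets that do not fit the expected sequence.
# Not the device's firewall code; the inside prefix below is an assumption.
INSIDE_PREFIX = "10.0.0."


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: FrozenSet[str]  # subset of {"SYN", "ACK", "FIN", "RST"}


FlowKey = Tuple[str, int, str, int]  # (originator ip, port, responder ip, port)


class StatefulFirewall:
    """Minimal connection tracker: only flows opened from inside are allowed,
    and every later packet must match the flow's current handshake state."""

    def __init__(self) -> None:
        self.flows: Dict[FlowKey, str] = {}  # flow key -> state name
        self.log: List[str] = []             # one verdict line per packet

    @staticmethod
    def _forward(pkt: Packet) -> FlowKey:
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def _reverse(pkt: Packet) -> FlowKey:
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def _decide(self, verdict: str, pkt: Packet, reason: str) -> str:
        self.log.append(
            f"{verdict} {pkt.src}:{pkt.sport}->{pkt.dst}:{pkt.dport} "
            f"[{'|'.join(sorted(pkt.flags))}] {reason}"
        )
        return verdict

    def process(self, pkt: Packet) -> str:
        fwd, rev = self._forward(pkt), self._reverse(pkt)
        if fwd in self.flows:
            key, from_originator = fwd, True
        elif rev in self.flows:
            key, from_originator = rev, False
        else:
            # No tracked flow: only an inside host may open one, with a bare SYN.
            if pkt.flags == {"SYN"} and pkt.src.startswith(INSIDE_PREFIX):
                self.flows[fwd] = "SYN_SENT"
                return self._decide("PASS", pkt, "new outbound flow")
            return self._decide("DROP", pkt, "no matching flow")

        state = self.flows[key]
        # FIN or RST tears the flow down; the closing packet itself is allowed.
        if "RST" in pkt.flags or "FIN" in pkt.flags:
            del self.flows[key]
            return self._decide("PASS", pkt, f"flow closed from {state}")

        if state == "SYN_SENT" and not from_originator and pkt.flags == {"SYN", "ACK"}:
            self.flows[key] = "SYN_RECEIVED"
            return self._decide("PASS", pkt, "handshake step 2")
        if state == "SYN_RECEIVED" and from_originator and pkt.flags == {"ACK"}:
            self.flows[key] = "ESTABLISHED"
            return self._decide("PASS", pkt, "handshake complete")
        if state == "ESTABLISHED" and "ACK" in pkt.flags:
            return self._decide("PASS", pkt, "established flow")
        return self._decide("DROP", pkt, f"out of sequence in state {state}")


def run_sample() -> List[str]:
    """Feed a constructed packet sequence through the tracker and return verdicts."""
    fw = StatefulFirewall()
    client, server, outsider = "10.0.0.5", "203.0.113.10", "198.51.100.7"
    sample = [
        Packet(client, server, 40000, 443, frozenset({"SYN"})),         # PASS: inside opens flow
        Packet(server, client, 443, 40000, frozenset({"SYN", "ACK"})),  # PASS: expected reply
        Packet(client, server, 40000, 443, frozenset({"ACK"})),         # PASS: handshake done
        Packet(server, client, 443, 40000, frozenset({"ACK"})),         # PASS: data in flow
        Packet(outsider, client, 12345, 22, frozenset({"SYN"})),        # DROP: unsolicited
        Packet(outsider, client, 12345, 22, frozenset({"ACK"})),        # DROP: no flow
        Packet(server, client, 443, 40000, frozenset({"SYN"})),         # DROP: out of sequence
        Packet(client, server, 40000, 443, frozenset({"FIN", "ACK"})),  # PASS: closes flow
        Packet(server, client, 443, 40000, frozenset({"ACK"})),         # DROP: flow is gone
    ]
    return [fw.process(p) for p in sample]


if __name__ == "__main__":
    fw_demo = StatefulFirewall()
    print(run_sample())
```

The verdict log produced by `_decide` is the part a defender cares about: every drop carries the reason (no matching flow versus out of sequence), which is what makes stateful-inspection logs useful for spotting unsolicited inbound connection attempts as opposed to ordinary noise.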

Use the (config) instance to configure firewall policy commands. To navigate to the config-fw-policy instance, use the following commands:

<DEVICE>(config)#firewall-policy <POLICY-NAME>
nx9500-6C8809(config)#firewall-policy test
Firewall policy Mode commands:
  acl-logging                    Log on flow creating traffic
  alg                            Enable ALG
  clamp                          Clamp value
  dhcp-offer-convert             Enable conversion of broadcast dhcp offers to
  dns-snoop                      DNS Snooping
  firewall                       Configure global firewall
  flow                           Firewall flow
  ip                             Internet Protocol (IP)
  ip-mac                         Action based on ip-mac table
  ipv6                           Internet Protocol version 6 (IPv6)
  ipv6-mac                       Action based on ipv6-mac table
  logging                        Firewall enhanced logging
  no                             Negate a command or set its defaults
  proxy-arp                      Enable generation of ARP responses on behalf
                                 of another device
  proxy-nd                       Enable generation of ND responses (for IPv6)
                                 on behalf of another device
  stateful-packet-inspection-l2  Enable stateful packet inspection in layer2
  storm-control                  Storm-control
  virtual-defragmentation        Enable virtual defragmentation for IPv4 and
                                 IPv6 packets (recommended for proper
                                 functioning of firewall)

  clrscr                         Clears the display screen
  commit                         Commit all changes made in this session
  do                             Run commands from Exec mode
  end                            End current mode and change to EXEC mode
  exit                           End current mode and down to previous mode
  help                           Description of the interactive help system
  revert                         Revert changes
  service                        Service Commands
  show                           Show running system information
  write                          Write running configuration to memory or