Setting an IPv4 or IPv6 Firewall Policy

Before defining a firewall configuration, refer to the following deployment guidelines to ensure the configuration is optimally effective.

To add or edit an IP based Firewall Rule policy:

  1. Select Configuration > Security.
  2. Select IPv4 ACL or IPv6 ACL to display existing IP firewall policies.
    IP Firewall Policy Screen
  3. Select Add to create a new IPv4 or IPv6 firewall rule.
    Select an existing policy and click Edit to modify the attributes of that policy's configuration.
  4. Select the added row to expand it into configurable parameters for a new rule.
    IP Firewall Rules Screen - Adding a New Rule

    If adding a new rule, enter a name up to 32 characters.

  5. Select Add to add a new firewall rule.

    IP firewall configurations can either be modified as a collective group of variables or selected and updated individually as their filtering attributes require a more refined update.

    1. Select the Edit Rule icon to the left of a particular IP firewall rule configuration to update its parameters collectively.
      WLAN Security - IP Firewall Rules - Edit Rule Screen
    2. Click the icon within the Description column (top right-hand side of the screen) and select IP filter values as needed to add criteria into the configuration of the IP ACL.
      WLAN Security - IP Firewall Rules - Add Criteria Pop-up
      WLAN Security - IP Firewall Rules - Add/Edit Specific Criteria Pop-up
      Note

      Only those selected IP ACL filter attributes display. Each value can have its current setting adjusted by selecting that IP ACL's column to display a pop-up to adjust that one value.
  6. Define the following IP firewall rule settings as required:
    Precedence Specify or modify a precedence for this IP policy between 1-5000. Rules with lower precedence are always applied to packets first. If you change a rule's precedence to a higher integer, the rule moves down the table to reflect its lower priority.
    Action Every IP Firewall rule is made up of matching criteria rules. The action defines the packet's disposition if it matches the specified criteria. The following actions are supported:
    • Deny - Instructs the firewall to restrict a packet from proceeding to its destination.
    • Permit - Instructs the firewall to allow a packet to proceed to its destination.
    Source Select the source for creating the ACL. Source options include:
    • Any - Indicates any host device in any network.
    • Network - Indicates all hosts in a particular network. Subnet mask information has to be provided for filtering based on network.
    • Host - Indicates a single host with a specific IP address.
    • Alias - Indicates a collection of IP addresses or hostnames or IP address ranges which are configured as a single unit. This is for ease of configuration of ACLs. When selected, all IP addresses or hostnames or IP address ranges are used in this ACL.
    Destination Select the destination for creating the ACL. Destination options include:
    • Any - Indicates any host device in any network.
    • Network - Indicates all hosts in a particular network. Subnet mask information has to be provided for filtering based on network.
    • Host - Indicates a single host with a specific IP address.
    • Alias - Indicates a collection of IP addresses or hostnames or IP address ranges which are configured as a single unit. This is for ease of configuration of ACLs. When selected, all IP addresses or hostnames or IP address ranges are used in this ACL.
    Protocol Set a service alias as a set of configurations consisting of protocol and port mappings. Both source and destination ports are configurable. Set an alphanumeric service alias (beginning with a $) and include the protocol as relevant.
    Network Service Alias The service alias is a set of configurations consisting of protocol and port mappings. Both source and destination ports are configurable. Set an alphanumeric service alias (beginning with a $ character and containing one special character) and include the protocol as relevant. Selecting either tcp or udp displays an additional set of specific TCP/UDP source and destinations port options.
    Source Port If using either tcp or udp as the protocol, define whether the source port for incoming IP ACL rule application is any, equals or an administrator defined range. If not using tcp or udp, this setting displays as N/A. This is the data local origination virtual port designated by the administrator. Selecting equals invokes a spinner control for setting a single numeric port. Selecting range displays spinner controls for Low and High numeric range settings. A source port cannot be a destination port.
    Destination Port If using either tcp or udp as the protocol, define whether the destination port for incoming IP ACL rule application is any, equals or an administrator defined range. If not using tcp or udp, this setting displays as N/A. This is the data local origination virtual port designated by the administrator. Selecting equals invokes a spinner control for setting a single numeric port. Selecting range displays spinner controls for Low and High numeric range settings.
    ICMP Type Selecting ICMP as the protocol for the IP rule displays an additional set of ICMP specific options for ICMP type and code. The Internet Control Message Protocol (ICMP) uses messages identified by numeric type. ICMP messages are used for packet flow control or generated in IP error responses. ICMP errors are directed to the source IP address of the originating packet. Assign an ICMP type from 1-10.
    ICMP Code Selecting ICMP as the protocol for the IP rule displays an additional set of ICMP specific options for ICMP type and code. Many ICMP types have a corresponding code, helpful for troubleshooting network issues (0 - Net Unreachable, 1- Host Unreachable, 2 - Protocol Unreachable etc.).
    Start VLAN Select a Start VLAN icon within a table row to set (apply) a start VLAN range for this IP ACL filter. The Start VLAN represents the virtual LAN beginning numeric identifier arriving packets must adhere to in order to have the IP ACL rules apply.
    End VLAN Select an End VLAN icon within a table row to set (apply) an end VLAN range for this IP ACL filter. The End VLAN represents the virtual LAN end numeric identifier arriving packets must adhere to in order to have the IP ACL rules apply.
    Protocol Select the protocol to filter for this ACL. Use the drop down to select from a list of predefined protocol or use the spinner control to set a particular protocol number.
    Mark Select this option to mark certain fields inside a packet before allowing them. Mark is applicable only for Allow rules. Mark sets the rule's 802.1p or dscp level (from 0 - 7).
    Log Select this option to create a log entry whenever this firewall rule matches a packet, whether the packet is denied or allowed.
    Enable Select this option to enable or disable this particular IP Firewall rule in this rule set.
    Description Lists the administrator assigned description applied to the IP ACL rule. Select a description within the table to modify its character string as filtering changes warrant. Select the icon within the Description table header to launch a Select Columns screen used to add or remove IP ACL criteria from the table.
  7. Select Add to add additional IP firewall rule configurations.
    Select Remove to remove selected IP firewall rules.
  8. Select OK when completed to update the IP firewall rules.
    Select Reset to revert to the last saved configuration.
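The following is an added example, not part of this documentation or the product's own code, that models how the rule attributes above (precedence, action, any/host/network source and destination, protocol, TCP/UDP port ranges, ICMP type and code, start/end VLAN, mark, log and enable) combine when a packet is evaluated. It assumes first-match semantics (rules are tried in ascending precedence and the first match decides), an implicit deny when nothing matches, and a `reprioritize` helper to show the effect of moving a rule to a higher precedence integer; the `Rule` class, the `host:`/`net:` selector strings, the packet dicts and all addresses are constructed for the example.

```python
"""Added example: minimal evaluator for the IP ACL rule attributes described above.

Illustrative code, not the product's implementation.  Assumes first-match
semantics (lower precedence is applied first; the first matching rule decides)
and an implicit deny when no rule matches.  Packets are plain dicts.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

Range = Tuple[int, int]  # inclusive (low, high), like the Low/High spinner controls


@dataclass
class Rule:
    precedence: int                      # 1-5000; lower values are applied first
    action: str                          # "permit" or "deny"
    source: str = "any"                  # "any", "host:<ip>" or "net:<prefix>" (constructed syntax)
    destination: str = "any"
    protocol: Optional[str] = None       # None = any protocol; "tcp", "udp", "icmp", ...
    src_port: Optional[Range] = None     # tcp/udp only; None = any
    dst_port: Optional[Range] = None
    icmp_type: Optional[int] = None      # icmp only
    icmp_code: Optional[int] = None
    vlan: Optional[Range] = None         # start/end VLAN the packet must arrive on
    mark: Optional[int] = None           # 802.1p / dscp level 0-7, permit rules only
    log: bool = False
    enabled: bool = True
    description: str = ""

    def __post_init__(self):
        if not 1 <= self.precedence <= 5000:
            raise ValueError("precedence must be between 1 and 5000")
        if self.action not in ("permit", "deny"):
            raise ValueError("action must be 'permit' or 'deny'")
        if self.mark is not None and (self.action != "permit" or not 0 <= self.mark <= 7):
            raise ValueError("mark is 0-7 and applies to permit rules only")


def _addr_matches(spec: str, addr: str) -> bool:
    """Match a packet address against an any / host / network selector."""
    if spec == "any":
        return True
    kind, _, value = spec.partition(":")
    ip = ipaddress.ip_address(addr)
    if kind == "host":
        return ip == ipaddress.ip_address(value)
    if kind == "net":
        return ip in ipaddress.ip_network(value, strict=False)
    raise ValueError(f"unknown selector {spec!r}")


def _in_range(rng: Optional[Range], value: Optional[int]) -> bool:
    return rng is None or (value is not None and rng[0] <= value <= rng[1])


def rule_matches(rule: Rule, pkt: dict) -> bool:
    """True when every criterion the rule specifies is satisfied by the packet."""
    if not rule.enabled:
        return False
    if not (_addr_matches(rule.source, pkt["src"]) and _addr_matches(rule.destination, pkt["dst"])):
        return False
    if not _in_range(rule.vlan, pkt.get("vlan")):
        return False
    if rule.protocol is not None and rule.protocol != pkt["proto"]:
        return False
    if rule.protocol in ("tcp", "udp"):
        if not (_in_range(rule.src_port, pkt.get("sport")) and _in_range(rule.dst_port, pkt.get("dport"))):
            return False
    elif rule.protocol == "icmp":
        if rule.icmp_type is not None and pkt.get("icmp_type") != rule.icmp_type:
            return False
        if rule.icmp_code is not None and pkt.get("icmp_code") != rule.icmp_code:
            return False
    return True


def evaluate(rules: List[Rule], pkt: dict, default: str = "deny"):
    """Return (action, matching rule or None, log lines) for one packet."""
    log_lines = []
    for rule in sorted(rules, key=lambda r: r.precedence):   # lower precedence first
        if rule_matches(rule, pkt):
            if rule.log:   # Log option: record the match whether permitted or denied
                log_lines.append(f"rule {rule.precedence} [{rule.description}] "
                                 f"{rule.action} {pkt['proto']} {pkt['src']} -> {pkt['dst']}")
            return rule.action, rule, log_lines
    return default, None, log_lines   # nothing matched: implicit default (assumed deny)


def reprioritize(rules: List[Rule], old: int, new: int) -> List[Rule]:
    """Copy of the policy with one rule moved to a new precedence value."""
    return [replace(r, precedence=new) if r.precedence == old else r for r in rules]


# Constructed sample policy; addresses come from documentation ranges, not a real site.
SAMPLE_POLICY = [
    Rule(10, "deny", source="host:10.0.0.99", log=True, description="quarantined client"),
    Rule(20, "permit", source="net:10.0.0.0/24", destination="host:192.0.2.10",
         protocol="tcp", dst_port=(443, 443), vlan=(10, 20), mark=5, description="LAN to HTTPS"),
    Rule(30, "permit", protocol="icmp", icmp_type=8, icmp_code=0, description="echo request"),
    Rule(40, "deny", log=True, description="catch-all"),
]

HTTPS_FROM_LAN = {"src": "10.0.0.5", "dst": "192.0.2.10", "proto": "tcp",
                  "sport": 51234, "dport": 443, "vlan": 12}
HTTPS_FROM_QUARANTINED = dict(HTTPS_FROM_LAN, src="10.0.0.99")

if __name__ == "__main__":
    for name, pkt in [("lan client", HTTPS_FROM_LAN), ("quarantined", HTTPS_FROM_QUARANTINED)]:
        action, rule, lines = evaluate(SAMPLE_POLICY, pkt)
        print(f"{name}: {action} by rule {rule.precedence if rule else None}", *lines)
    # Moving the deny rule from 10 to 25 places it below the permit at 20, so the
    # quarantined host's HTTPS traffic is now permitted: precedence order matters.
    print("after move:", evaluate(reprioritize(SAMPLE_POLICY, 10, 25), HTTPS_FROM_QUARANTINED)[0])
```

The quarantined-host case is the point of the example: the deny at precedence 10 catches the host before the broader permit at 20 is consulted, but raising its precedence integer to 25 moves it below that permit and the same packet is allowed. A VLAN outside the 10-20 range, a non-TCP protocol, or a disabled rule all fall through to the logged catch-all, which is the behaviour to verify after editing a rule set.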