Kaspersky SD-WAN

Editing a firewall zone on a CPE device

April 17, 2024

ID 270269

You can edit a previously created firewall zone on a CPE device.

You cannot edit a common zone: it can be used by a large number of CPE templates and devices, so editing it would trigger a mass update of every component that uses it and overload the orchestrator. If you want to edit a common zone, you must create a new common zone instead. To the new common zone, you can add the network interfaces and subnets that were added to the previous common zone.

To edit a firewall zone on a CPE device:

  1. In the menu, go to the SD-WAN → CPE section.

    A table of CPE devices is displayed.

  2. Click the CPE device.

    The settings area is displayed in the lower part of the page. You can expand the settings area to fill the entire page by clicking the expand icon. By default, the Configuration tab is selected, which displays general information about the CPE device. This tab also displays the table of Out-of-band management tasks being performed by the orchestrator.

  3. Select the Firewall settings → Zones tab.

    A table of firewall zones is displayed.

  4. Select the Override check box.
  5. Click the Edit button next to the zone that you want to edit.
  6. In the window that opens, enter the name of the firewall zone in the Name field. Maximum length: 255 characters.
  7. In the Input drop-down list, select the action that you want the firewall to apply to inbound traffic packets:
    • ACCEPT to accept traffic packets. Default value.
    • DROP to drop traffic packets.
    • REJECT to reject traffic packets with an icmp-reject message.
  8. In the Output drop-down list, select the action that you want the firewall to apply to outbound traffic packets:
    • ACCEPT to accept traffic packets. Default value.
    • DROP to drop traffic packets.
    • REJECT to reject traffic packets with an icmp-reject message.
  9. In the Forwarding drop-down list, select the action that you want the firewall to apply to traffic packets relayed between network interfaces and subnets:
    • ACCEPT to accept traffic packets. Default value.
    • DROP to drop traffic packets.
    • REJECT to reject traffic packets with an icmp-reject message.
  10. If you want to replace the source IP address of outbound traffic packets from the zone with the IP address assigned to the egress network interface:
    1. Select the Masquerading check box. This check box is cleared by default.
    2. If you want to replace the source IP address only for traffic packets with the specified source subnet:
      1. Under Masquerading source subnets, click + Add.
      2. In the field that is displayed, enter an IPv4 prefix.

      The subnet is specified and displayed under Masquerading source subnets. You can specify multiple subnets; to delete a subnet, click the delete icon next to it.

    3. If you want to replace the source IP address only for traffic packets with the specified destination subnet:
      1. Under Masquerading destination subnets, click + Add.
      2. In the field that is displayed, enter an IPv4 prefix.

      The subnet is specified and displayed under Masquerading destination subnets. You can specify multiple subnets; to delete a subnet, click the delete icon next to it.

  11. Clear the MSS clamp to PMTU check box if you do not want the firewall to limit the Maximum Segment Size (MSS) of traffic packets relayed through the zone to the Path Maximum Transmission Unit (PMTU) value minus 40. The purpose of subtracting 40 is to exclude the size of the TCP header. This check box is selected by default.
  12. If you want the firewall to keep a log of traffic packets dropped in the zone, select the Drops logging check box. If logs created on a CPE device are sent to a Syslog server, you can view the logs on that server. If logs created on the CPE device are stored locally, you can view the logs by requesting diagnostic information. This check box is cleared by default.
  13. If network interfaces of the CPE device are connected to L3 switches or routers, and you want traffic packets from the subnets of those switches or routers to be relayed through the firewall zone, add those subnets to the zone:
    1. Under Networks, click + Add.
    2. In the field that is displayed, enter the IPv4 prefix of the subnet.

    The subnet is added and displayed under Networks. You can add multiple subnets; to delete a subnet, click the delete icon next to it.

  14. Click Save.

    The firewall zone is modified and updated in the table.

  15. In the upper part of the settings area, click Save to save CPE device settings.
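The settings entered in steps 6 through 13 can be modelled to check a zone before it is saved and to predict how the zone treats a given packet. The following is an added example, not Kaspersky SD-WAN code or its API; the class and method names are invented, and the rule that an empty masquerading subnet list imposes no restriction on that side is an assumption drawn from the wording of step 10.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network

ACTIONS = ("ACCEPT", "DROP", "REJECT")   # choices in the Input/Output/Forwarding lists
MSS_HEADER_OVERHEAD = 40                 # "PMTU value minus 40" from step 11


@dataclass
class FirewallZone:
    name: str
    input: str = "ACCEPT"                # defaults match the dialog defaults
    output: str = "ACCEPT"
    forwarding: str = "ACCEPT"
    masquerading: bool = False
    masq_src: list = field(default_factory=list)  # Masquerading source subnets
    masq_dst: list = field(default_factory=list)  # Masquerading destination subnets
    mss_clamp: bool = True                        # MSS clamp to PMTU
    networks: list = field(default_factory=list)  # Networks (step 13)

    def validate(self) -> list:
        """Return the constraints stated in the procedure that this zone violates."""
        problems = []
        if not 0 < len(self.name) <= 255:
            problems.append("name must be 1..255 characters")
        for label in ("input", "output", "forwarding"):
            if getattr(self, label) not in ACTIONS:
                problems.append(f"{label}: {getattr(self, label)!r} is not one of {ACTIONS}")
        for label in ("masq_src", "masq_dst", "networks"):
            for p in getattr(self, label):
                try:
                    IPv4Network(p)       # strict by default: host bits must be zero
                except ValueError:
                    problems.append(f"{label}: {p!r} is not an IPv4 prefix")
        return problems

    def action_for(self, direction: str) -> str:
        """Action applied to 'input', 'output' or 'forwarding' traffic of the zone."""
        return getattr(self, direction)

    def masquerades(self, src: str, dst: str) -> bool:
        """True if an outbound packet src->dst gets the egress interface address.
        An empty subnet list places no restriction on that side (assumption)."""
        if not self.masquerading:
            return False
        hit = lambda ip, nets: not nets or any(IPv4Address(ip) in IPv4Network(n) for n in nets)
        return hit(src, self.masq_src) and hit(dst, self.masq_dst)

    def clamped_mss(self, pmtu: int):
        """MSS enforced on TCP relayed through the zone, or None when clamping is off."""
        return pmtu - MSS_HEADER_OVERHEAD if self.mss_clamp else None
```

Running `validate()` on a zone before step 14 surfaces the same problems the dialog would reject, and `masquerades()` shows which flows the source-NAT settings of step 10 actually affect.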
