Creating a security rule

You can create up to 20,000 security rules. When this limit is reached, a warning is displayed.

To create a security rule:

  1. In the main menu of the Open Single Management Platform Console, go to the Application & Services → NGFW section.

    This opens the Policy tab.

  2. In the Firewall section, select Security rules.
  3. In the upper part of the workspace, click the Create button.

    This opens the security rule creation window.

    A unique identifier (UUID) is automatically assigned to the rule.

  4. Go to the General section and follow these steps:
    1. If you want the rule to apply as soon as it is added, leave the Status toggle switch in the On position; set it to Off if you want to save the rule without applying it. By default, the toggle switch is set to On.
    2. If necessary, enable logging of the session start event, the session end event, or both. When logging is enabled, an event is recorded in the storage of the SIEM system each time a session that matches this security rule begins or ends. Session start and end events are useful during incident investigation because they establish when a connection covered by the rule existed.

      By default, logging is disabled.

    3. In the Name field, enter a name for the new rule.

      The name of the rule must be unique among all rules. The maximum length is 128 characters.

    4. If necessary, in the Description field, enter an arbitrary description of the rule.

      The maximum length is 256 characters.

    5. If you want to change the priority of the created rule, in the Priority field, specify the position of the rule in the table.

      By default, the rule is added to the end of the table, just in front of the default rule. The position determines the rule's priority: rules higher in the table take precedence over rules below them.

    6. Select the action to be applied to traffic that matches the criteria of this rule:
      • Allow: traffic matching the rule is allowed without being scanned by the security engines.
      • Block: traffic is blocked; packets of the session are not forwarded, and the endpoints are not notified.
      • Inspect: traffic is allowed and passed to the security engines of the selected security profile group.
      • Reset both: traffic is blocked and, for TCP sessions, a TCP RST is sent both to the client and to the server, so both sides tear down the connection immediately instead of waiting for a timeout.

      By default, the Block action is selected for a new rule.

      The security engine scan is performed only if the Inspect action is selected for the security rule.

      You can change the selected action later when you edit the rule.

    7. If you selected the Inspect action, the Security engines drop-down list of security profile groups becomes available. Select the security profile group to apply to traffic matching this rule. You can select a previously created group or create a new group by clicking Create.

      By default, the default security profile group is used, which includes default security profiles.

    8. If you want a rule to work only on certain days of the week during certain hours or for the duration of a specified period, in the Schedule section, select a type and name of the schedule. You can select a previously created schedule or create a new schedule.
  5. If you want to configure filtering by source qualifier, go to the Source section and follow these steps:
    1. Select Custom to configure the qualifier.

      The Any option is selected by default.

    2. Select the tab of the source type that you want to add:
      • Addresses. You can add and, if necessary, modify an existing address, or create a new address:
        • To add an existing address to the rule, set the toggle switch next to the relevant address to On. You can modify an existing address by selecting the check box next to it and clicking the Edit button.
        • To add multiple existing addresses, select the check boxes next to the relevant addresses and click Use in rule.
        • To create a new address, click Create. Select the type of the address (host, address range, subnet, or GeoIP) and enter the IP addresses. Then click Create.

        For details about creating and editing addresses, see the section about address management.

        The address is displayed or updated in the list of addresses on the Addresses tab.

      • Security zones. You can add and, if necessary, modify an existing security zone, or create a new security zone:
        • To add the default security zone or an existing security zone to the rule, set the toggle switch next to the relevant security zone to On. You can modify an existing security zone by selecting the check box next to it and clicking the Edit button. For default security zones, you can only edit the description.
        • To add multiple existing security zones, select the check boxes next to the relevant security zones and click Use in rule.
        • To create a new security zone, click Create. Enter a title and a description. Then click Create.

        You can add up to 1000 security zones to a rule.

        For details about creating and editing security zones, see the section about security zone management.

        The security zone is displayed or updated in the table in the Security zones section.

        You can only add security zones of the same type, L2 or L3, to a rule. Once one or more zones of one type have been added (in the Source or in the Destination section), the table displays only zones of that type (for example, only L2 zones); zones of the other type are hidden and cannot be added until you remove all zones of the first type from the rule. This limitation applies only if you selected the Custom option to manage qualifier settings.

        The rule matches traffic only if the device interface on which the traffic arrives belongs to the zone specified in the rule as the source, and the interface through which it leaves belongs to the zone specified as the destination.

      • Users and groups. You can configure filtering by selecting a user or a user group as a source.

        Before adding users or user groups to a rule, make sure that you have configured a user identity service connection.

        To add a user or group of users, click Add to open a window, and in that window, in the Type field, select User or Group. In the Name field, enter the name of the user or user group exactly as it is specified in Active Directory.

    You can add up to 16 records of different types to a rule.

  6. If you want to configure filtering by destination qualifier, go to the Destination section. The address and security zone settings in this section are similar to those in the Source section.

    In the destination qualifier, you can also configure filtering by FQDNs (fully qualified domain names). You can add an existing domain name object, edit one, or create a new one:

    • To add an existing domain name to the rule, set the toggle switch next to the relevant domain name to On. You can modify an existing domain name by selecting the check box next to it and clicking the Edit button.
    • To add multiple existing domain names, select the check boxes next to the relevant domain names and click Use in rule.
    • To create a new domain name, click Create. Enter the name, description, DNS server address, VRF name, and domain names. Then click Create.

    Because a domain name object is resolved through the DNS server you specify here, make sure that the server is reachable from the device and is one you trust: what the rule matches depends on what that server returns.

    You can add up to 16 records of different types to a rule.

  7. If you want to configure filtering by service qualifier, go to the Services section and follow these steps:
    1. Select Custom to configure the qualifier.

      The Any option is selected by default.

    2. Add an existing service from the list, create a new service, or modify an existing service:
      • To add an existing service to the rule, in the row with the relevant service, enable the toggle switch in the Used in rule column. You can modify an existing service by clicking its name.
      • To add multiple existing services, select the check boxes next to the relevant services and click Use in rule.
      • To create a new service, click Create. Enter a name and a description, add the protocol, configure the required protocol settings, and click Create.

      You can add up to 16 services of different types to a rule.

      For details about creating and modifying services, see the Services section.

    The service is displayed or updated in the list of services on the Services tab.

  8. If you want to configure filtering by application qualifier, go to the Applications section and specify the following application filtering criteria:
    • If you want to specify application protocols, in the Application protocols drop-down list, select the relevant protocols. Kaspersky NGFW also supports the filtering of VPN protocols such as OpenVPN, IPSec IKEv1/v2, WireGuard, and DNS tunnel, which can be selected from the drop-down list.

      In sessions in which traffic is transmitted via the QUIC protocol, application services and client applications cannot be identified. A rule that relies on these criteria therefore does not match QUIC sessions; to control QUIC, match it by service instead.

    • If you want to specify client applications, in the Client applications drop-down list, select the relevant applications.
    • If you want to specify application services, under Application services, select Select from list and select the check boxes next to individual services or service categories. To quickly find a service, you can use the search bar.

      Services are organized in thematic categories. Each service can be included in one or more categories.

    You can add one or more parameters to filters for protocols, applications, and application services.

    To filter unidentified applications, select Unknown in the Application protocols, Client applications, or Application services drop-down list. The action specified in the security rule is then applied to traffic whose application could not be identified.

    For details about filtering by application, see the Application Control section.

  9. Save the rule by clicking Create.

    The new rule is added to the list.

  10. Apply the OSMP policy changes by clicking the Commit and push button.

The new security rule does not apply to sessions established before the rule was created; those sessions continue to be handled according to the rules that were in effect when they were established.
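As an added illustration (not Kaspersky NGFW code or documentation), the following Python model reproduces the rule-table semantics this procedure describes: Block as the default action, table position as priority, appending just in front of the default rule, the L2/L3 zone restriction, the per-section record limits, and the fact that a new rule does not affect sessions that are already established. The class and field names, the session 5-tuple, the interpretation of the record limits and first-match evaluation in table order are assumptions made for the model; the sample rules and session are constructed.

```python
"""Constructed model of the security-rule table described above.

Not product code: field names, the session 5-tuple and first-match
evaluation in table order are assumptions; the limits and action
semantics follow the procedure text.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

ACTIONS = {"Allow", "Block", "Inspect", "Reset both"}
MAX_RULES, MAX_RECORDS, MAX_ZONES = 20000, 16, 1000


@dataclass(frozen=True)
class Zone:
    name: str
    kind: str  # "L2" or "L3"


@dataclass
class Rule:
    name: str
    action: str = "Block"       # Block is selected by default for a new rule
    enabled: bool = True        # Status toggle is On by default
    description: str = ""
    src_zones: list = field(default_factory=list)   # empty list means "Any"
    dst_zones: list = field(default_factory=list)
    src_nets: list = field(default_factory=list)    # CIDR strings
    dst_nets: list = field(default_factory=list)
    services: list = field(default_factory=list)    # (proto, port) tuples
    profile_group: str = "default"                  # used only with Inspect


def _section_ok(zones, nets):
    return len(zones) <= MAX_ZONES and len(nets) <= MAX_RECORDS


class RuleTable:
    def __init__(self):
        self.rules = []                   # ordered; 1-based position == priority
        self.default = Rule("default")    # implicit last rule, action Block

    def validate(self, rule):
        """Raise ValueError for the constraints stated in the procedure."""
        if rule.name == self.default.name or any(r.name == rule.name for r in self.rules):
            raise ValueError("rule name must be unique")
        if len(rule.name) > 128 or len(rule.description) > 256:
            raise ValueError("name (128) or description (256) too long")
        if rule.action not in ACTIONS:
            raise ValueError(f"unknown action {rule.action!r}")
        if len({z.kind for z in rule.src_zones + rule.dst_zones}) > 1:
            raise ValueError("a rule may reference L2 zones or L3 zones, not both")
        if not (_section_ok(rule.src_zones, rule.src_nets)
                and _section_ok(rule.dst_zones, rule.dst_nets)
                and len(rule.services) <= MAX_RECORDS):
            raise ValueError("too many records in a qualifier section")
        if len(self.rules) >= MAX_RULES:
            raise ValueError("rule limit reached")

    def add(self, rule, priority=None):
        """Append just in front of the default rule, or insert at a 1-based position."""
        self.validate(rule)
        pos = len(self.rules) if priority is None else priority - 1
        self.rules.insert(pos, rule)
        return self.rules.index(rule) + 1

    @staticmethod
    def _matches(rule, s):
        if rule.src_zones and s["src_zone"] not in {z.name for z in rule.src_zones}:
            return False
        if rule.dst_zones and s["dst_zone"] not in {z.name for z in rule.dst_zones}:
            return False
        if rule.src_nets and not any(ip_address(s["src"]) in ip_network(n) for n in rule.src_nets):
            return False
        if rule.dst_nets and not any(ip_address(s["dst"]) in ip_network(n) for n in rule.dst_nets):
            return False
        if rule.services and (s["proto"], s["dport"]) not in rule.services:
            return False
        return True

    def evaluate(self, s):
        """First enabled rule in table order wins; the default rule catches the rest."""
        for rule in self.rules:
            if rule.enabled and self._matches(rule, s):
                return rule
        return self.default


class Firewall:
    """Session-aware wrapper: a verdict is fixed when the session is established."""
    def __init__(self, table):
        self.table = table
        self.sessions = {}   # 5-tuple -> verdict already applied

    def handle(self, s):
        key = (s["src"], s["dst"], s["proto"], s.get("sport", 0), s["dport"])
        if key in self.sessions:          # rules added later do not affect this session
            return self.sessions[key]
        rule = self.table.evaluate(s)
        verdict = rule.action if rule.action != "Inspect" else f"Inspect:{rule.profile_group}"
        if rule.action in ("Allow", "Inspect"):   # only permitted sessions get established
            self.sessions[key] = verdict
        return verdict


def demo():
    """Constructed walk-through: an Inspect rule, then a higher-priority Block rule."""
    lan, dmz = Zone("lan", "L3"), Zone("dmz", "L3")
    table = RuleTable()
    table.add(Rule("lan-to-dmz-web", action="Inspect", src_zones=[lan], dst_zones=[dmz],
                   services=[("tcp", 443)], profile_group="web-ips"))
    fw = Firewall(table)
    sess = {"src_zone": "lan", "dst_zone": "dmz", "src": "10.0.1.5", "dst": "10.0.2.8",
            "proto": "tcp", "sport": 51000, "dport": 443}
    first = fw.handle(sess)                        # Inspect:web-ips
    table.add(Rule("block-lan-host", src_nets=["10.0.1.5/32"]), priority=1)
    again = fw.handle(sess)                        # still Inspect:web-ips (already established)
    new = fw.handle(dict(sess, sport=51001))       # Block: new session hits the new rule 1
    return first, again, new
```

The model makes two practical points visible: a rule inserted at priority 1 shadows everything below it for new sessions, and a session that was already permitted keeps its verdict until it ends, which is why a freshly committed Block rule does not immediately cut an existing connection.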
