Managing the firewall

Kaspersky SD-WAN supports a firewall for filtering traffic packets on a CPE device. The firewall can accept, drop, or reject traffic packets. If a traffic packet is rejected, its sender receives an ICMP reject message. The firewall can apply each action to inbound and outbound traffic packets, as well as to traffic packets relayed between network interfaces and subnets of CPE devices. When specifying the basic firewall settings, you must set the default actions that the firewall performs on traffic packets.

To avoid configuring each CPE device individually, you can specify the firewall settings in the firewall template and then apply the template to CPE devices when adding or manually registering them. If you edit a setting in a firewall template, that setting is automatically modified on all CPE devices that are using the firewall template. When you edit a setting on a CPE device, that setting becomes independent of the firewall template. When the same setting is edited in the firewall template, the change is not propagated to the CPE device.

Firewall zones

You can add network interfaces and subnets to a firewall zone (hereinafter also referred to as 'zone') to accept, drop, or reject traffic packets transmitted through these network interfaces and subnets. When you create or edit a firewall zone, you need to specify the action to be performed on traffic packets and, if necessary, add subnets. You can add network interfaces to a firewall zone when creating or editing a network interface.

If you want to allow transmitting traffic packets from one firewall zone to another, you can create a forwarding. When creating a forwarding, you must specify the inbound and outbound firewall zones.

You can create common firewall zones that multiple CPE devices can use, as well as firewall zones on an individual CPE device.

You cannot edit a common firewall zone because it can be used by a large number of CPE templates and CPE devices, and editing such a firewall zone would result in a mass update of all CPE templates and CPE devices that are using it, which would overload the orchestrator. If you want to change a common firewall zone, you must create a new common firewall zone. You can then add to the new common firewall zone the network interfaces and subnets that were added to the previous common firewall zone.

Firewall rules

You can create firewall rules to accept, drop, or reject traffic packets based on specified criteria. For example, you can create a firewall rule that rejects traffic packets with a specified source firewall zone.

If you want to specify the same IP addresses or subnets in multiple firewall rules, you need to create an IP set. When you create an IP set, you must specify whether the IP addresses and subnets belong to the source or the destination. You can then specify the created IP set in firewall rule settings.

When a traffic packet is forwarded to a CPE device, the action specified in the settings of one of the firewall rules is performed on the traffic packet. If none of the firewall rules can be applied, the action specified in the settings of the firewall zone to which this packet was forwarded is applied to the traffic packet. If the traffic packet was not forwarded to any of the firewall zones, the default action that you specified while specifying basic firewall settings is applied to the traffic packet.
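The decision order described above (explicit firewall rule, then the action of the zone the packet was forwarded to, then the default action from the basic firewall settings) is easy to misread, so the following is an added example that models it in Python. It is not Kaspersky SD-WAN code: the class names, the assumption that rules are evaluated in order with the first match winning, the assumption that an allowed forwarding between two zones accepts the packet before the destination zone's own action is consulted, and the sample addresses (documentation ranges) are all constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed model (not Kaspersky SD-WAN code) of the decision order the
# page describes: explicit rule -> action of the zone the packet was
# forwarded to -> default action from the basic firewall settings.


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int = 0


@dataclass
class Zone:
    name: str
    subnets: list            # CIDR strings attached to the zone
    action: str              # accept / drop / reject for packets forwarded into this zone

    def contains(self, addr: str) -> bool:
        a = ip_address(addr)
        return any(a in ip_network(s) for s in self.subnets)


@dataclass
class IPSet:
    entries: list            # IP addresses or subnets shared by several rules
    side: str                # "src" or "dst": which address the set is matched against

    def matches(self, pkt: Packet) -> bool:
        a = ip_address(pkt.src if self.side == "src" else pkt.dst)
        return any(a in ip_network(e) for e in self.entries)


@dataclass
class Rule:
    action: str
    src_zone: Optional[str] = None   # None means "any" for every criterion
    dst_zone: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    ipset: Optional[IPSet] = None

    def matches(self, pkt: Packet, src_zone, dst_zone) -> bool:
        return ((self.src_zone is None or self.src_zone == src_zone)
                and (self.dst_zone is None or self.dst_zone == dst_zone)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport)
                and (self.ipset is None or self.ipset.matches(pkt)))


@dataclass
class Firewall:
    zones: list
    forwardings: set         # (source zone, destination zone) pairs that are allowed
    rules: list              # assumption: evaluated in order, first match wins
    default_action: str      # basic firewall setting used when no zone applies

    def zone_of(self, addr: str) -> Optional[str]:
        for z in self.zones:
            if z.contains(addr):
                return z.name
        return None

    def decide(self, pkt: Packet):
        """Return (action, reason) for a packet relayed through the device."""
        src_zone, dst_zone = self.zone_of(pkt.src), self.zone_of(pkt.dst)
        for i, r in enumerate(self.rules):            # step 1: firewall rules
            if r.matches(pkt, src_zone, dst_zone):
                return r.action, f"rule {i}"
        if dst_zone is not None:                       # step 2: zone the packet was forwarded to
            if (src_zone, dst_zone) in self.forwardings:
                return "accept", f"forwarding {src_zone}->{dst_zone}"
            zone = next(z for z in self.zones if z.name == dst_zone)
            return zone.action, f"zone {dst_zone}"
        return self.default_action, "default"          # step 3: basic firewall settings


# Constructed sample policy using documentation address ranges.
BLOCKED = IPSet(entries=["198.51.100.0/24"], side="dst")
FW = Firewall(
    zones=[Zone("lan", ["192.168.10.0/24"], "drop"),
           Zone("wan", ["203.0.113.0/24"], "drop"),
           Zone("dmz", ["10.20.0.0/16"], "drop")],
    forwardings={("lan", "wan")},
    rules=[Rule("reject", src_zone="lan", ipset=BLOCKED),             # LAN may not reach the blocked set
           Rule("accept", dst_zone="dmz", proto="tcp", dport=443)],   # anyone may reach DMZ HTTPS
    default_action="reject",
)

if __name__ == "__main__":
    for p in [Packet("192.168.10.5", "198.51.100.7", "tcp", 80),
              Packet("192.168.10.5", "203.0.113.8", "tcp", 80),
              Packet("203.0.113.9", "10.20.1.1", "tcp", 443),
              Packet("203.0.113.9", "10.20.1.1", "tcp", 22),
              Packet("203.0.113.9", "172.16.0.1", "udp", 53)]:
        print(p.src, "->", p.dst, p.proto, p.dport, FW.decide(p))
```

Running the block shows one packet per stage: the LAN packet to the blocked IP set is rejected by rule 0, the LAN-to-WAN packet is accepted by the forwarding, HTTPS into the DMZ is accepted by rule 1, SSH into the DMZ falls through to the zone's drop action, and a packet to an address in no zone gets the default action. When you review a policy, the reason string tells you which layer produced the decision, which is what you need to know before changing a zone action or a default.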

Network address translation

The firewall supports the following network address translation (NAT) mechanisms:

Destination NAT (DNAT), configured with DNAT rules

Source NAT (SNAT), configured with SNAT rules

DNAT rules and SNAT rules are applied to traffic packets based on the specified criteria. For example, you can create a DNAT rule that replaces the destination IP address of TCP traffic packets.
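To make the criteria-based behaviour concrete, the following added Python example models a DNAT rule that rewrites the destination of matching TCP packets and an SNAT rule that rewrites the source of packets leaving a LAN subnet. It is not Kaspersky SD-WAN code; the rule fields, the assumption that DNAT is applied when a packet enters the device and SNAT when it leaves (so SNAT criteria see the already-translated destination), and the sample addresses are constructed for illustration.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed model (not Kaspersky SD-WAN code) of criteria-based DNAT and
# SNAT rules. Assumption: DNAT runs on entry, SNAT on exit.


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


@dataclass
class DNATRule:
    new_dst: str                      # replacement destination address
    new_dport: Optional[int] = None   # replacement port (None keeps the original)
    proto: Optional[str] = None       # match criteria; None means "any"
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and (self.dst is None or self.dst == p.dst)
                and (self.dport is None or self.dport == p.dport))


@dataclass
class SNATRule:
    new_src: str                      # replacement source address
    src_net: str                      # criterion: only packets from this subnet
    proto: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and ip_address(p.src) in ip_network(self.src_net))


def apply_dnat(p: Packet, rules) -> Packet:
    """Rewrite the destination according to the first matching DNAT rule."""
    for r in rules:
        if r.matches(p):
            new_port = r.new_dport if r.new_dport is not None else p.dport
            return replace(p, dst=r.new_dst, dport=new_port)
    return p                          # no rule matched: packet is left as is


def apply_snat(p: Packet, rules) -> Packet:
    """Rewrite the source according to the first matching SNAT rule."""
    for r in rules:
        if r.matches(p):
            return replace(p, src=r.new_src)
    return p


def translate(p: Packet, dnat_rules, snat_rules) -> Packet:
    return apply_snat(apply_dnat(p, dnat_rules), snat_rules)


# Constructed sample rules: publish a DMZ HTTPS service on the WAN address and
# masquerade the LAN subnet behind that same WAN address.
DNAT_RULES = [DNATRule(new_dst="10.20.1.5", new_dport=8443,
                       proto="tcp", dst="203.0.113.10", dport=443)]
SNAT_RULES = [SNATRule(new_src="203.0.113.10", src_net="192.168.10.0/24")]

if __name__ == "__main__":
    for p in [Packet("198.51.100.7", 51000, "203.0.113.10", 443, "tcp"),
              Packet("198.51.100.7", 51000, "203.0.113.10", 443, "udp"),
              Packet("192.168.10.20", 40000, "198.51.100.20", 443, "tcp")]:
        print(p, "->", translate(p, DNAT_RULES, SNAT_RULES))
```

The first packet matches the DNAT rule on protocol, destination address and port, so only its destination changes; the UDP packet to the same address is left untouched because the rule is limited to TCP; the outbound LAN packet misses the DNAT rule but has its source replaced by the SNAT rule. Keeping criteria narrow (protocol and port, not just address) is what prevents a DNAT rule intended for one service from redirecting unrelated traffic.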

In this Help section

Managing firewall zones

Managing forwarding

Managing firewall templates

Basic firewall settings

Configuring DPI marking

Managing firewall rules

Managing IP sets

Managing DNAT rules

Managing SNAT rules

Changing the firewall template of a CPE device