Creating a firewall zone

You can create a common firewall zone or a firewall zone on the CPE device.

To create a firewall zone:

  1. Create a firewall zone in one of the following ways:
    • If you want to create a common firewall zone, go to the SD-WAN → Firewall zones section and in the upper part of the page, click + Firewall zone.
    • If you want to create a firewall zone on a CPE device, go to the SD-WAN → CPE menu section, click the CPE device, select the Firewall settings → Zones tab, select the Override check box, and click + Firewall zone.

    A table of firewall zones is displayed.

  2. This opens a window. In the Name field, enter the name of the firewall zone. Maximum length: 255 characters.
  3. In the Input drop-down list, select the action that the firewall applies to inbound traffic packets:
    • ACCEPT to accept traffic packets. Default value.
    • DROP to drop traffic packets.
    • REJECT to reject traffic packets with an icmp-reject message.
  4. In the Output drop-down list, select the action that the firewall applies to outbound traffic packets:
    • ACCEPT to accept traffic packets. Default value.
    • DROP to drop traffic packets.
    • REJECT to reject traffic packets with an icmp-reject message.
  5. In the Forwarding drop-down list, select the action that the firewall applies to traffic packets forwarded between network interfaces and subnets:
    • ACCEPT to accept traffic packets. Default value.
    • DROP to drop traffic packets.
    • REJECT to reject traffic packets with an icmp-reject message.
  6. If you want to enable masquerading to replace the source IP address of outbound traffic packets from the firewall zone with the IP address assigned to the egress network interface:
    1. Select the Masquerading check box. This check box is cleared by default.
    2. If you want to replace the source IP address only for traffic packets with the specified source subnet, under Masquerading source subnets, click + Add and enter an IPv4 prefix.

      The subnet is specified and displayed under Masquerading source subnets. You can specify multiple subnets or delete a subnet. To delete a subnet, click the delete icon next to it.

    3. If you want to replace the destination IP address only for traffic packets with the specified source subnet, under Masquerading destination subnets, click + Add and enter an IPv4 prefix.

      The subnet is specified and displayed under Masquerading destination subnets. You can specify multiple subnets or delete a subnet. To delete a subnet, click the delete icon next to it.

  7. Clear the MSS clamp to PMTU check box if you do not want the firewall to limit the Maximum Segment Size (MSS) of traffic packets relayed through the firewall zone to the Path Maximum Transmission Unit (PMTU) value minus 40. The purpose of subtracting 40 is to exclude the size of the TCP header. This check box is selected by default.
  8. If you want the firewall to keep a log of traffic packets dropped in the firewall zone, select the Drops logging check box. If logs created on a CPE device are sent to a Syslog server, you can view the logs on that server. If logs created on the CPE device are stored locally, you can view the logs by requesting diagnostic information. This check box is cleared by default.
  9. If network interfaces are connected to L3 switches or routers, and you want to relay traffic packets from subnets of these L3 switches or routers, add a subnet to the firewall zone. To do so, under Networks, click + Add and enter an IPv4 subnet prefix.

    The subnet is added and displayed under Networks. You can add multiple subnets or delete a subnet. To delete a subnet, click the delete icon next to it.

  10. Click Create.

    The firewall zone is created and displayed in the table.

  11. If you have created a firewall zone on a CPE device, click Save in the upper part of the settings area to save the CPE device settings.

You must add network interfaces to the created firewall zone. You can do this when creating or editing a network interface. If you created a firewall zone on a CPE device, the network interfaces that you add to the firewall zone must be created on the same CPE device.
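The following Python model is an added example and is not part of the product or its documentation. It encodes the zone settings from the procedure above (the three per-direction actions with their ACCEPT defaults, masquerading with its optional source and destination subnet lists, MSS clamp to PMTU minus 40, drops logging, and the Networks list) so that the effect of a given zone configuration can be checked offline against constructed sample packets. The class, function and field names are assumptions chosen for the example; it also assumes that the masquerading destination subnet list is matched against the packet's destination address and that masquerading applies to packets leaving the zone (output and forwarding), not to inbound packets.

```python
"""Offline model of a firewall zone as described in the procedure (added example)."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

ACTIONS = ("ACCEPT", "DROP", "REJECT")       # values offered in the drop-down lists
DIRECTIONS = ("input", "output", "forwarding")
TCP_IP_HEADER_OVERHEAD = 40                  # subtracted from the PMTU when clamping MSS


@dataclass
class FirewallZone:
    """Settings of one firewall zone; defaults match the procedure."""
    name: str
    input: str = "ACCEPT"
    output: str = "ACCEPT"
    forwarding: str = "ACCEPT"
    masquerading: bool = False               # check box cleared by default
    masq_src_subnets: List[IPv4Network] = field(default_factory=list)
    masq_dst_subnets: List[IPv4Network] = field(default_factory=list)
    mss_clamp_to_pmtu: bool = True           # check box selected by default
    drops_logging: bool = False              # check box cleared by default
    networks: List[IPv4Network] = field(default_factory=list)  # subnets behind L3 devices

    def __post_init__(self) -> None:
        if not self.name or len(self.name) > 255:
            raise ValueError("zone name must be 1..255 characters")
        for direction in DIRECTIONS:
            if getattr(self, direction) not in ACTIONS:
                raise ValueError(f"{direction}: action must be one of {ACTIONS}")
        # Accept prefixes given as strings, as they would be typed into the UI.
        self.masq_src_subnets = [IPv4Network(n) for n in self.masq_src_subnets]
        self.masq_dst_subnets = [IPv4Network(n) for n in self.masq_dst_subnets]
        self.networks = [IPv4Network(n) for n in self.networks]


def verdict(zone: FirewallZone, direction: str) -> str:
    """Action the zone applies to a packet travelling in the given direction."""
    if direction not in DIRECTIONS:
        raise ValueError(f"unknown direction {direction!r}")
    return getattr(zone, direction)


def should_masquerade(zone: FirewallZone, src: str, dst: str) -> bool:
    """True if the packet's source address is rewritten to the egress interface address.

    An empty subnet list means "no restriction" for that list. Assumption: the
    destination list is matched against the packet's destination address.
    """
    if not zone.masquerading:
        return False
    src_ip, dst_ip = IPv4Address(src), IPv4Address(dst)
    if zone.masq_src_subnets and not any(src_ip in n for n in zone.masq_src_subnets):
        return False
    if zone.masq_dst_subnets and not any(dst_ip in n for n in zone.masq_dst_subnets):
        return False
    return True


def clamped_mss(zone: FirewallZone, pmtu: int) -> Optional[int]:
    """MSS advertised to TCP peers when clamping is on; None leaves the MSS untouched."""
    return pmtu - TCP_IP_HEADER_OVERHEAD if zone.mss_clamp_to_pmtu else None


def process(zone: FirewallZone, direction: str, src: str, dst: str) -> Tuple[str, bool, Optional[str]]:
    """Return (verdict, masqueraded, log line or None) for one packet."""
    action = verdict(zone, direction)
    # Assumption: masquerading only concerns packets leaving the zone.
    masq = action == "ACCEPT" and direction != "input" and should_masquerade(zone, src, dst)
    log = None
    if action == "DROP" and zone.drops_logging:
        log = f"zone={zone.name} dir={direction} DROP {src} -> {dst}"
    return action, masq, log


if __name__ == "__main__":
    # Constructed example: a branch LAN zone that is NATed towards the WAN.
    lan = FirewallZone(
        name="lan",
        forwarding="DROP",
        masquerading=True,
        masq_src_subnets=["10.20.0.0/16"],
        drops_logging=True,
        networks=["10.21.0.0/24"],  # subnet behind a downstream L3 switch
    )
    print(process(lan, "output", "10.20.1.5", "203.0.113.10"))
    print(process(lan, "forwarding", "10.20.1.5", "10.30.0.7"))
    print("MSS with PMTU 1500:", clamped_mss(lan, 1500))
```

Running the module prints the verdict, the masquerading decision and the drop log line for two constructed packets, which is a quick way to confirm that a DROP forwarding policy combined with Drops logging produces a log entry while an ACCEPT output policy with a matching source subnet is masqueraded.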
