The table of firewall rules is displayed in the firewall template and on the CPE device:
To display the table of firewall rules in a firewall template, go to the SD-WAN → Firewall templates menu section, click the firewall template, and select the Rules tab.
To display the table of firewall rules on a CPE device, go to the SD-WAN → CPE menu section, click the CPE device, and select the Firewall settings → Rules tab.
The following firewall rules are created by default:
Allow-GENEVE allows the CPE device to receive GENEVE packets from the WAN firewall zone. GENEVE packets are encapsulated Kaspersky SD-WAN traffic.
Allow-DHCP-Renew allows the CPE device to receive BOOTP packets from the WAN firewall zone, which is necessary for DHCP to work.
Allow-IGMP allows the CPE device to receive IGMP packets from the WAN firewall zone, which is necessary for VRRP and multicast to work.
The following firewall rules are temporarily disabled until full support for IPv6 becomes available in Kaspersky SD-WAN:
Allow-DHCPv6 allows the CPE device to receive DHCPv6 packets from the WAN firewall zone, which is necessary for IPv6 to work.
Allow-MLD allows the CPE device to receive MLD packets from the WAN firewall zone, which is necessary for IPv6 to work.
Allow-ICMPv6-Input allows the CPE device to receive ICMPv6 packets from the WAN firewall zone, which is necessary for IPv6 to work.
Allow-ICMPv6-Forward-From-Wan allows the CPE device to receive ICMPv6 packets from the WAN firewall zone, which packets are forwarded to the LAN firewall zone, which is necessary for IPv6 to work.
Allow-ICMPv6-Forward-From-Lan allows the CPE device to receive ICMPv6 packets from the LAN firewall zone, which packets are forwarded to the WAN firewall zone, which is necessary for IPv6 to work.
Explicit-deny-http(s)-on-wan blocks the CPE device from receiving TCP traffic packets with destination ports 80 or 443 to prevent access from the WAN firewall zone to the CPE device web server.
For the default firewall rules to work correctly, you need to add sd-wan<0–4> network interfaces to the WAN firewall zone. You can add network interfaces to a firewall zone when creating or editing a network interface.
Information about firewall rules is displayed in the following columns of the table:
Name is the name of the firewall rule.
Details contains criteria according to which the firewall applies the rule to traffic packets.
Action is the action that the firewall rule applies to traffic packets.