Kaspersky SD-WAN supports a firewall for filtering traffic packets on a CPE device. The firewall can accept, drop, or reject traffic packets. If a traffic packet is rejected, its sender receives an icmp-reject message. The firewall can apply each action to inbound and outbound traffic packets, as well as to traffic packets relayed between network interfaces and subnets of CPE devices. When specifying the basic firewall settings, you must set the default actions that the firewall performs with traffic packets.
To avoid configuring each CPE device individually, you can specify the firewall settings in the firewall template and then apply the template to CPE devices when adding or manually registering them. If you edit a setting in a firewall template, that setting is automatically modified on all CPE devices that are using the firewall template. If you edit a setting on the CPE device, the setting becomes independent of the firewall template, and if the setting is modified in the firewall template, it remains unchanged on the CPE device.
Firewall zones
You can add network interfaces and subnets to a firewall zone (hereinafter also referred to as 'zone') to receive, drop, or reject traffic packets transmitted through these network interfaces and subnets. When you create or edit a firewall zone, you need to specify the actions to be performed with traffic packets and, if necessary, add subnets. You can add network interfaces to a firewall zone when creating or editing a network interface.
If you want to allow transmitting traffic packets from one firewall zone to another, you need to create a forwarding. When creating a forwarding, you must specify the inbound and outbound firewall zones.
You can create common firewall zones that multiple CPE devices can use, as well as firewall zones on an individual CPE device.
Firewall rules
You can create firewall rules to accept, drop, or reject traffic packets based on specified criteria. For example, you can create a firewall rule that rejects traffic packets with a specified source firewall zone.
If you want to specify the same IP addresses or subnets in multiple firewall rules, you can create an IP set. When you create an IP set, you must specify whether the IP addresses and subnets belong to the source or the destination. You can specify the created IP set when creating or modifying a firewall rule.
When a traffic packet is forwarded to a CPE device, the action specified in the settings of one of the firewall rules is performed on the traffic packet. If none of the firewall rules can be applied, the action specified in the settings of the firewall zone to which this packet was forwarded is applied to the traffic packet. If the traffic packet was not forwarded to any of the firewall zones, the default action that you specified while specifying basic firewall settings is applied to the traffic packet.
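The decision order described in the sections above (first matching firewall rule, then the action of the firewall zone the packet was forwarded to, then the basic default action) is easy to get wrong when reading a rule set, so the following Python model walks a packet through it. This is an added illustration, not Kaspersky SD-WAN code: the zone names, interfaces, subnets, IP set and rules are constructed, and the matching fields (zone, protocol, IP set) and the handling of a missing forwarding are assumptions of the model.

```python
"""Model of the firewall decision order: rule -> zone action -> default action.

Added example, not product code. Zones, interfaces, subnets, the IP set and the
rules below are constructed; matching fields are assumptions of this model.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

ACCEPT, DROP, REJECT = "accept", "drop", "reject"


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    in_iface: str
    out_iface: Optional[str] = None  # None = packet addressed to the CPE itself


@dataclass
class Zone:
    name: str
    input: str    # action for packets addressed to the CPE
    forward: str  # action for packets relayed into this zone
    interfaces: set = field(default_factory=set)
    subnets: list = field(default_factory=list)

    def contains(self, iface: Optional[str], ip: str) -> bool:
        # A zone is matched by its interfaces first, then by its subnets.
        if iface in self.interfaces:
            return True
        addr = ip_address(ip)
        return any(addr in ip_network(n) for n in self.subnets)


@dataclass
class IPSet:
    name: str
    direction: str  # "source" or "destination", fixed when the set is created
    networks: list

    def matches(self, pkt: Packet) -> bool:
        ip = ip_address(pkt.src if self.direction == "source" else pkt.dst)
        return any(ip in ip_network(n) for n in self.networks)


@dataclass
class Rule:
    name: str
    action: str
    src_zone: Optional[str] = None
    dst_zone: Optional[str] = None
    proto: Optional[str] = None
    ipset: Optional[IPSet] = None

    def matches(self, pkt, src_zone, dst_zone) -> bool:
        # Every criterion that is set must match; unset criteria are wildcards.
        return all([
            self.src_zone is None or (src_zone is not None and src_zone.name == self.src_zone),
            self.dst_zone is None or (dst_zone is not None and dst_zone.name == self.dst_zone),
            self.proto is None or pkt.proto == self.proto,
            self.ipset is None or self.ipset.matches(pkt),
        ])


class Firewall:
    def __init__(self, default_input: str, default_forward: str):
        self.defaults = {"input": default_input, "forward": default_forward}
        self.zones, self.forwardings, self.rules = [], set(), []

    def zone_of(self, iface, ip):
        return next((z for z in self.zones if z.contains(iface, ip)), None)

    def evaluate(self, pkt: Packet):
        """Return (action, reason) in the order the documentation describes."""
        src_zone = self.zone_of(pkt.in_iface, pkt.src)
        dst_zone = self.zone_of(pkt.out_iface, pkt.dst) if pkt.out_iface else None
        # 1. The first firewall rule whose criteria all match decides.
        for rule in self.rules:
            if rule.matches(pkt, src_zone, dst_zone):
                return rule.action, f"rule:{rule.name}"
        # 2. Relayed packet: the destination zone's action applies. Model
        #    assumption: without a forwarding between the zones it is dropped.
        if dst_zone is not None:
            if (src_zone is not None and src_zone is not dst_zone
                    and (src_zone.name, dst_zone.name) not in self.forwardings):
                return DROP, "no-forwarding"
            return dst_zone.forward, f"zone:{dst_zone.name}"
        # 2b. Packet addressed to the CPE: the receiving zone's input action.
        if src_zone is not None:
            return src_zone.input, f"zone:{src_zone.name}"
        # 3. No zone involved at all: the basic default action.
        return self.defaults["forward" if pkt.out_iface else "input"], "default"


def build_demo() -> Firewall:
    """Constructed configuration: a LAN zone, a WAN zone, one forwarding."""
    fw = Firewall(default_input=REJECT, default_forward=DROP)
    fw.zones += [
        Zone("lan", input=ACCEPT, forward=ACCEPT, interfaces={"lan0"}, subnets=["192.0.2.0/24"]),
        Zone("wan", input=DROP, forward=ACCEPT, interfaces={"wan0"}),
    ]
    fw.forwardings.add(("lan", "wan"))  # lan -> wan allowed; wan -> lan is not
    blocked = IPSet("blocked-dst", "destination", ["198.51.100.0/24"])
    fw.rules.append(Rule("block-set", REJECT, ipset=blocked))
    fw.rules.append(Rule("no-lan-udp-out", DROP, src_zone="lan", dst_zone="wan", proto="udp"))
    return fw
```

Reading the reason string alongside the action is the useful part: a packet that is accepted by "zone:wan" rather than by a rule tells you the rule set never matched it, and a "default" result tells you the packet touched no zone at all, which usually means an interface was never added to one.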
Network address translation
The firewall supports the following network address translation (NAT) mechanisms:
DNAT rules and SNAT rules are applied to traffic packets based on the specified criteria. For example, you can create a DNAT rule that replaces the destination IP address of TCP traffic packets.