You can configure basic firewall settings in a firewall template or on a CPE device. Basic firewall settings specified in the firewall template are automatically propagated to all CPE devices that use this firewall template.
The firewall applies the actions specified in its basic settings to traffic packets. These actions apply only to traffic packets to which no firewall rules have been applied and which have not been forwarded to any of the firewall zones.
To specify the basic firewall settings:
Open the basic firewall settings in one of the following ways:
If you want to edit basic firewall settings in a firewall template, go to the SD-WAN → Firewall templates menu section and click the firewall template.
If you want to edit basic firewall settings on a CPE device, go to the SD-WAN → CPE menu section, click the CPE device, select the Firewall tab, and select the Override check box.
By default, the General settings tab is selected, which displays the main settings of the firewall.
If you want to disable SYN flood protection, clear the Syn-flood protection check box. This check box is selected by default. When SYN flood protection is enabled, a maximum of 25 traffic packets per second with the SYN, ACK, RST, and FIN flags can be sent to a CPE device.
If you want the firewall to drop traffic packets marked as invalid by the conntrack function, select the Drop invalid packets check box. This check box is cleared by default.
If you want to disable the DPI (Deep Packet Inspection) technology, clear the Enable DPI check box. This check box is selected by default. The DPI technology lets you create firewall rules that apply only to traffic packets of the specified application.
When the DPI technology is disabled, you cannot configure DPI marking, and firewall rules that use the DPI technology are automatically disabled.
In the Default INPUT action drop-down list, select the action that the firewall applies to inbound traffic packets:
ACCEPT to accept traffic packets. Default value.
DROP to drop traffic packets.
REJECT to reject traffic packets with an icmp-reject message.
In the Default OUTPUT action drop-down list, select the action that the firewall applies to outbound traffic packets:
ACCEPT to accept traffic packets. Default value.
DROP to drop traffic packets.
REJECT to reject traffic packets with an icmp-reject message.
In the Default FORWARD action drop-down list, select the action that the firewall applies to traffic packets forwarded between network interfaces and subnets:
ACCEPT to accept traffic packets. Default value.
DROP to drop traffic packets.
REJECT to reject traffic packets with an icmp-reject message.
In the upper part of the settings area, click Save to save the settings of the firewall template or CPE device.
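The following added example, which is not part of the product or of this documentation's own material, resolves the effective basic settings for each CPE device from a firewall template and the per-device Override check box, then flags fail-open values such as the default ACCEPT actions. The field names, the inventory layout, and the assumption that Override replaces the whole set of template values (with omitted values falling back to the defaults listed above) are hypothetical.

```python
# Added example; field names and inventory layout are hypothetical, defaults are this page's.
PAGE_DEFAULTS = {
    "syn_flood_protection": True,   # "Syn-flood protection" is selected by default
    "drop_invalid": False,          # "Drop invalid packets" is cleared by default
    "input": "ACCEPT", "output": "ACCEPT", "forward": "ACCEPT",
}
ACTIONS = {"ACCEPT", "DROP", "REJECT"}

def effective_settings(template, cpe):
    """Template values apply unless the CPE has Override selected (assumed: whole tab)."""
    source = cpe.get("settings", {}) if cpe.get("override") else template
    merged = {**PAGE_DEFAULTS, **source}
    for chain in ("input", "output", "forward"):
        if merged[chain] not in ACTIONS:
            raise ValueError(f"{chain}: unknown action {merged[chain]!r}")
    return merged

def audit(settings):
    """Return findings for values that let unmatched or invalid packets through."""
    findings = []
    if not settings["syn_flood_protection"]:
        findings.append("SYN flood protection disabled (no 25 packets/s limit)")
    if not settings["drop_invalid"]:
        findings.append("conntrack-invalid packets are not dropped")
    for chain in ("input", "forward"):  # OUTPUT is left to local policy here
        if settings[chain] == "ACCEPT":
            findings.append(f"default {chain.upper()} action is ACCEPT: unmatched packets pass")
    return findings

def audit_fleet(template, cpes):
    """Map CPE name -> findings, noting where device settings replace the template."""
    report = {}
    for cpe in cpes:
        found = audit(effective_settings(template, cpe))
        if cpe.get("override"):
            found.insert(0, "override active: settings come from the device, not the template")
        report[cpe["name"]] = found
    return report

# Constructed sample inventory (not exported from a real controller).
TEMPLATE = {"drop_invalid": True, "input": "DROP", "forward": "DROP"}
CPES = [
    {"name": "cpe-branch-1", "override": False, "settings": {}},
    {"name": "cpe-branch-2", "override": True, "settings": {"syn_flood_protection": False}},
]

if __name__ == "__main__":
    for name, found in audit_fleet(TEMPLATE, CPES).items():
        print(name, found or "no findings")
```

With the constructed inventory, the device that follows the hardened template reports no findings, while the overridden device falls back to the out-of-the-box ACCEPT defaults and is flagged.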