You can create a firewall rule in a firewall template or on a CPE device. A firewall rule created in a firewall template is automatically created on all CPE devices that use this firewall template.
To create a firewall rule:

1. Create a firewall rule in one of the following ways:
   - If you want to create a firewall rule in a firewall template, go to the SD-WAN → Firewall templates menu section, click the firewall template, and select the Rules tab.
   - If you want to create a firewall rule on a CPE device, go to the SD-WAN → CPE menu section, click the CPE device, select the Firewall → Rules tab, and select the Override check box.
   A table of firewall rules is displayed.
2. Click + Rule.
3. This opens a window; in that window, in the Name field, enter the name of the firewall rule. The maximum length of the name is 255 characters.
4. In the Action drop-down list, select the action that the firewall rule applies to traffic packets:
   - ACCEPT to accept traffic packets. This is the default value.
   - DROP to drop traffic packets.
   - REJECT to reject traffic packets with an icmp-reject message.
   - ADJ-MSS to change the value of the MSS field in the TCP header of the traffic packets to the specified MSS value. If you select this value, enter the MSS value in the MSS value field. Range of values: 68 to 10,000.
5. Specify the criteria according to which the firewall must apply the firewall rule to traffic packets:
   - If you want to apply the firewall rule only to traffic packets with the specified source or destination IP addresses or subnets, in the IP set drop-down list, select a created IP set. If you select a value from this drop-down list, the Source IP and Destination IP blocks become unavailable.
   - If you want to apply the firewall rule only to traffic packets whose source or destination addresses or subnets are IPv4, in the IP version drop-down list, select IPv4. If you do not select a value, the firewall rule is applied to traffic packets with any version of source or destination IP addresses or subnets.
   - If you want to apply the firewall rule only to traffic packets from the specified source firewall zone, in the Source zone drop-down list, select a created firewall zone.
   - If you want to apply the firewall rule only to traffic packets to the specified destination firewall zone, in the Destination zone drop-down list, select a created firewall zone.
   - If you want to apply the firewall rule only to traffic packets with the specified source IPv4 address or prefix, under Source IP, click + Add and enter the source IPv4 address or prefix.
     The IPv4 address or prefix is specified and displayed under Source IP. You can specify multiple IPv4 addresses or prefixes, or delete an IPv4 address or prefix by clicking the delete icon next to it.
   - If you want to apply the firewall rule only to traffic packets with the specified destination IPv4 address or prefix, under Destination IP, click + Add and enter the destination IPv4 address or prefix.
     The IPv4 address or prefix is specified and displayed under Destination IP. You can specify multiple IPv4 addresses or prefixes, or delete an IPv4 address or prefix by clicking the delete icon next to it.
   - If you want to apply the firewall rule only to traffic packets of the specified protocol, select a protocol in the Protocol drop-down list. When you select an option in this drop-down list, the DPI protocol drop-down list becomes unavailable.
   - With TCP or UDP selected, if you want to apply the firewall rule only to traffic packets with the specified source and/or destination ports:
     - In the Source port field, enter a source port number or a range of source port numbers.
     - In the Destination port field, enter a destination port number or a range of destination port numbers.
     Range of values: 0 to 65,535. The format of a port number range is <first value>-<last value>. For example, you can enter 10 or 10-15.
   - If you want to apply the firewall rule only to traffic packets of the specified application, select an application in the DPI protocol drop-down list.
     Traffic is attributed to applications using DPI technology, which places additional load on the CPU of the CPE device.
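The following added example (not the orchestrator's or CPE's own code) models the rule fields listed in this procedure and checks the constraints the page states before a rule is saved: the 255-character name limit, the 68 to 10,000 MSS range for ADJ-MSS, the 0 to 65,535 port range in <first value>-<last value> format, ports only with TCP or UDP, and the two mutually exclusive pairs (IP set versus Source IP/Destination IP, Protocol versus DPI protocol). It also shows how the criteria combine: a rule applies to a packet only when every criterion that is set is satisfied, and an unset criterion matches anything. The `Packet` and `ip_sets` shapes, the assumption that an IP set matches either the source or the destination address, and the sample rules and packets are all constructed for the example; the real CPE's evaluation order and internal representation are not described on this page.

```python
"""Validator and matcher for the firewall-rule fields described above.
Added example, not the product's own code; field shapes are assumptions."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

ACTIONS = {"ACCEPT", "DROP", "REJECT", "ADJ-MSS"}


@dataclass
class FirewallRule:
    name: str
    action: str = "ACCEPT"                 # ACCEPT is the page's default value
    mss_value: Optional[int] = None        # only used with ADJ-MSS
    ip_set: Optional[str] = None           # name of a created IP set (assumed shape)
    ip_version: Optional[str] = None       # "IPv4" or None for any version
    source_zone: Optional[str] = None
    destination_zone: Optional[str] = None
    source_ips: list = field(default_factory=list)       # IPv4 addresses/prefixes
    destination_ips: list = field(default_factory=list)
    protocol: Optional[str] = None         # e.g. "TCP", "UDP", "ICMP"
    source_port: Optional[str] = None      # "10" or "10-15"
    destination_port: Optional[str] = None
    dpi_protocol: Optional[str] = None     # application classified by DPI


@dataclass
class Packet:
    """Constructed packet summary used to test a rule (not a product structure)."""
    src_ip: str
    dst_ip: str
    protocol: str
    src_zone: str = ""
    dst_zone: str = ""
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    app: Optional[str] = None              # what DPI attributed the flow to


def parse_port_range(text):
    """Parse '10' or '10-15' into (first, last) within 0..65535, first <= last."""
    parts = text.split("-")
    if len(parts) not in (1, 2) or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad port spec {text!r}: use <first value>-<last value>")
    first, last = int(parts[0]), int(parts[-1])
    if not (0 <= first <= last <= 65535):
        raise ValueError(f"port range {text!r} outside 0-65535 or reversed")
    return first, last


def validate(rule):
    """Return a list of problems with the rule; an empty list means it is consistent."""
    problems = []
    if not rule.name or len(rule.name) > 255:
        problems.append("name must be 1-255 characters")
    if rule.action not in ACTIONS:
        problems.append(f"unknown action {rule.action!r}")
    if rule.action == "ADJ-MSS" and (rule.mss_value is None or not 68 <= rule.mss_value <= 10000):
        problems.append("ADJ-MSS needs an MSS value in 68-10000")
    if rule.ip_set and (rule.source_ips or rule.destination_ips):
        problems.append("IP set and Source IP/Destination IP are mutually exclusive")
    if rule.protocol and rule.dpi_protocol:
        problems.append("Protocol and DPI protocol are mutually exclusive")
    if (rule.source_port or rule.destination_port) and rule.protocol not in ("TCP", "UDP"):
        problems.append("ports require Protocol TCP or UDP")
    for spec in (rule.source_port, rule.destination_port):
        if spec:
            try:
                parse_port_range(spec)
            except ValueError as err:
                problems.append(str(err))
    for addr in rule.source_ips + rule.destination_ips:
        try:
            if ipaddress.ip_network(addr, strict=False).version != 4:
                problems.append(f"{addr!r} is not an IPv4 address or prefix")
        except ValueError:
            problems.append(f"invalid IPv4 address or prefix {addr!r}")
    return problems


def _ip_in(addr, prefixes):
    ip = ipaddress.ip_address(addr)       # version mismatch simply yields False
    return any(ip in ipaddress.ip_network(p, strict=False) for p in prefixes)


def _port_in(port, spec):
    first, last = parse_port_range(spec)
    return port is not None and first <= port <= last


def matches(rule, pkt, ip_sets=None):
    """True when every criterion the rule sets is satisfied; unset criteria match anything.
    ip_sets maps IP-set name -> list of prefixes; matching either side is an assumption."""
    if rule.ip_version == "IPv4" and ipaddress.ip_address(pkt.src_ip).version != 4:
        return False
    if rule.source_zone and pkt.src_zone != rule.source_zone:
        return False
    if rule.destination_zone and pkt.dst_zone != rule.destination_zone:
        return False
    if rule.ip_set:
        prefixes = (ip_sets or {}).get(rule.ip_set, [])
        if not (_ip_in(pkt.src_ip, prefixes) or _ip_in(pkt.dst_ip, prefixes)):
            return False
    if rule.source_ips and not _ip_in(pkt.src_ip, rule.source_ips):
        return False
    if rule.destination_ips and not _ip_in(pkt.dst_ip, rule.destination_ips):
        return False
    if rule.protocol and pkt.protocol != rule.protocol:
        return False
    if rule.source_port and not _port_in(pkt.src_port, rule.source_port):
        return False
    if rule.destination_port and not _port_in(pkt.dst_port, rule.destination_port):
        return False
    if rule.dpi_protocol and pkt.app != rule.dpi_protocol:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample: allow LAN-to-WAN TCP to ports 80-443, then test two packets.
    rule = FirewallRule(name="allow-web", source_zone="lan", destination_zone="wan",
                        protocol="TCP", destination_port="80-443")
    print(validate(rule))
    print(matches(rule, Packet("10.0.0.5", "203.0.113.10", "TCP", "lan", "wan", 51000, 443)))
    print(matches(rule, Packet("10.0.0.5", "203.0.113.10", "TCP", "lan", "wan", 51000, 22)))
```

Running `validate` before saving a rule catches the same inconsistencies the UI prevents by greying out fields (for example an IP set combined with explicit Source IP entries), which matters when rules are generated or imported by script rather than clicked together in the console. The DPI criterion is deliberately the last check in `matches`, mirroring the page's note that application attribution is the expensive part: cheap header checks reject most non-matching packets first.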