Kaspersky IoT Secure Gateway 1000

About Firewall rules

April 12, 2024

ID 198598

The firewall rules are divided into preset and custom. Kaspersky IoT Secure Gateway 1000 supports rules for the TCP and UDP protocols (only IPv4). Stateful Packet Inspection is enabled for these protocols. In addition, the Kaspersky IoT Secure Gateway 1000 firewall checks network traffic against the lists of blocked and allowed IP addresses.

Preset firewall rules

Preset rules are supplied as part of Kaspersky IoT Secure Gateway 1000 and ensure full operation of the Kaspersky IoT Secure Gateway 1000 firewall. These rules cannot be modified, and they are not displayed in Kaspersky Security Center 14.2 Web Console. Preset rules allow the following Kaspersky IoT Secure Gateway 1000 connection types:

  • Outgoing connections with the Kaspersky Security Center 14.2 Web Console over the TCP protocol;
  • Incoming connections with the local web server over the HTTPS protocol;
  • Outgoing connections with the Syslog server over the TCP and UDP protocols;
  • Outgoing and incoming connections with MQTT data sources over the TCP protocol;
  • Outgoing and incoming connections with external and internal DNS servers over the UDP protocol;
  • Outgoing and incoming connections with devices combined into a network cluster (if activated and configured).

Custom firewall rules

You can manually create custom firewall rules, and edit or delete rules of this type. Changes to the configuration of custom rules are applied to the system after Kaspersky IoT Secure Gateway 1000 and Kaspersky Security Center are synchronized. Custom firewall rules are checked in the order defined in the Kaspersky Security Center 14.2 Web Console, from top to bottom. You can create up to 512 custom firewall rules. Events of creation, modification, and deletion of custom rules, as well as of reaching their limit, are recorded in the event log.

Custom rules can also be received from third-party intrusion detection tools that Kaspersky IoT Secure Gateway 1000 integrates with via Kaspersky Security Center OpenAPI.

Kaspersky IoT Secure Gateway 1000 cannot independently detect attacks that originate on an external network. This requires integration with third-party intrusion detection tools. Kaspersky IoT Secure Gateway 1000 and intrusion detection tools must be connected to the same instance of Kaspersky Security Center Administration Server.

When suspicious network activity or a possible intrusion from an external network is detected, the third-party intrusion detection system sends a rule to Kaspersky IoT Secure Gateway 1000 to block the source of the suspicious network activity. Kaspersky IoT Secure Gateway 1000 creates the rule in the firewall and blocks the source IP address according to that rule.

The created rule remains valid indefinitely. You can delete the rule manually if needed.

You can view the table of custom firewall rules in Kaspersky Security Center 14.2 Web Console in the Network → Firewall section. The following information is displayed for each rule:

  • Rule status – active status of the custom rule: Enabled or Disabled.
  • Action – action to be applied to the traffic passing through the firewall: Allow or Block.
  • Zone – custom rule scope: Internal network or External network.
  • IP address (source) – IP address of the network traffic source.
  • Port (source) – port of the network traffic source.
  • IP address (target) – IP address of the network traffic destination.
  • Port (target) – port of the network traffic destination.
  • Protocol – protocol used when scanning the network traffic: TCP, UDP.

The following limitations apply to the custom firewall rules of Kaspersky IoT Secure Gateway 1000:

  • It is not allowed to specify the device domain name as the source or destination of the network traffic (including localhost, which is the standard domain name for private IP addresses).
  • It is not allowed to use service ports reserved by the system as source or destination ports: 53, 67, 68, 443, 13294, 1883, 8883, 514.
