Kaspersky SD-WAN

Creating a firewall zone

April 17, 2024

ID 270039

You can create a common firewall zone or a zone on the CPE device.

To create a firewall zone:

  1. Create a firewall zone in one of the following ways:
    • If you want to create a common firewall zone, go to the SD-WAN → Firewall zones section and in the upper part of the page, click + Firewall zone.
    • If you want to create a firewall zone on a CPE device, go to the SD-WAN → CPE menu section, click the device, and in the displayed settings area, select the Firewall settings → Zones tab, select the Override check box, and click + Firewall zone.

    A table of firewall zones is displayed.

  2. This opens a window. In the Name field, enter the name of the firewall zone. Maximum length: 255 characters.
  3. In the Input drop-down list, select the action that you want the firewall to apply to inbound traffic packets:
    • ACCEPT to accept traffic packets. Default value.
    • DROP to drop traffic packets.
    • REJECT to reject traffic packets with an icmp-reject message.
  4. In the Output drop-down list, select the action that you want the firewall to apply to outbound traffic packets:
    • ACCEPT to accept traffic packets. Default value.
    • DROP to drop traffic packets.
    • REJECT to reject traffic packets with an icmp-reject message.
  5. In the Forwarding drop-down list, select the action that you want the firewall to apply to traffic packets relayed between network interfaces and subnets:
    • ACCEPT to accept traffic packets. Default value.
    • DROP to drop traffic packets.
    • REJECT to reject traffic packets with an icmp-reject message.
  6. If you want to replace the source IP address of outbound traffic packets from the zone with the IP address assigned to the egress network interface:
    1. Select the Masquerading check box. This check box is cleared by default.
    2. If you want to replace the source IP address only for traffic packets with the specified source subnet:
      1. Under Masquerading source subnets, click + Add.
      2. In the field that is displayed, enter an IPv4 prefix.

      The subnet is specified and displayed under Masquerading source subnets. You can specify multiple subnets; to delete a subnet, click the delete icon next to it.

    3. If you want to replace the source IP address only for traffic packets with the specified destination subnet:
      1. Under Masquerading destination subnets, click + Add.
      2. In the field that is displayed, enter an IPv4 prefix.

      The subnet is specified and displayed under Masquerading destination subnets. You can specify multiple subnets; to delete a subnet, click the delete icon next to it.

  7. Clear the MSS clamp to PMTU check box if you do not want the firewall to limit the Maximum Segment Size (MSS) of traffic packets relayed through the zone to the Path Maximum Transmission Unit (PMTU) value minus 40. The purpose of subtracting 40 is to exclude the size of the TCP header. This check box is selected by default.
  8. If you want the firewall to keep a log of traffic packets dropped in the zone, select the Drops logging check box. If logs created on a CPE device are sent to a Syslog server, you can view the logs on that server. If logs created on the CPE device are stored locally, you can view the logs by requesting diagnostic information. This check box is cleared by default.
  9. If network interfaces of CPE devices are connected to L3 switches or routers, and you want to relay traffic packets from subnets of these switches or routers through the firewall zone, add the subnet to the zone:
    1. Under Networks, click + Add.
    2. In the field that is displayed, enter the IPv4 prefix of the subnet.

    The subnet is added and displayed under Networks. You can add multiple subnets; to delete a subnet, click the delete icon next to it.

  10. Click Create.

    The firewall zone is created and displayed in the table.

  11. If you have created a firewall zone on a CPE device, click Save in the upper part of the settings area to save the device settings.

You must add network interfaces to the created firewall zone. You can do this when creating or editing a network interface. If you created a firewall zone on a CPE device, the network interfaces that you add to the zone must be created on the same device.
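The zone settings described in the procedure form a small policy model. The Python below is an added example, not Kaspersky's code and not any SD-WAN API; it encodes the defaults, limits and interactions the page states (Input/Output/Forwarding actions, masquerading with source and destination subnet filters, MSS clamping to PMTU minus 40, drops logging) so a practitioner can check how a given zone configuration would treat a packet. It assumes that the source-subnet and destination-subnet filters both have to match when both are configured, and that an IPv4 prefix with host bits set is rejected as invalid.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional

ACTIONS = {"ACCEPT", "DROP", "REJECT"}  # the three actions offered in the drop-down lists

@dataclass
class FirewallZone:
    """Constructed model of one firewall zone's settings, using the page's defaults."""
    name: str
    input: str = "ACCEPT"
    output: str = "ACCEPT"
    forwarding: str = "ACCEPT"
    masquerading: bool = False
    masq_src: List[str] = field(default_factory=list)   # Masquerading source subnets
    masq_dst: List[str] = field(default_factory=list)   # Masquerading destination subnets
    mss_clamp: bool = True                              # MSS clamp to PMTU (selected by default)
    drops_logging: bool = False                         # Drops logging (cleared by default)
    networks: List[str] = field(default_factory=list)   # Networks relayed through the zone

    def __post_init__(self) -> None:
        if not 0 < len(self.name) <= 255:
            raise ValueError("zone name must be 1 to 255 characters")
        for action in (self.input, self.output, self.forwarding):
            if action not in ACTIONS:
                raise ValueError(f"unknown action {action!r}")
        # Assumption: a prefix with host bits set is treated as an invalid IPv4 prefix.
        for prefix in self.masq_src + self.masq_dst + self.networks:
            IPv4Network(prefix, strict=True)

    def verdict(self, direction: str) -> str:
        # Action for inbound ("input"), outbound ("output") or relayed ("forwarding") packets.
        return {"input": self.input, "output": self.output, "forwarding": self.forwarding}[direction]

    def masquerade(self, src: str, dst: str) -> bool:
        """Source address is rewritten only when masquerading is on and the packet matches
        every configured subnet filter; an empty list means no restriction (assumption: AND)."""
        if not self.masquerading:
            return False
        s, d = IPv4Address(src), IPv4Address(dst)
        src_ok = not self.masq_src or any(s in IPv4Network(n) for n in self.masq_src)
        dst_ok = not self.masq_dst or any(d in IPv4Network(n) for n in self.masq_dst)
        return src_ok and dst_ok

    def clamped_mss(self, pmtu: int) -> Optional[int]:
        return pmtu - 40 if self.mss_clamp else None  # PMTU minus 40, or no limit

    def drop_log(self, direction: str, src: str, dst: str) -> Optional[str]:
        # Drops logging records only DROP verdicts, and only while the check box is selected.
        if self.drops_logging and self.verdict(direction) == "DROP":
            return f"zone={self.name} dir={direction} src={src} dst={dst} action=DROP"
        return None
```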
