Kaspersky IoT Secure Gateway 1000

Procedure for processing network traffic

April 12, 2024

ID 196192

Kaspersky IoT Secure Gateway 1000 processes traffic at the packet level according to firewall rules and the lists of allowed and blocked IP addresses.

Kaspersky IoT Secure Gateway 1000 stops processing a network packet on the first match with a rule; all the following rules are ignored.

The traffic processing procedure differs for unidirectional gateway and network router device types. The type of network device is defined when installing Kaspersky IoT Secure Gateway 1000.

Traffic processing procedure for the unidirectional gateway device type

If Kaspersky IoT Secure Gateway 1000 functions as a unidirectional gateway, traffic processing rules are applied differently depending on the type of network.

For external network traffic, the rules are applied in the following order:

  1. Diagnostic firewall allow rules.

    These rules are supplied as part of Kaspersky IoT Secure Gateway 1000. They are required for allowing traffic when starting Kaspersky IoT Secure Gateway 1000 self-diagnostics.

    These rules cannot be modified, and they are not displayed in Kaspersky Security Center 14.2 Web Console.

  2. Outgoing traffic allow rules.

    These rules are supplied as part of Kaspersky IoT Secure Gateway 1000. They are required for allowing traffic from a device on an internal network to a device on the external network.

    These rules cannot be modified, and they are not displayed in Kaspersky Security Center 14.2 Web Console.

  3. Preset firewall allow rules.

    These rules are supplied as part of Kaspersky IoT Secure Gateway 1000. They allow traffic over the ICMP protocol.

    These rules cannot be modified, and they are not displayed in Kaspersky Security Center 14.2 Web Console.

  4. VPN application allow rules.

    These rules are delivered automatically after the VPN application is installed. They are required for allowing traffic initiated by the VPN application.

    These rules cannot be modified, and they are not displayed in Kaspersky Security Center 14.2 Web Console.

  5. Preset firewall block rules.

    These rules are supplied as part of Kaspersky IoT Secure Gateway 1000. They are required for blocking all incoming traffic.

    These rules cannot be modified, and they are not displayed in Kaspersky Security Center 14.2 Web Console.

For internal network traffic, the rules are applied in the following order:

  1. Diagnostic firewall allow rules.

    These rules are supplied as part of Kaspersky IoT Secure Gateway 1000. They are required for allowing traffic when starting Kaspersky IoT Secure Gateway 1000 self-diagnostics.

    These rules cannot be modified, and they are not displayed in Kaspersky Security Center 14.2 Web Console.

  2. Outgoing traffic allow rules.

    These rules are supplied as part of Kaspersky IoT Secure Gateway 1000. They are required for allowing traffic between devices on the internal network.

    These rules cannot be modified, and they are not displayed in Kaspersky Security Center 14.2 Web Console.

  3. Preset firewall allow rules.

    These rules are supplied as part of Kaspersky IoT Secure Gateway 1000. They allow traffic over the ICMP and CARP protocols, as well as Kaspersky IoT Secure Gateway 1000 web interface traffic and the Kaspersky Security Center 14.2 Web Console traffic.

    These rules cannot be modified, and they are not displayed in Kaspersky Security Center 14.2 Web Console.

  4. Deny rules for application protocol traffic filtering.

    You can select application protocols whose traffic you want to block. Traffic processing rules will be generated according to your choices.

  5. Emergency support mode deny rules.

    This list of rules applies only if emergency support mode is active. In that event, all traffic is blocked. You cannot modify these rules.

  6. IP address allowlist.

    With Kaspersky IoT Secure Gateway Network Protector, you can add to the allowlist, edit and delete the IP addresses of devices whose traffic must be allowed.

  7. IP address denylist.

    The list is generated automatically from information about suspicious industrial traffic filtered with Kaspersky IoT Secure Gateway Network Protector rules. You can set up filtering rules to block traffic that uses industrial protocols. You can also delete IP addresses previously added to the IP address denylist, if required.

  8. Custom firewall deny rules.

    You can create, edit, or delete these rules for the internal and external networks.

  9. Custom firewall allow rules.

    You can create, edit, or delete these rules for the internal and external networks.

  10. Preset Syslog and DHCP allow rules.

    These rules are supplied as part of Kaspersky IoT Secure Gateway 1000. These rules cannot be modified, and they are not displayed in Kaspersky Security Center 14.2 Web Console.

  11. Rules to allow outgoing traffic over established connections.

    These rules are supplied as part of Kaspersky IoT Secure Gateway 1000. They are required for allowing outgoing traffic in response to incoming requests from an external network.

    These rules cannot be modified, and they are not displayed in Kaspersky Security Center 14.2 Web Console.

  12. Preset firewall block rules.

    These rules are supplied as part of Kaspersky IoT Secure Gateway 1000. These rules cannot be modified, and they are not displayed in Kaspersky Security Center 14.2 Web Console.

Traffic processing procedure for the network router device type

If Kaspersky IoT Secure Gateway 1000 is functioning as a network router, traffic processing rules are applied in the following order:

  1. Diagnostic firewall allow rules.

    These rules are supplied as part of Kaspersky IoT Secure Gateway 1000. They are required for allowing traffic when starting Kaspersky IoT Secure Gateway 1000 self-diagnostics.

    These rules cannot be modified, and they are not displayed in Kaspersky Security Center 14.2 Web Console.

  2. Preset firewall allow rules.

    These rules are supplied as part of Kaspersky IoT Secure Gateway 1000. They allow traffic over the ICMP and CARP protocols, as well as Kaspersky IoT Secure Gateway 1000 web interface traffic and the Kaspersky Security Center 14.2 Web Console traffic.

    These rules cannot be modified, and they are not displayed in Kaspersky Security Center 14.2 Web Console.

  3. Deny rules for application protocol traffic filtering.

    You can select application protocols whose traffic you want to block. Traffic processing rules will be generated according to your choices.

  4. Emergency support mode deny rules.

    This list of rules applies only if emergency support mode is active. In that event, all traffic is blocked. You cannot modify these rules.

  5. IP address allowlist.

    With Kaspersky IoT Secure Gateway Network Protector, you can add to the allowlist, edit and delete the IP addresses of devices whose traffic must be allowed.

  6. IP address denylist.

    The list is generated automatically from information about suspicious industrial traffic filtered with Kaspersky IoT Secure Gateway Network Protector rules. You can set up filtering rules to block traffic that uses industrial protocols. You can also delete IP addresses previously added to the IP address denylist, if required.

  7. Address translation (NAT) allow rules.

    You can create, edit, and delete these rules.

  8. Custom firewall deny rules.

    You can create, edit, or delete these rules for the internal and external networks.

  9. Custom firewall allow rules.

    You can create, edit, or delete these rules for the internal and external networks.

  10. Preset Syslog, MQTT, DHCP, and DNS allow rules.

    These rules are supplied as part of Kaspersky IoT Secure Gateway 1000. These rules cannot be modified, and they are not displayed in Kaspersky Security Center 14.2 Web Console.

  11. Rules to allow outgoing traffic over established connections.

    These rules are supplied as part of Kaspersky IoT Secure Gateway 1000. They are required for allowing outgoing traffic in response to incoming requests from an external network.

    These rules cannot be modified, and they are not displayed in Kaspersky Security Center 14.2 Web Console.

  12. Preset firewall block rules.

    These rules block all incoming traffic. They are supplied as part of Kaspersky IoT Secure Gateway 1000. These rules cannot be modified, and they are not displayed in Kaspersky Security Center 14.2 Web Console.
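To make the first-match ordering concrete for both device types, here is a constructed Python model (added here, not code from Kaspersky IoT Secure Gateway 1000) of the network router chain; the internal-network chain of the unidirectional gateway type has the same shape with shifted stage numbers. Stage numbers follow the list above, while the addresses, ports and the blocked application protocol are made up. It shows why a custom allow rule (stage 9) cannot override the IP address denylist (stage 6) or an application protocol deny rule (stage 3), and why the emergency support mode deny rule (stage 4) blocks even allowlisted hosts.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp", "udp" or "icmp"
    dport: int = 0    # 0 for protocols without ports

@dataclass(frozen=True)
class Rule:
    stage: str        # numbered stage from the documented processing order
    action: str       # "allow" or "block"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: int = 0    # 0 matches any destination port

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("any", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.dport in (0, p.dport))

def evaluate(chain, p):
    """Stop at the first matching rule; every later rule is ignored."""
    for r in chain:
        if r.matches(p):
            return r.action, r.stage
    return "block", "no match"   # unreachable while the chain ends in a catch-all block

def router_chain(emergency_mode=False):
    """Constructed chain for the network router device type. Stage numbers follow
    the documented order; addresses, ports and blocked protocols are made up.
    Stages 1, 7, 10 and 11 are left out because they do not affect the sample packets."""
    chain = [
        Rule("2 preset allow", "allow", proto="icmp"),
        Rule("3 app-protocol deny", "block", proto="tcp", dport=23),  # a protocol the operator chose to block
        Rule("5 IP allowlist", "allow", src="10.0.0.5/32"),
        Rule("6 IP denylist", "block", src="10.0.0.7/32"),
        Rule("8 custom deny", "block", proto="udp", dport=161),
        Rule("9 custom allow", "allow", src="10.0.0.0/24"),
        Rule("12 preset block", "block"),
    ]
    if emergency_mode:   # stage 4 precedes the allowlist, so allowlisted hosts are blocked too
        chain.insert(2, Rule("4 emergency deny", "block"))
    return chain
```

When auditing a rule set, evaluate each packet class against the chain in this order rather than reading allow and deny rules in isolation; an allow rule placed after a matching deny rule is never reached.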
