Configuring general settings for firewall rules

Use the general settings area of the Firewall Rules page for the Network IPS appliance to describe rules and to specify actions and characteristics of the rule.

About this task

Navigating in the Network IPS Local Management Interface: Secure Protection Settings > Firewall > Firewall Rules

Navigating in the SiteProtector™ system: select the Firewall policy

Procedure

  1. Click the Add icon.
  2. Configure the following options:
    Rule ID: Displays the rule's order in the list.
    Enabled: Enables the rule.
    Rule Comment: Specifies a unique description for the rule.
    Log: Specifies whether to log details of the packets that match the rule in the firewall log in the /var/iss/ directory.
    Action: Specifies the action the firewall performs when the appliance detects a suspect packet:
    • Drop (Deny): Drops the packets as they go through the firewall. Because the firewall is inline, this action prevents the packets from reaching the target system. The source most likely makes several connection attempts, and the connection eventually times out.
    • Drop and Reset: Functions in the same manner as the Drop action, but also sends a TCP reset to the source system. The connection terminates more quickly than with the Drop action because it is reset automatically.
    • Protect: Enables matching packets to be processed by responses such as (but not limited to) log evidence, block, and quarantine. Packets that match this rule are processed by PAM.
    • Monitor: Functions as an IP whitelist. Allows packets that match the statements to bypass the quarantine response and the block response. However, all other responses still apply to the packet.
    • Ignore: Allows the matching packet to pass through so that no further actions or responses are taken on the packet.
      Note: With firewall rules set in passive monitoring mode, use the Ignore action to filter traffic that you do not want the appliance to inspect. Ignore is the only action that has an effect for firewall rules in passive monitoring mode.
    Rule Type: Specifies the type of firewall rule:
    • Constructed: The Network IPS Local Management Interface constructs the firewall rule for you from the values that you specify.
    • Manually Entered: You construct your own firewall rules.
      Note: For more information, see Firewall rule syntax.
    Interfaces: Specifies enabled or disabled interfaces.
    VLAN: Specifies the range of VLAN tags.
    Protocol: Specifies a protocol for the rule (Any, TCP, UDP, ICMP, ICMPv6, or Number).
    Notes:
    • If you select Any as the protocol for a rule, the following clauses are added according to which of these conditions are met:
      • If you set an ICMP or an ICMPv6 code, the appropriate ICMP or ICMPv6 clause is added to the rule.
      • If you set a source or destination port, both a UDP clause and a TCP clause are added to the rule.
      • If you set a protocol Number greater than zero, a protocol number clause is added to the rule.
      • If you do not specify any protocol settings, an IP clause is added to the rule. If specified, the source and destination IP addresses are also added.
    • If you set a protocol value other than Any, the firewall rule is restricted to that protocol only.
    • If you select the ICMP or ICMPv6 protocol, type the appropriate types or codes, or click Well Known to select often-used types and codes.
  3. Click OK.
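As an added example (not the product's own code or rule syntax), the following Python models what the Constructed rule type produces from the options above: the Protocol=Any expansion into clauses, and which Action setting still has an effect in passive monitoring mode. The field names and the clause notation are assumptions made for illustration only; the page does not show the appliance's real rule syntax.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class RuleForm:
    """Values entered on the Add Firewall Rules page; field names are this example's own, not a product API."""
    protocol: str = "Any"              # Any, TCP, UDP, ICMP, ICMPv6 or Number
    src_addr: Optional[str] = None
    dst_addr: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    icmp_family: Optional[str] = None  # "icmp" or "icmpv6", set together with icmp_code
    icmp_code: Optional[int] = None
    proto_number: int = 0              # IP protocol number; 0 means "not set"

def _suffix(form: RuleForm, with_ports: bool) -> str:
    """Port and address qualifiers in an illustrative notation (assumed, not the appliance's syntax)."""
    parts = []
    if with_ports and form.src_port is not None:
        parts.append(f"src port {form.src_port}")
    if with_ports and form.dst_port is not None:
        parts.append(f"dst port {form.dst_port}")
    if form.src_addr:
        parts.append(f"src addr {form.src_addr}")
    if form.dst_addr:
        parts.append(f"dst addr {form.dst_addr}")
    return "".join(" " + p for p in parts)

def expand_clauses(form: RuleForm) -> List[str]:
    """Protocol clauses a Constructed rule receives, following the Protocol=Any notes on this page."""
    if form.protocol != "Any":
        # An explicit protocol restricts the rule to that protocol only; ports apply to TCP/UDP.
        head = f"proto {form.proto_number}" if form.protocol == "Number" else form.protocol.lower()
        return [head + _suffix(form, with_ports=form.protocol in ("TCP", "UDP"))]
    clauses = []
    if form.icmp_code is not None:
        clauses.append(f"{form.icmp_family} code {form.icmp_code}{_suffix(form, False)}")
    if form.src_port is not None or form.dst_port is not None:
        # A port under Any yields BOTH a TCP and a UDP clause, not a generic IP match.
        clauses.append("tcp" + _suffix(form, True))
        clauses.append("udp" + _suffix(form, True))
    if form.proto_number > 0:
        clauses.append(f"proto {form.proto_number}{_suffix(form, False)}")
    if not clauses:
        clauses.append("ip" + _suffix(form, False))  # plain IP clause, with addresses if given
    return clauses

def effective_action(action: str, passive_mode: bool) -> Optional[str]:
    """Action the appliance actually applies; in passive monitoring mode only Ignore takes effect."""
    return action if (not passive_mode or action == "Ignore") else None
```

A rule that sets only a destination port under Any therefore matches TCP and UDP but not other IP protocols, which matters when the rule is meant as an allow-list.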

What to do next

On the Add Firewall Rules window, specify the IP address and the port settings for IPv4 or IPv6 networks.