Managing firewall rules
The table of firewall rules is displayed in the firewall template and on the CPE device:
- To display the table of firewall rules in a firewall template, go to the SD-WAN → Firewall templates menu section, click the firewall template, and select the Rules tab.
- To display the table of firewall rules on a CPE device, go to the SD-WAN → CPE menu section, click the CPE device, and select the Firewall settings → Rules tab.
The following firewall rules are created by default:
- Allow-GENEVE allows the CPE device to receive GENEVE packets from the WAN firewall zone. GENEVE packets are encapsulated Kaspersky SD-WAN traffic.
- Allow-DHCP-Renew allows the CPE device to receive BOOTP packets from the WAN firewall zone, which is necessary for DHCP to work.
- Allow-IGMP allows the CPE device to receive IGMP packets from the WAN firewall zone, which is necessary for VRRP and multicast to work.
- The following firewall rules are temporarily disabled until full support for IPv6 becomes available in Kaspersky SD-WAN:
  - Allow-DHCPv6 allows the CPE device to receive DHCPv6 packets from the WAN firewall zone, which is necessary for IPv6 to work.
  - Allow-MLD allows the CPE device to receive MLD packets from the WAN firewall zone, which is necessary for IPv6 to work.
  - Allow-ICMPv6-Input allows the CPE device to receive ICMPv6 packets from the WAN firewall zone, which is necessary for IPv6 to work.
  - Allow-ICMPv6-Forward-From-Wan allows the CPE device to receive ICMPv6 packets from the WAN firewall zone and forward them to the LAN firewall zone, which is necessary for IPv6 to work.
  - Allow-ICMPv6-Forward-From-Lan allows the CPE device to receive ICMPv6 packets from the LAN firewall zone and forward them to the WAN firewall zone, which is necessary for IPv6 to work.
- Explicit-deny-http(s)-on-wan blocks TCP traffic packets with destination port 80 or 443 from reaching the CPE device, to prevent access from the WAN firewall zone to the web server of the CPE device.
For the default firewall rules to work correctly, you need to add sd-wan<0–4> network interfaces to the WAN firewall zone. You can add network interfaces to a firewall zone when creating or editing a network interface.
Information about firewall rules is displayed in the following columns of the table:
- Name is the name of the firewall rule.
- Details contains criteria according to which the firewall applies the rule to traffic packets.
- Action is the action that the firewall rule applies to traffic packets.
Creating a firewall rule
You can create a firewall rule in a firewall template or on a CPE device. A firewall rule created in a firewall template is automatically created on all CPE devices that use this firewall template.
To create a firewall rule:
- Create a firewall rule in one of the following ways:
- If you want to create a firewall rule in a firewall template, go to the SD-WAN → Firewall templates menu section, click the firewall template, and select the Rules tab.
- If you want to create a firewall rule on a CPE device, go to the SD-WAN → CPE menu section, click the CPE device, select the Firewall settings → Rules tab, and select the Override check box.
A table of firewall rules is displayed.
- Click + Rule.
- In the window that opens, enter the name of the firewall rule in the Name field. Maximum length: 255 characters.
- In the Action drop-down list, select the action that the firewall rule applies to traffic packets:
- Specify the criteria according to which the firewall must apply the firewall rule to traffic packets:
- If you want to apply the firewall rule only to traffic packets with the specified source or destination IP addresses or subnets, in the IP set drop-down list, select a created IP set. If you select a value from this drop-down list, the Source IP and Destination IP blocks become unavailable.
- If you want to apply the firewall rule only to traffic packets with the specified version of source or destination IP addresses or subnets, in the IP version drop-down list, select one of the following options:
  - IPv4
  - IPv6
  If you do not select a value, the firewall rule is applied to traffic packets with any version of source or destination IP addresses or subnets.
- If you want to apply the firewall rule only to traffic packets with the specified source firewall zone, in the Source zone drop-down list, select the created firewall zone.
- If you want to apply the firewall rule only to traffic packets with the specified destination firewall zone, in the Destination zone drop-down list, select a created firewall zone.
- If you want to apply the firewall rule only to traffic packets with the specified source IPv4 address or prefix, under Source IP, click + Add and enter an IPv4 address or prefix.
The IPv4 address or prefix is specified and displayed under Source IP. You can specify multiple IPv4 addresses or prefixes or delete an IPv4 address or prefix. To delete an IPv4 address or prefix, click the delete icon next to it.
- If you want to apply the firewall rule only to traffic packets with the specified destination IPv4 address or prefix, under Destination IP, click + Add and enter an IPv4 address or prefix.
The IPv4 address or prefix is specified and displayed under Destination IP. You can specify multiple IPv4 addresses or prefixes or delete an IPv4 address or prefix. To delete an IPv4 address or prefix, click the delete icon next to it.
- If you want to apply the firewall rule only to traffic packets of the specified protocol, select a protocol in the Protocol drop-down list. When you select an option in this drop-down list, the DPI protocol drop-down list becomes unavailable.
With TCP or UDP selected, if you want to apply the firewall rule only to traffic packets with the specified source and/or destination ports:
- In the Source port field, enter a source port number or a range of source port numbers.
- In the Destination port field, enter a destination port number or a range of destination port numbers.
Range of values: 0 to 65,535. The format of the port number range is <first value>-<last value>. For example, you can enter 10 or 10-15.
- If you want to apply the firewall rule only to traffic packets of the specified application, select an application in the DPI protocol drop-down list.
Traffic is attributed to applications using DPI, which places additional load on the CPU of the CPE device.
You can specify the DPI marks that determine the traffic packets the rule is applied to. If you disabled the DPI technology when specifying the basic settings of the firewall, the firewall rule is automatically disabled.
- Click Create.
The firewall rule is created and displayed in the table.
- In the upper part of the settings area, click Save to save the settings of the firewall template or CPE device.
By default, the firewall rule is disabled. You must enable the firewall rule to have it applied to traffic packets.
Configuring the order of firewall rules
Firewall rules are applied to traffic packets in order from the top of the table down, starting with the first firewall rule. By default, firewall rules are displayed in the table in the order of creation: the earlier a firewall rule was created, the higher it is displayed in the table.
You can configure the order in which firewall rules are applied in a firewall template or on a CPE device. The order in which firewall rules are applied, which is specified in the firewall template, is automatically propagated to all CPE devices that use this firewall template.
To configure the order in which firewall rules are applied:
- Edit the order in which firewall rules are applied in one of the following ways:
- If you want to configure the order in which firewall rules are applied in a firewall template, go to the SD-WAN → Firewall templates menu section, click the firewall template, and select the Rules tab.
- If you want to configure the order in which firewall rules are applied on a CPE device, go to the SD-WAN → CPE menu section, click the CPE device, select the Firewall settings → Rules tab, and select the Override check box.
A table of firewall rules is displayed.
- Configure the order in which firewall rules are applied by clicking the Up and Down buttons next to them.
- In the upper part of the settings area, click Save to save the settings of the firewall template or CPE device.
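As an added example (not Kaspersky's code, and not a description of how the CPE firewall is implemented), the following Python model shows the two behaviours the rule-creation steps and this section rely on: the <first value>-<last value> port field format and top-to-bottom rule order, including how a permissive rule placed above Explicit-deny-http(s)-on-wan shadows it and how a rule left in its default disabled state is skipped. The field names, the action labels "allow" and "block", the Allow-any-from-wan rule and the sample packet are assumptions, since the page does not list the Action drop-down values.

```python
from dataclasses import dataclass
from typing import Optional

# Illustrative model only; field names and action labels are assumptions.

def parse_ports(spec: str) -> set:
    """Parse a port field in the page's format: a single port or
    "<first value>-<last value>", each value within 0 to 65,535."""
    first, _, last = spec.partition("-")
    lo, hi = int(first), int(last or first)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"port or range out of bounds: {spec!r}")
    return set(range(lo, hi + 1))


@dataclass
class Rule:
    name: str
    action: str                      # assumed labels: "allow" or "block"
    enabled: bool = False            # rules are created disabled by default
    src_zone: Optional[str] = None   # an unset criterion matches any packet
    dst_zone: Optional[str] = None
    protocol: Optional[str] = None
    dst_ports: Optional[set] = None

    def matches(self, pkt: dict) -> bool:
        return (
            (self.src_zone is None or pkt.get("src_zone") == self.src_zone)
            and (self.dst_zone is None or pkt.get("dst_zone") == self.dst_zone)
            and (self.protocol is None or pkt.get("protocol") == self.protocol)
            and (self.dst_ports is None or pkt.get("dst_port") in self.dst_ports)
        )


def evaluate(rules: list, pkt: dict) -> Optional[Rule]:
    """Walk the table top to bottom and return the first enabled rule that
    matches; disabled rules are skipped as if they were not in the table."""
    for rule in rules:
        if rule.enabled and rule.matches(pkt):
            return rule
    return None


# The default rule described on this page, modelled with the criteria it names.
DENY_WEB = Rule("Explicit-deny-http(s)-on-wan", "block", enabled=True,
                src_zone="wan", protocol="tcp",
                dst_ports=parse_ports("80") | parse_ports("443"))
# Constructed broad rule (not a default) that shadows the deny if placed above it.
ALLOW_WAN = Rule("Allow-any-from-wan", "allow", enabled=True, src_zone="wan")
WEB_FROM_WAN = {"src_zone": "wan", "protocol": "tcp", "dst_port": 443}  # constructed
```

With DENY_WEB above ALLOW_WAN the web packet is blocked; swap the two rows with the Up and Down buttons and the same packet is allowed, because the broad rule is reached first.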
Enabling or disabling a firewall rule
By default, firewall rules are created in a disabled state. You must enable the firewall rule to have it applied to traffic packets.
You can enable or disable a firewall rule in a firewall template or on a CPE device. A firewall rule enabled or disabled in a firewall template is automatically enabled or disabled on all CPE devices that use this firewall template.
To enable or disable a firewall rule:
- Enable or disable a firewall rule in one of the following ways:
- If you want to enable or disable a firewall rule in a firewall template, go to the SD-WAN → Firewall templates menu section, click the firewall template, and select the Rules tab.
- If you want to enable or disable a firewall rule on a CPE device, go to the SD-WAN → CPE menu section, click the CPE device, select the Firewall settings → Rules tab, and select the Override check box.
A table of firewall rules is displayed.
- Click Enable or Disable next to the firewall rule that you want to enable or disable.
The firewall rule is enabled or disabled.
- In the upper part of the settings area, click Save to save the settings of the firewall template or CPE device.
Editing a firewall rule
You can edit a firewall rule in a firewall template or on a CPE device. A firewall rule modified in a firewall template is automatically modified on all CPE devices that use this firewall template.
To edit a firewall rule:
- Edit a firewall rule in one of the following ways:
- If you want to edit a firewall rule in a firewall template, go to the SD-WAN → Firewall templates menu section, click the firewall template, and select the Rules tab.
- If you want to edit a firewall rule on a CPE device, go to the SD-WAN → CPE menu section, click the CPE device, select the Firewall settings → Rules tab, and select the Override check box.
A table of firewall rules is displayed.
- Click Edit next to the firewall rule that you want to edit.
- In the window that opens, edit the firewall rule settings if necessary. For a description of the settings, see the instructions for creating a firewall rule.
- Click Save.
The firewall rule is modified and updated in the table.
- In the upper part of the settings area, click Save to save the settings of the firewall template or CPE device.
Deleting a firewall rule
You can delete a firewall rule in a firewall template or on a CPE device. A firewall rule deleted in a firewall template is automatically deleted on all CPE devices that use this firewall template.
Deleted firewall rules cannot be restored.
To delete a firewall rule:
- Delete a firewall rule in one of the following ways:
- If you want to delete a firewall rule in a firewall template, go to the SD-WAN → Firewall templates menu section, click the firewall template, and select the Rules tab.
- If you want to delete a firewall rule on a CPE device, go to the SD-WAN → CPE menu section, click the CPE device, select the Firewall settings → Rules tab, and select the Override check box.
A table of firewall rules is displayed.
- Click Delete next to the firewall rule that you want to delete.
- In the confirmation window, click Delete.
The firewall rule is deleted and is no longer displayed in the table.
- In the upper part of the settings area, click Save to save the settings of the firewall template or CPE device.