Firewall Rules

Firewall Rules examine the control information in individual packets. The Rules either block or allow those packets based on rules that are defined on these pages. Firewall Rules are assigned directly to computers or to Policies which are in turn assigned to a computer or collection of computers.

Solaris Agents will only examine packets with an IP frame type, and Linux Agents will only examine packets with IP or ARP frame types. Packets with other frame types will be allowed through. Note that the Virtual Appliance does not have these restrictions and can examine all frame types, regardless of the operating system of the virtual machine it is protecting.

Firewall Rule icons:

Normal Firewall Rules
Firewall Rules that operate according to a schedule

From the main page you can:

Create New () Firewall Rules from scratch
Import () Firewall Rules from an XML file (located under the New menu.)
Examine or modify the Properties of an existing Firewall Rule ()
Duplicate (and then modify) existing Firewall Rules ()
Delete a Firewall Rule ()
Export () one or more Firewall Rules to an XML or CSV file. (Either export them all by clicking the Export... button, or choose from the drop-down list to export only those that are selected or displayed)
Add/Remove Columns () columns can be added or removed by clicking Add/Remove Columns. The order in which the columns are displayed can be controlled by dragging them into their new position. Listed items can be sorted and searched by the contents of any column.

Firewall Rules that are assigned to one or more computers or that are part of a Policy cannot be deleted.

Clicking New () or Properties () displays the Firewall Rules Properties window.

Firewall Rule Properties

General Information

Name: The name of the Firewall Rule.
Description: A detailed description of the Firewall Rule.
Action: Your Firewall Rule can behave in four different ways. These are described here in order of precedence:
1. The traffic can bypass the firewall completely. This is a special rule that can cause the packets to bypass the Firewall and Intrusion Prevention engine entirely. Use this setting for media intensive protocols where filtering may not be desired. To find out more about the bypass rule, see "Bypass Rule" in the Reference section.
2. It can log only. This means it will only make an entry in the logs and not interfere with the traffic.
3. It can force allow defined traffic (it will allow traffic defined by this rule without excluding any other traffic.)
4. It can deny traffic (it will deny traffic defined by this rule.)
5. It can allow traffic (it will exclusively allow traffic defined by this rule.)
  If you have no Allow rules in effect on a computer, all traffic is permitted unless it is specifically blocked by a Deny rule. Once you create a single Allow rule, all other traffic is blocked unless it meets the requirements of the Allow rule. There is one exception to this: ICMPv6 traffic is always permitted unless it is specifically blocked by a Deny rule.
Only one rule action is applied to any particular packet, and rules (of the same priority) are applied in the order listed above.
Priority: If you have selected "force allow", "deny", or "log only" as your rule action, you can set a priority here of 0 (low) to 4 (highest). Setting a priority allows you to combine the actions of rules to achieve a cascading rule effect. Log only rules can only have a priority of 4, and Allow rules can only have a priority of 0.
The priority determines the order in which rules are applied. High priority rules get applied before low priority rules. For example, a port 80 incoming deny rule with a priority of 3 will drop a packet before a port 80 incoming force allow rule with a priority of 2 ever gets applied to it.
Packet Direction: Select whether this rule will be applied to incoming or outgoing traffic.
Frame Type: Select a frame type. Use the Not checkbox to specify whether you will be filtering for this frame type or anything but this frame type.
You can exclusively select IPv4 or IPv6. To specify either (both), select IP.

For a list of frame types, see the Internet Assigned Numbers Authority (IANA) Web site.
Protocol: Select or specify the protocol your rule will be looking for. Use the checkbox to specify whether you will be filtering for this protocol or anything but this protocol.
You can choose from the drop down list of predefined common protocols, or you can select "Other" and enter the protocol code yourself (a three digit decimal value from 0 to 255).

Packet Source

The following options apply to the packet header's source information:

IP: Specify an IP address, a masked IP address, an IP range, or select an IP list from one you defined in the IP Lists page.
MAC: Specify a MAC address or select a MAC list from one you defined in the MAC Lists page.
Port: You can specify a comma separated list of ports or a dash separated port range in the port(s) option as well as just a single port (e.g., 80, 443, 1-100) or select a Port list from one you defined in the Port Lists page.

Packet Destination

The following options apply to the packet header's destination information:

IP: Specify an IP address, a masked IP address, an IP range, or select an IP list from one you defined in the IP Lists page.
MAC: Specify a MAC address or select a MAC list from one you defined in the MAC Lists page.
Port: You can specify a comma separated list of ports or a dash separated port range in the port(s) option as well as just a single port (e.g., 80, 443, 1-100) or select a Port list from one you defined in the Port Lists page.

Specific Flags

If you have selected TCP, ICMP, or TCP+UDP as your protocol in the General Information section above, you can direct your Firewall Rule to watch for specific flags.

Events

Select whether to enable or disable logging Events because of this Rule. If event logging is enabled, you can record the packet data with the Event.

Note that any form of allow Rule (Allow, Force Allow, Bypass) will not log any events because they would overwhelm the database.

Options

Alert

Select whether or not this Firewall Rule should trigger an Alert when it is triggered. If you only wish this rule to be active during specific periods, assign a schedule from the drop-down list.

Only Firewall Rules whose "Action" is set to "Deny" or "Log Only" can be configured to trigger an Alert. (This is because Alerts are triggered by counters which are incremented with data from log files.)

Schedule

Select whether the Firewall Rule should only be active during a scheduled time.

Firewall Rules that are active only at scheduled times are displayed in the Firewall Rules page with a small clock over their icon (

With Agent-based protection, schedules use the same time zone as the endpoint operating system. With Agentless protection, schedules use the same time zone as the Deep Security Virtual Appliance.

Context

Rule Contexts are a powerful way of implementing different security policies depending on the computer's network environment. You will most often use Contexts to create Policies which apply different Firewall and Intrusion Prevention Rules to computers (usually mobile laptops) depending on whether that computer is in or away from the office.

Contexts are designed to be associated with Firewall and Intrusion Prevention Rules. If the conditions defined in the Context associated with a Rule are met, the Rule is applied.

To determine a computer's location, Contexts examine the nature of the computer's connection to its domain controller. For more information on Contexts, see Policies > Common Objects > Other > Contexts.

For an example of a Policy that implements Firewall Rules using Contexts, look at the properties of the "Windows Mobile Laptop" Policy.

Assigned To

This tab displays a list of Policies which include this Firewall Rule as well as any computers to which this Firewall Rule has been assigned directly. Firewall Rules can be assigned to Policies in the Policies page and to computers in the Computers page.