Creating a Firewall Policy for Network Services

To create a firewall Firewall is a network security system used for preventing unauthorized access to or from a private network. policy, complete the following procedure:

To configure a Branch Gateway group or a Branch Gateway, complete either one of these steps:

To select a gateway group:
1. In the Classic Central app, set the filter to a group that contains at least one Branch Gateway.
  
  The dashboard context for a group is displayed.
2. Under Manage, click Devices > Gateways.
  
  A list of gateways is displayed in the List view.
3. Click Config.
  
  The configuration page is displayed for the selected group.
To select a gateway:
1. In the Classic Central app, set the filter to Global or a group that contains at least one Branch Gateway.
2. Under Manage, click Devices > Gateways.
  
  A list of gateways is displayed in the List view.
3. Click a gateway under Device Name.
  
  The dashboard context for the gateway is displayed.
4. Under Manage, click Device.
  
  The gateway device configuration page is displayed.

If you are in the Basic Mode, click Advanced Mode to access the advanced configuration.
Click Security > Policies.
Click the icon in the Policies table to create a new policy.

The Add policy pop-up window is displayed

Select a policy type from the Policy type drop-down list. You can select Session, Ethertype, MAC, Route, Extended, or Standard.
Enter the policy name in the Policy name field.
Click Save.

The following animation shows you how to create a firewall policy.

Configuring Access Rules

To configure access rule, complete the following procedure:

From the list of policies, select the policy that you created and click the icon in the Policy > <policy name> table.
To add a rule to restrict packet flow or permit access to network or services, configure the following parameters:

Table 1: Firewall Policy Rule Parameters
Parameter	Description
IP version	Specifies the IP version that the policy applies to. Select IPv4.
Source (required)	Source of the traffic, which can be one of the following: Any—Acts as a wildcard and applies to any source address. User—Refers to the traffic from the wireless client. Host—Refers to the traffic from a specific host. When this option is selected, specify the IP address of the host. Network—Refers to the traffic that has a source IP from a subnet Subnet is the logical division of an IP network. of IP addresses. When this option is selected, specify the IP address and network mask of the subnet. Alias—Refers to using an alias for a host or network. Local IP—Refers to the local IP address. User Role—Refers to the user role to be assigned.
Destination (required)	Destination of the traffic.
Service/app (required)	Type of traffic, which can be one of the following: Any—This option specifies that this rule applies to any type of traffic. TCP—Using this option, you configure a range of TCP Transmission Control Protocol. TCP is a communication protocol that defines the standards for establishing and maintaining network connection for applications to exchange data. ports to match for the rule to be applied. UDP—Using this option, you configure a range of UDP User Datagram Protocol. UDP is a part of the TCP/IP family of protocols used for data transfer. UDP is typically used for streaming media. UDP is a stateless protocol, which means it does not acknowledge that the packets being sent have been received. ports to match for the rule to be applied. Service—Using this option, you use one of the pre-defined services (common protocols such as HTTPS Hypertext Transfer Protocol Secure. HTTPS is a variant of the HTTP that adds a layer of security on the data in transit through a secure socket layer or transport layer security protocol connection. and HTTP Hypertext Transfer Protocol. The HTTP is an application protocol to transfer data over the web. The HTTP protocol defines how messages are formatted and transmitted, and the actions that the w servers and browsers should take in response to various commands.) as the protocol to match for the rule to be applied. Protocol—This option specifies the routing protocol. Application—This option specifies the application name. App Category—This option specifies the category of the application. Web Category/Reputation—This option specifies the name of the web content category or the predefined web content reputation level.
Action (required)	The action that Branch Gateway should take on a packet that matches the specified criteria. Deny—Denies traffic not matching this rule. Permit—Permits the traffic matching this rule. Remark-only—Select this option from the drop-down list to indicate that the traffic can be forwarded based on the QoS Quality of Service. It refers to the capability of a network to provide better service and performance to a specific network traffic over various technologies. profile selected. To set the Action type as Remark-only, you must enter a value for the DSCP Differentiated Services Code Point. DSCP is a 6-bit packet header value used for traffic classification and priority assignment. parameter or select a value from the drop-down list for 802.p priority or Queue parameters. Redirect—This option redirects the traffic to a GRE Generic Routing Encapsulation. GRE is an IP encapsulation protocol that is used to transport packets over a network. tunnel. This option is used primarily to redirect all guest traffic to a GRE tunnel and then to a DMZ router or switch. Destination NAT—Redirects traffic to the configured IP address and destination port. An example of this option is to redirect all HTTP packets to the captive portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users. port on the Branch Gateway as used in the predefined policy called captive portal. This action functions in tunnel or decrypt-tunnel forwarding mode. User should configure the NAT Network Address Translation. NAT is a method of remapping one IP address space into another by modifying network address information in Internet Protocol (IP) datagram packet headers while they are in transit across a traffic routing device. pool in the Branch Gateway. Source and Destination NAT—This option performs both source and destination NAT Destination Network Address Translation. Destination NAT is a process of translating the destination IP address of an end route packet in a network. Destination NAT is used for redirecting the traffic destined to a virtual host to the real host, where the virtual host is identified by the destination IP address and the real host is identified by the translated IP address. on packets matching the rule. This action forwards packets from the source network to the destination network and re-marks them with destination IP of the target network. This action functions in tunnel or decrypt-tunnel forwarding mode. User should configure the NAT pool in the Branch Gateway. Source NAT—Performs network address translation on packets matching the rule. The options available are: NAT Pool—When this option is selected, you must to select a NAT pool. This action functions in the tunnel or decrypt-tunnel forwarding mode. VLAN Virtual Local Area Network. In computer networking, a single Layer 2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them through one or more routers; such a domain is referred to as a Virtual Local Area Network, Virtual LAN, or VLAN.—When this option is selected, you must select a VLAN ID. The source IP address of the network changes to the IP address of the VLAN (NAT pool is automatically configured). Route Source NAT—Routes traffic based on source address. Route Destination NAT—Routes traffic based on destination address.
DSCP (optional)	Option to re-tag the traffic with the specified DSCP tag in the IP header of the packet that matches this rule when it leaves the Branch Gateway.
Time Range	You can allow or deny access during specific time range. You can either create an absolute time range with a single fixed start and end date and time; or a periodic (recurring) time range that starts and ends at a specified time on a weekday, weekend, or selected day.
802.1p Priority (optional)	When this parameter is enabled, the value of 802.1p priority bits are marked in the frame of a packet matching this rule when it leaves the Branch Gateway. 0 represents the lowest priority (background traffic) and 7 represents the highest priority (network control).
Options	Select the required options: Log—Logs a match to this rule. This is recommended when a rule indicates a security breach, such as a data packet on a policy that is meant only to be used for voice calls. Mirror—Mirrors session packets to datapath or remote destination. Denylist—Automatically denylists a client that is the source or destination of the traffic matching this rule. This option is recommended for rules that indicate a security breach where the denylisting option can be used to prevent access to clients that are attempting to breach the security. Disable Scanning—Disable AP scanning other channels.
Queue (optional)	The queue in which a packet matching this rule should be placed. Select High for higher-priority data, such as voice, and Low for lower-priority traffic.
Position	The position of the rule in the Policy <policy name> table, where 1 is first and default is last.

The following animation shows you how to add a rule to restrict packet flow or permit access to network or services.