Understanding Firewall Policies
A user role, which determines a client’s network privileges, is defined by one or morefirewallFirewall is a network security system used for preventing unauthorized access to or from a private network.policies. AfirewallFirewall is a network security system used for preventing unauthorized access to or from a private network.policy consists of rules that define the source, destination, and service type for specific traffic, and whether you want themanaged deviceto permit or deny traffic that matches the rule.
You can configurefirewallFirewall is a network security system used for preventing unauthorized access to or from a private network.policies for IPv4 traffic or IPv6 traffic, and apply IPv4 and IPv6firewallFirewall is a network security system used for preventing unauthorized access to or from a private network.policies to the same user role. For example, if you have employees that use both IPv4 and IPv6 clients, you can configure both IPv4 and IPv6firewallFirewall is a network security system used for preventing unauthorized access to or from a private network.policies and apply them both to the “employee” user role.
The procedure to configure an IPv6firewallFirewall is a network security system used for preventing unauthorized access to or from a private network.policy rule is similar to configuring afirewallFirewall is a network security system used for preventing unauthorized access to or from a private network.policy rule for IPv4 traffic, but with some differences.Table 1describes the required and optional parameters for an IPv6firewallFirewall is a network security system used for preventing unauthorized access to or from a private network.policy rule.
Parameter |
Description |
Source of the traffic: : Acts as a wildcard and applies to any source address. : This refers to traffic from the wireless client. : This refers to traffic from a specific host. When this option is chosen, you must configure the IPv6 address of the host. For example, 2002:d81f:f9f0:1000:c7e:5d61:585c:3ab. subnetSubnet is the logical division of an IP network.of IP addresses. When you chose this option, you must configure the IPv6 address and network mask of thesubnetSubnet is the logical division of an IP network.. For example, 2002:ac10:fe:: ffff:ffff:ffff::. : This refers to a traffic that has a source IP from a: This refers to using an alias for a host or network. This release does not support IPv6 aliases. You cannot configure an alias for an IPv6 host or network. |
|
Destination of the traffic, which you can configure in the same manner as source. |
|
VoIPVoice over IP. VoIP allows transmission of voice and multimedia content over an IP network.services are unavailable for IPv6 policies. Type of traffic: : This option specifies that this rule applies to any type of traffic. TCPTransmission Control Protocol. TCP is a communication protocol that defines the standards for establishing and maintaining network connection for applications to exchange data.ports to match the rule to be applied. : Using this option, you configure a range ofUDPUser Datagram Protocol. UDP is a part of the TCP/IP family of protocols used for data transfer. UDP is typically used for streaming media. UDP is a stateless protocol, which means it does not acknowledge that the packets being sent have been received.ports to match the rule to be applied. : Using this option, you configure a range ofHTTPSHypertext Transfer Protocol Secure. HTTPS is a variant of the HTTP that adds a layer of security on the data in transit through a secure socket layer or transport layer security protocol connection.,HTTPHypertext Transfer Protocol. The HTTP is an application protocol to transfer data over the web. The HTTP protocol defines how messages are formatted and transmitted, and the actions that the w servers and browsers should take in response to various commands., and others) as the protocol to match the rule to be applied. You can also specify a network service that you configure by navigating to the page. : Using this option, you use one of the pre-defined services (common protocols such asTCPTransmission Control Protocol. TCP is a communication protocol that defines the standards for establishing and maintaining network connection for applications to exchange data.orUDPUser Datagram Protocol. UDP is a part of the TCP/IP family of protocols used for data transfer. UDP is typically used for streaming media. UDP is a stateless protocol, which means it does not acknowledge that the packets being sent have been received.) by configuring the IP protocol value. :使用这个选项,你指定一个不同的层4 protocol (other than |
|
The action that you want themanaged deviceto perform on a packet that matches the specified criteria. :Permits traffic matching this rule. :滴数据包匹配此规则没有任何notification. The only actions for IPv6 policy rules are permit or deny; in this release, themanaged devicecannot performNATNetwork Address Translation. NAT is a method of remapping one IP address space into another by modifying network address information in Internet Protocol (IP) datagram packet headers while they are in transit across a traffic routing device.or redirection on IPv6 packets. You can specify options such as logging, mirroring, or blacklisting (described below). |
|
Logs a match to this rule. This is recommended when a rule indicates a security breach, such as a data packet on a policy that is meant only to be used for voice calls. |
|
Mirrors session packets to a datapath or remote destination specified in the IPv6firewallFirewall is a network security system used for preventing unauthorized access to or from a private network.function (seeTable 1). If the destination is an IP address, it must be an IPv4 IP address. |
|
The queue in which a packet matching this rule should be placed. Select for higher priority data, such as voice, and for lower priority traffic. |
|
Time range for which this rule is applicable. You configure time ranges in the page. |
|
Automatically blacklists a client that is the source or destination of traffic matching this rule. This option is recommended for rules that indicate a security breach where the blacklisting option can be used to prevent access to clients that are attempting to breach the security. |
|
Value ofToSType of Service. The ToS field is part of the IPv4 header, which specifies datagrams priority and requests a route for low-delay, high-throughput, or a highly reliable service.bits to be marked in the IP header of a packet matching this rule when it leaves themanaged device. |
|
Value of 802.1p priority bits to be marked in the frame of a packet matching this rule when it leaves themanaged device. |
The following example creates a policy ipv6-web-only that allows only web (HTTPHypertext Transfer Protocol. The HTTP is an application protocol to transfer data over the web. The HTTP protocol defines how messages are formatted and transmitted, and the actions that the w servers and browsers should take in response to various commands.andHTTPSHypertext Transfer Protocol Secure. HTTPS is a variant of the HTTP that adds a layer of security on the data in transit through a secure socket layer or transport layer security protocol connection.) access for IPv6 clients and assigns the policy to the user role “web-guest."
The user role web-guest can include both IPv6 and IPv4 policies, although this example only shows configuration of an IPv6 policy. |