Nebula - Configure Firewall Rules on your Security Gateway [Security Policy]

This article shows you how to block specific traffic on your firewall [USG FLEX, ATP Series]. In this tutorial, we guide you through the steps needed on the Nebula Control Center (NCC) to block traffic. You can block traffic by subnet, by Geo-IP, or block everything and only allow certain subnets or regions of the world.

1) Subnet Blocking

In this example, we want to prevent a client in our LAN1 (192.168.1.100) from accessing any client in LAN2 (192.168.2.1).

First, please navigate to the Nebula Control Center and go to:

Site-wide > Configure > Firewall > Security Policy

Then, add an "outbound rule":
In this example, we are blocking anything from 192.168.1.100 (a single host within the LAN1 subnet range) to 192.168.2.1/24.
[Screenshot: mceclip0.png, the outbound rule as entered in NCC]


2) GeoIP Blocking

The new firewall rule feature in Nebula includes GeoIP, which lets you allow or block traffic for specific countries only. Because you cannot block whole regions (Asia, North America etc.) [update: Jan 2023], we recommend that you only allow the countries that you trust and block everything else.


For example, if your main office is in Sweden, you have an office in the UK, and you have also set the DNS server on the LAN to 8.8.8.8 (which is located in the U.S.), you can set a rule allowing only Sweden, the UK and the U.S., followed by a rule that blocks everything else, as shown below:


Things to consider:

  • When testing the firewall rule, you will most likely ping (in our example) the LAN2 gateway interface IP and, to your surprise, find that you can still ping the gateway. This is because the interface's own IP belongs to the device itself (also referred to as "ZyWall"), which sits in a firewall zone outside of both LAN1 and LAN2, so a LAN1-to-LAN2 rule does not apply to it.
  • Using the Security Gateway Services below will allow specific services to be accessible from the WAN on the device ("ZyWall") itself. If you enter "Any" in both fields, for example, clients from the WAN can both ping the unit and reach it via HTTPS on the WAN port. Exposing management services to the WAN widens the attack surface, so restrict the source to known addresses rather than "Any" wherever possible.

  • Many rules operate in the background. Here is a small glimpse of some of the firewall rules hardcoded into the configuration of the unit:
    [Screenshot: mceclip2.png, built-in firewall rules from the unit's configuration]
    These are not displayed on the Nebula Control Center and cannot be changed.
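To make the rule ordering in sections 1 and 2 concrete, here is an added Python model of an ordered, first-match policy; it is not Zyxel code and not the NCC's own evaluation engine. The rule names, the `evaluate` helper and the use of destination country codes (SE, GB, US) for the GeoIP rules are assumptions made for this illustration, and the page's "192.168.2.1/24" is written as the 192.168.2.0/24 network.

```python
import ipaddress
from typing import NamedTuple, Optional, FrozenSet

# One policy line: src/dst None means "Any"; countries None means no GeoIP match.
class Rule(NamedTuple):
    name: str
    action: str                                  # "allow" or "deny"
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None
    countries: Optional[FrozenSet[str]] = None   # destination GeoIP country codes

def matches(rule, src_ip, dst_ip, dst_country):
    """Every populated field of the rule must match the packet."""
    if rule.src is not None and src_ip not in rule.src:
        return False
    if rule.dst is not None and dst_ip not in rule.dst:
        return False
    if rule.countries is not None and dst_country not in rule.countries:
        return False
    return True

def evaluate(rules, src, dst, dst_country=None, default="allow"):
    """First matching rule wins; `default` applies when nothing matches.
    Returns (action, rule name) so a test can see which line fired."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for rule in rules:
        if matches(rule, src_ip, dst_ip, dst_country):
            return rule.action, rule.name
    return default, "implicit-default"

# Section 1 (assumed rule name): block one LAN1 host from the whole LAN2 subnet.
SUBNET_RULES = [
    Rule("block-host-to-lan2", "deny",
         src=ipaddress.ip_network("192.168.1.100/32"),
         dst=ipaddress.ip_network("192.168.2.0/24")),
]

# Section 2 (assumed rule names): allow trusted countries first, then deny all.
# Swapping these two lines would deny everything, because "deny all" matches first.
GEOIP_RULES = [
    Rule("allow-trusted-countries", "allow", countries=frozenset({"SE", "GB", "US"})),
    Rule("deny-all-other-countries", "deny"),
]
```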
