The firewall, or "Security Policy" as it is called on our newer generation devices, is the core of our appliances. This tutorial gives you a basic understanding of how our firewall works and should prepare you for your first steps in creating your own firewall rules!
Interfaces, Zones and Security Policies
Interfaces
Before we dive into the configuration, we first have to talk briefly about how our firewalls are structured; for ease of reading, we will simply refer to them as "USG" or "ATP" from here on. A USG consists of multiple interfaces, from WAN ports to LAN ports to any virtual interfaces you create on the unit.
Interfaces are essentially independent network segments on the gateway and can be found under the menu path
Configuration > Network > Interface
In this example, a screenshot of the default ethernet interfaces on an ATP200:
Zones
Now that we understand the core concept of interfaces, let's move on to Zones, because Zones in particular become important for firewall rules / security policies. In most cases a USG or ATP will have multiple LANs, multiple VLANs and/or multiple WANs. When it comes to firewall rules, you may have a group of interfaces to which you want the same rules to apply: most likely you want all LAN interfaces to have the same rights throughout the network, or you want your multiple WAN ports treated the same way. For this, Zones are the perfect container for interfaces. If you are wondering what exactly is meant by this, it should become clear very soon.
In the Zone menu via
Configuration > Object > Zone
you can find the different default zones and the interface assignments toward these zones:
Just as a Zone is one kind of so-called "Object", you can also create multiple Address objects, Service objects and many other types of objects.
Objects
Since this tutorial is meant to give a picture of creating firewall rules / security policies, let's keep this chapter short: the USG / ATP series work with so-called objects. Objects are, as the name says, entries in a database, e.g. address objects, service objects (ports and protocols), among many others. These objects have no function on their own; they are just database entries. The real magic happens when we use these objects within policies, such as the security policy (firewall rule).
Just as an example, here is a screenshot of the service object list, which can be found via
Configuration > Object > Service
As you may see, there are plenty of objects already prepared for direct use within the policies.
Security Policies / Firewall rules
Now that we have gone through the prerequisites of understanding Interfaces, Zones and Objects, we can move on to actually creating firewall rules. The menu for this can be found via
Configuration > Security Policy > Policy Control
and it looks like this:
The vast majority of firewall rules you would normally need in your network are already preconfigured by default: for example, access from the outside (WAN) to the inside (LAN) of your network is of course blocked to counteract malicious attacks from the internet. LAN to WAN access, on the other hand, is unrestricted by default, because whether to block some ports for your LAN clients is a user preference.
We now see in the policy rules different columns:
- Priority: Order of the Firewall rule - firewall rules run from top to bottom, in that specific order
- Status: shows if the rule is active - yellow is on, grey is off
- Name: Name of the firewall rule
- From: Refers to the Zone from which traffic is coming
- To: Refers to the Zone to which traffic will be flowing
- IPv4 Source: Refers to an Address Object, makes it easier to finetune firewall rules to specific IPv4-Sources
- IPv4 Destination: Refers to an Address Object, makes it easier to finetune firewall rules to specific IPv4-Destinations
- Service: Refers to a service object; allows you to create a rule that applies only to a single port/protocol or to a group of ports/protocols
- User: Allows fine-tuning of the firewall rule so that it applies only to specific user objects/user groups
- Schedule: Allows the rule to be active only during a specific time schedule (useful for parental control, school applications etc.)
- Action: Defines whether traffic matching all of the above parameters is allowed to pass or is denied
- Log: Here you can set whether you want a log entry when matching traffic flows through the firewall
- Profile: In this segment you can add UTM Services and their respective profiles (for example content filter profiles etc.)
Now that we have seen the different things one can set up within Policy Control, let's make up an example configuration:
Goal: We want to block traffic from LAN1 to LAN2, but everything else that LAN1 and LAN2 reach out to shall not be blocked.
By default, LAN1 and LAN2 are simply allowed to access anything: the rules From LAN1 (or LAN2, for that matter) To any (Excluding ZyWALL) allow both LAN networks to access each other. To disallow this, we can simply "cut off" this allowance with a firewall rule placed at the very top, disallowing one specific direction. In our example, we will disallow LAN2 to LAN1. Since communication is a two-way street, this should also interrupt any attempt to gain access from LAN1 to LAN2:
We set the action to deny. This action simply drops the packet, whereas the reject option sends information back to the accessing device about why it is not allowed to access the network. The information returned by the reject action can easily be used to probe and attack the device, so it is not recommended in most cases.
We also set "Log denied traffic" to log alert; this will show an entry in red letters in the log whenever somebody still tries to access the network.
After setting up this rule, you should see log entries as soon as somebody tries to enter in a way that matches your firewall rule.
Here is an example of how these logs could look (a different rule than the LAN1 --> LAN2 rule we created above, just for demonstration purposes):
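To make the top-to-bottom evaluation of the Policy Control table concrete, here is an added Python model (not Zyxel code) of a stateless, per-packet first-match policy table with the columns described above, loaded with the block rule from the example on top of the default allows. Zone names, address objects and all addressing are constructed; session tracking is not modelled.

```python
import ipaddress
from dataclasses import dataclass
# Constructed address and service objects (hypothetical addressing, not from the page).
ADDRESS_OBJECTS = {
    "LAN1_SUBNET": ipaddress.ip_network("192.168.1.0/24"),
    "LAN2_SUBNET": ipaddress.ip_network("192.168.2.0/24"),
}
SERVICE_OBJECTS = {"HTTPS": {("tcp", 443)}, "DNS": {("udp", 53), ("tcp", 53)}}

@dataclass
class Rule:                 # one row of Policy Control; position in the list is the Priority
    name: str
    from_zone: str          # "any" matches every zone
    to_zone: str
    src: str = "any"        # IPv4 Source address object
    dst: str = "any"        # IPv4 Destination address object
    service: str = "any"    # Service object
    action: str = "allow"   # allow | deny | reject
    log: str = "no"         # no | log | log alert

@dataclass
class Packet:
    from_zone: str
    to_zone: str
    src_ip: str
    dst_ip: str
    proto: str
    dport: int

def _addr_match(obj, ip):
    return obj == "any" or ipaddress.ip_address(ip) in ADDRESS_OBJECTS[obj]

def evaluate(rules, pkt, default_action="deny"):
    """First match wins, top to bottom. Returns (action, matched rule name, log setting)."""
    for r in rules:
        if (r.from_zone in ("any", pkt.from_zone) and r.to_zone in ("any", pkt.to_zone)
                and _addr_match(r.src, pkt.src_ip) and _addr_match(r.dst, pkt.dst_ip)
                and (r.service == "any" or (pkt.proto, pkt.dport) in SERVICE_OBJECTS[r.service])):
            return r.action, r.name, r.log
    return default_action, None, "no"

def responds(action):
    """Models the page's description: deny drops silently, reject answers the sender."""
    return {"allow": "forwarded", "deny": None, "reject": "tcp-rst/icmp-unreachable"}[action]
# Policy table in the tutorial's order: the new block rule on top, then the default allows.
POLICY = [
    Rule("LAN2_to_LAN1_Block", "LAN2", "LAN1", action="deny", log="log alert"),
    Rule("LAN1_Outgoing", "LAN1", "any"),
    Rule("LAN2_Outgoing", "LAN2", "any"),
    Rule("WAN_to_Device", "WAN", "any", action="deny", log="log"),
]
```

Moving the block rule below the LAN2_Outgoing row would make it unreachable for LAN2 traffic, which is why the tutorial places it at the very top.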
Monitor > Log
These first step instructions should get you easily going on creating your first firewall rules on your security gateway appliances!