SD-WAN Orchestrator allows you to configure firewall rules at the Profile and Edge levels to allow, drop, reject, or skip inbound and outbound traffic. Firewall rules are matched on parameters such as source IP address/port, destination IP address/port, applications, application categories, and DSCP tags.

To configure a firewall rule with the stateful firewall enabled at the profile level, perform the steps in this procedure.

Procedure

  1. From the SD-WAN Orchestrator, go to Configure > Profiles > Firewall.
  2. Enable Stateful Firewall for the selected profile.
  3. Under Firewall Rules area, click New Rule. The Configure Rule dialog box appears.
  4. In the Rule Name box, enter a unique name for the rule.
  5. Under the Match area, configure the match conditions for the rule:
     Source - Specifies the source of the packets. Select one of the following options:
     • Any - Matches all source addresses (the default).
     • Object Group - Allows you to select a combination of an address group and a port group.
     • Define - Allows you to restrict the source to a specific VLAN, IP address, MAC address, or port. For an IP address, choose one of the three options:
       • CIDR prefix - Choose this option to define the network as a CIDR value (for example, 172.10.0.0/16).
       • Subnet mask - Choose this option to define the network with a subnet mask (for example, 172.10.0.0 255.255.0.0).
       • Wildcard mask - Choose this option to narrow the enforcement of a policy to a set of devices across different IP subnets that share the same host portion of the address. A wildcard mask matches an IP address or a set of IP addresses using the inverted subnet mask: a '0' bit in the mask means that bit of the address is fixed, and a '1' bit means that bit is wild (it can be 1 or 0). For example, with a wildcard mask of 0.0.0.255 (binary 00000000.00000000.00000000.11111111) and an IP address of 172.0.0, the first three octets are fixed values and the last octet is variable.
     Destination - Specifies the destination of the packets. Select one of the following options:
     • Any - Matches all destination addresses (the default).
     • Object Group - Allows you to select a combination of an address group and a port group. For more information about Object Groups, see Object Groups.
     • Define - Allows you to restrict the destination to a specific VLAN, IP address, MAC address, or port. For an IP address, choose one of the three options: CIDR prefix, Subnet mask, or Wildcard mask.
     Application - Specifies the applications to which the firewall rule applies. Select one of the following options:
     • Any - Applies the firewall rule to any application (the default).
     • Define - Allows you to select a specific application.
  6. Under the Action area, configure the actions for the rule:
     Firewall - Select the action the firewall performs on packets that meet the conditions of the rule:
     • Allow - Allows the data packets (the default).
     • Drop - Drops the data packets silently, without sending any notification to the source.
     • Reject - Drops the packets and notifies the source by sending an explicit reset message.
     • Skip - Skips the rule during lookups and processes the next rule. However, this rule will be used at the time of deploying SD-WAN.
     Log - Select this checkbox if you want a log entry to be created when this rule is triggered.
  7. Click OK.
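The following is an added example, not VMware's code, that models how a rule set built with the Match and Action settings above is evaluated. It implements the three ways a source or destination network can be written (CIDR prefix, subnet mask, wildcard mask) as a single (network bits, fixed bits) pair, then walks the rules in order applying the Allow, Drop, Reject and Skip actions and the Log flag. Only the IP-address and application match fields are modelled (no VLAN, MAC, port, category or DSCP matching). The rule names, sample packets, the assumption that traffic matching no rule is allowed, and the assumption that a skipped rule does not produce a log entry are all constructed for the illustration and are not stated by the documentation.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# A network match is stored as (network_bits, fixed_bits): an address matches
# when (address & fixed_bits) == network_bits.  All three UI options reduce to this.
NetMatch = Tuple[int, int]
ANY: NetMatch = (0, 0)  # "Any": no bit is fixed, so every address matches


def _to_int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))


def cidr(prefix: str) -> NetMatch:
    """CIDR prefix option, e.g. '172.10.0.0/16'."""
    net = ipaddress.IPv4Network(prefix, strict=False)
    return int(net.network_address), int(net.netmask)


def subnet(addr: str, mask: str) -> NetMatch:
    """Subnet mask option, e.g. ('172.10.0.0', '255.255.0.0'): a 1 bit is fixed."""
    fixed = _to_int(mask)
    return _to_int(addr) & fixed, fixed


def wildcard(addr: str, mask: str) -> NetMatch:
    """Wildcard mask option, e.g. ('10.1.0.1', '0.0.255.0'): the mask is the
    inverted subnet mask, so a 1 bit is wild and a 0 bit is fixed."""
    fixed = (~_to_int(mask)) & 0xFFFFFFFF
    return _to_int(addr) & fixed, fixed


def matches_network(spec: NetMatch, ip: str) -> bool:
    network, fixed = spec
    return (_to_int(ip) & fixed) == network


@dataclass
class Rule:
    name: str
    src: NetMatch
    dst: NetMatch
    app: Optional[str]  # None means the "Any" application option
    action: str         # "Allow", "Drop", "Reject" or "Skip"
    log: bool = False


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    app: str


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (matches_network(rule.src, pkt.src_ip)
            and matches_network(rule.dst, pkt.dst_ip)
            and (rule.app is None or rule.app.lower() == pkt.app.lower()))


def evaluate(rules: List[Rule], pkt: Packet, default: str = "Allow") -> Tuple[str, Optional[str], List[str]]:
    """First-match evaluation. Returns (action, name of deciding rule, log entries).
    'default' is an assumption: the page does not say what happens when no rule matches."""
    logs: List[str] = []
    for rule in rules:
        if not rule_matches(rule, pkt):
            continue
        if rule.action == "Skip":
            continue  # assumption: a skipped rule is not "triggered", so it does not log
        if rule.log:
            logs.append(f"rule={rule.name} src={pkt.src_ip} dst={pkt.dst_ip} "
                        f"app={pkt.app} action={rule.action}")
        return rule.action, rule.name, logs
    return default, None, logs


# Constructed sample rule set (names and addresses are illustrative only).
SAMPLE_RULES = [
    Rule("skip-placeholder", ANY, ANY, None, "Skip"),
    # wildcard 0.0.255.0: hosts with host id .1 in any 10.1.x.0/24 subnet
    Rule("allow-gateways-to-mgmt", wildcard("10.1.0.1", "0.0.255.0"),
         cidr("172.10.0.0/16"), None, "Allow", log=True),
    Rule("reject-guest-ssh", subnet("192.168.50.0", "255.255.255.0"), ANY, "ssh", "Reject", log=True),
    Rule("drop-guest", cidr("192.168.50.0/24"), ANY, None, "Drop"),
]

if __name__ == "__main__":
    # Constructed sample traffic run through the rule set above.
    for pkt in (Packet("10.1.7.1", "172.10.3.4", "https"),
                Packet("10.1.7.2", "172.10.3.4", "https"),
                Packet("192.168.50.10", "8.8.8.8", "ssh"),
                Packet("192.168.50.10", "8.8.8.8", "https")):
        action, name, logs = evaluate(SAMPLE_RULES, pkt)
        print(f"{pkt.src_ip} -> {pkt.dst_ip} [{pkt.app}]: {action} by {name}; logs={logs}")
```

Running the block shows the wildcard rule matching 10.1.7.1 but not 10.1.7.2 (only the third octet is wild), the Skip rule falling through even though it matches everything, and the application-specific Reject rule taking precedence over the broader Drop rule purely because it is listed first.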

Results

A firewall rule is created for the selected profile and it appears under the Firewall Rules area of the Profile Firewall page.