All the edges inherit the firewall rules and edge access configurations from the associated Profile. Under the Firewall tab of the Edge Configuration dialog, you can view all the inherited firewall rules in the Rule From Profile area. Optionally, at the edge level, you can also override the Profile firewall rules and edge access configuration.
As an Enterprise Administrator, you can configure Port Forwarding and 1:1 NAT firewall rules individually for each edge by following the instructions on this page.
By default, all inbound traffic is blocked unless Port Forwarding or 1:1 NAT firewall rules are configured. The Outside IP is always the WAN IP or an IP address from the WAN IP subnet.
Port Forwarding and 1:1 NAT Firewall Rules
Port Forwarding and 1:1 NAT firewall rules give Internet clients access to servers connected to an Edge LAN interface. Access can be made available through either Port Forwarding rules or 1:1 NAT (Network Address Translation) rules.
Port Forwarding Rules
Port forwarding rules redirect traffic arriving on a specific WAN port to a device (LAN IP/LAN Port) within the local subnet. Optionally, you can also restrict the inbound traffic to a source IP or subnet. Port forwarding rules can be configured with an Outside IP that is on the same subnet as the WAN IP. They can also translate outside IP addresses in subnets different from the WAN interface address if the ISP routes traffic for that subnet towards the SD-WAN Edge.
To configure a port forwarding rule, provide the following details.
- In the Name text box, enter a name (optional) for the rule.
- From the Protocol drop-down menu, select either TCP or UDP as the protocol for port forwarding.
- From the Interface drop-down menu, select the interface for the inbound traffic.
- In the Outside IP text box, enter the IP address using which the host (application) can be accessed from the outside network.
- In the WAN Ports text box, enter one WAN port or range of ports separated with a dash (-), for example 20-25.
- In the LAN IP and LAN Port text boxes, enter the IP address and port number of the LAN, where the request will be forwarded.
- From the Segment drop-down menu, select a segment the LAN IP will belong to.
- In the Remote IP/subnet text box, specify the source IP address or subnet of the inbound traffic that you want forwarded to the internal server. If you do not specify any IP address, traffic from any source is allowed.
The following figure illustrates the port forwarding configuration.
1:1 NAT Settings
These are used to map an Outside IP address supported by the SD-WAN Edge to a server connected to an Edge LAN interface (for example, a web server or a mail server). It can also translate outside IP addresses in different subnets than the WAN interface address if the ISP routes traffic for the subnet towards the SD-WAN Edge. Each mapping is between one IP address outside the firewall for a specific WAN interface and one LAN IP address inside the firewall. Within each mapping, you can specify which ports will be forwarded to the inside IP address. The '+' icon on the right can be used to add additional 1:1 NAT settings.
To configure a 1:1 NAT rule, provide the following details.
- In the Name text box, enter a name for the rule.
- In the Outside IP text box, enter the IP address with which the host can be accessed from an outside network.
- From the Interface drop-down menu, select the WAN interface where the Outside IP address will be bound.
- In the Inside (LAN) IP text box, enter the actual IP (LAN) address of the host.
- From the Segment drop-down menu, select a segment the LAN IP will belong to.
- Select the Outbound Traffic checkbox if you want traffic from the LAN client to the Internet to be NATed to the Outside IP address.
- Enter the Allowed Traffic Source (Protocol, Ports, Remote IP/Subnet) details for the mapping in the respective fields.
The following figure illustrates the 1:1 NAT configuration.
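The following is an added example, not code from the SD-WAN product or this documentation: a small Python model of how inbound Internet traffic is admitted under the Port Forwarding and 1:1 NAT rules described above (default deny; a port forwarding rule matches interface, Outside IP, protocol and WAN port range and translates to a LAN IP/port, optionally restricted by Remote IP/subnet; a 1:1 NAT mapping translates one Outside IP to one inside IP for the allowed traffic sources). The field names mirror the dialog, but the data layout, the interface name "GE2", the sample addresses (documentation ranges) and the order in which port forwarding rules are checked before 1:1 NAT mappings are this example's own assumptions. It also includes a review helper that lists the rules admitting traffic from any remote source, which is the check a reviewer would want before approving an edge rule set.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Tuple


def parse_port_range(spec: str) -> Tuple[int, int]:
    """Parse a WAN Ports value: one port ("443") or a dash-separated range ("20-25")."""
    parts = spec.strip().split("-")
    if len(parts) not in (1, 2):
        raise ValueError(f"bad port spec {spec!r}")
    lo, hi = int(parts[0]), int(parts[-1])
    if not (1 <= lo <= hi <= 65535):
        raise ValueError(f"bad port range {spec!r}")
    return lo, hi


def remote_allowed(remote_spec: str, src_ip: str) -> bool:
    """An empty Remote IP/subnet means traffic from any source is allowed."""
    if not remote_spec.strip():
        return True
    return ip_address(src_ip) in ip_network(remote_spec.strip(), strict=False)


@dataclass
class PortForwardRule:
    name: str
    protocol: str      # "TCP" or "UDP"
    interface: str     # WAN interface the traffic arrives on (assumed name, e.g. "GE2")
    outside_ip: str
    wan_ports: str     # "20-25" or "443"
    lan_ip: str
    lan_port: int
    segment: str = "Global Segment"
    remote: str = ""   # Remote IP/subnet; empty means any source


@dataclass
class AllowedSource:
    protocol: str
    ports: str
    remote: str = ""


@dataclass
class OneToOneNat:
    name: str
    outside_ip: str
    interface: str
    inside_ip: str
    segment: str = "Global Segment"
    outbound: bool = False
    allowed: List[AllowedSource] = field(default_factory=list)


@dataclass
class Packet:
    interface: str
    dst_ip: str
    protocol: str
    dst_port: int
    src_ip: str


def evaluate_inbound(pkt, pf_rules, nat_rules):
    """Return ("forward", lan_ip, lan_port, rule_name) or ("drop", None, None, None).
    Inbound is dropped unless a rule matches. Checking port forwarding rules before
    1:1 NAT mappings is an assumption of this model, not a documented ordering."""
    for r in pf_rules:
        lo, hi = parse_port_range(r.wan_ports)
        if (r.interface == pkt.interface and r.outside_ip == pkt.dst_ip
                and r.protocol == pkt.protocol and lo <= pkt.dst_port <= hi
                and remote_allowed(r.remote, pkt.src_ip)):
            return ("forward", r.lan_ip, r.lan_port, r.name)
    for m in nat_rules:
        if m.interface != pkt.interface or m.outside_ip != pkt.dst_ip:
            continue
        for src in m.allowed:
            lo, hi = parse_port_range(src.ports)
            if (src.protocol == pkt.protocol and lo <= pkt.dst_port <= hi
                    and remote_allowed(src.remote, pkt.src_ip)):
                # 1:1 NAT translates only the address; the destination port is kept
                return ("forward", m.inside_ip, pkt.dst_port, m.name)
    return ("drop", None, None, None)


def rules_open_to_any_source(pf_rules, nat_rules):
    """Review check: names of rules that admit inbound traffic from any remote IP."""
    names = [r.name for r in pf_rules if not r.remote.strip()]
    names += [m.name for m in nat_rules if any(not s.remote.strip() for s in m.allowed)]
    return names


# Constructed sample rule set; addresses come from documentation ranges.
PF_RULES = [
    PortForwardRule("web", "TCP", "GE2", "203.0.113.10", "8080", "10.0.0.5", 80),
    PortForwardRule("ssh-admin", "TCP", "GE2", "203.0.113.10", "2222", "10.0.0.5", 22,
                    remote="198.51.100.0/24"),
]
NAT_RULES = [
    OneToOneNat("mail", "203.0.113.11", "GE2", "10.0.0.7", outbound=True, allowed=[
        AllowedSource("TCP", "25"),
        AllowedSource("TCP", "993", remote="198.51.100.0/24"),
    ]),
]

if __name__ == "__main__":
    for pkt in [Packet("GE2", "203.0.113.10", "TCP", 8080, "192.0.2.9"),
                Packet("GE2", "203.0.113.10", "TCP", 2222, "192.0.2.9"),
                Packet("GE2", "203.0.113.11", "TCP", 25, "192.0.2.9"),
                Packet("GE2", "203.0.113.12", "TCP", 80, "192.0.2.9")]:
        print(pkt.dst_ip, pkt.dst_port, "->", evaluate_inbound(pkt, PF_RULES, NAT_RULES))
    print("open to any source:", rules_open_to_any_source(PF_RULES, NAT_RULES))
```

In the sample set, the "ssh-admin" rule is only reachable from 198.51.100.0/24, while "web" and the port 25 entry of "mail" accept any source; the review helper surfaces exactly those two, which is the list to scrutinise when an edge-level rule set is being approved.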
Configure Edge Overrides
Optionally, at the edge level, you can override the inherited profile firewall rules. To override firewall rules at the Edge level, click New Rule under Firewall Rules, and follow the steps in Configure Firewall Rules. The override rules will appear in the Edge Overrides area. The Edge override rules will take priority over the inherited profile rules for the Edge. Any Firewall override match value that is the same as any Profile Firewall rule will override that Profile rule.
Override Stateful Firewall Settings
Optionally, at the edge level, you can override the Stateful Firewall settings by selecting the Enable Edge Override checkbox in the Stateful Firewall Settings area. For more information about Stateful Firewall settings, see Configuring Stateful Firewall Settings.
Override Network and Flood Protection Settings
Optionally, at the edge level, you can override the network and flood protection settings by selecting the Enable Edge Override checkbox in the Network and Flood Protection Settings area. For more information about network and flood protection settings, see Configuring Network and Flood Protection Settings.
Override Edge Access Configuration Settings
Optionally, at the edge level, you can also override the edge access configuration by selecting the Enable Edge Override checkbox in the Edge Access area. For more information about edge access configuration, see Configuring Edge access.