All the Edges inherit the firewall rules and Edge access configurations from the associated Profile. Under the Firewall tab of the Edge Configuration dialog, you can view all the inherited firewall rules in the Rule From Profile area. Optionally, at the Edge-level, you can also override the Profile Firewall rules and Edge access configuration.



As an Enterprise Administrator, you can configure Port Forwarding and 1:1 NAT firewall rules individually for each Edge by following the instructions on this page.

By default, all inbound traffic will be blocked unless the Port Forwarding and 1:1 NAT Firewall Rules are configured. The outside IP will always be that of WAN IP or IP address from WAN IP subnet.

Port Forwarding and 1:1 NAT Firewall Rules

Note: You can configure Port Forwarding and 1:1 NAT rules individually only at the Edge level.

Port Forwarding and 1:1 NAT firewall rules gives Internet clients access to servers connected to an Edge LAN interface. Access can be made available through either Port Forwarding Rules or 1:1 NAT (Network Address Translation) rules.

Port Forwarding Rules

Port forwarding rules enable you to configure rules to redirect traffic from a specific WAN port to a device (LAN IP/ LAN Port) within the local subnet. Optionally, you can also restrict the inbound traffic by an IP or a subnet. Port forwarding rules can be configured with the Outside IP which is on the same subnet of the WAN IP. It can also translate outside IP addresses in different subnets than the WAN interface address if the ISP routes traffic for the subnet towards the SD-WAN Edge.

The following figure illustrates the port forwarding configuration.

In the Port Forwarding Rules section, you can configure port forwarding rules with IPv4 address by entering the following details.
Note: To configure port forwarding rules with IPv6 address, you must use the New Orchestrator UI. For more information, see Configure Firewall with New Orchestrator UI.
  1. In the Name text box, enter a name (optional) for the rule.
  2. From the Protocol drop-down menu, select either TCP or UDP as the protocol for port forwarding.
  3. From the Interface drop-down menu, select the interface for the inbound traffic.
  4. In the Outside IP text box, enter the IPv4 or IPv6 address using which the host (application) can be accessed from the outside network.
  5. In the WAN Ports text box, enter a WAN port or a range of ports separated with a dash (-), for example 20-25.
  6. In the LAN IP and LAN Port text boxes, enter the IPv4 or IPv6 address and port number of the LAN, where the request will be forwarded.
  7. From the Segment drop-down menu, select a segment the LAN IP will belong to.
  8. In the Remote IP/subnet text box, specify an IP address of an inbound traffic that you want to be forwarded to an internal server. If you do not specify any IP address, then it will allow any traffic.

1:1 NAT Settings

These are used to map an Outside IP address supported by the SD-WAN Edge to a server connected to an Edge LAN interface (for example, a web server or a mail server). It can also translate outside IP addresses in different subnets than the WAN interface address if the ISP routes traffic for the subnet towards the SD-WAN Edge. Each mapping is between one IP address outside the firewall for a specific WAN interface and one LAN IP address inside the firewall. Within each mapping, you can specify which ports will be forwarded to the inside IP address. The '+' icon on the right can be used to add additional 1:1 NAT settings.

The following figure illustrates the 1:1 NAT configuration.

In the 1:1 NAT Rules section, you can configure 1:1 NAT rules with IPv4 address by entering the following details.
Note: To configure 1:1 NAT rules with IPv6 address, you must use the New Orchestrator UI. For more information, see Configure Firewall with New Orchestrator UI.
  1. In the Name text box, enter a name for the rule.
  2. In the Outside IP text box, enter the IPv4 or IPv6 address with which the host can be accessed from an outside network.
  3. From the Interface drop-down menu, select the WAN interface where the Outside IP address will be bound.
  4. In the Inside (LAN) IP text box, enter the actual IPv4 or IPv6 (LAN) address of the host.
  5. From the Segment drop-down menu, select a segment the LAN IP will belong to.
  6. Select the Outbound Traffic check-box, if you want to allow traffic from LAN Client to Internet being NATed to Outside IP address.
  7. Enter the Allowed Traffic Source (Protocol, Ports, Remote IP/Subnet) details for mapping in the respective fields.

Configure Edge Overrides

Optionally, at the Edge level, you can override the inherited profile firewall rules. To override firewall rules at the Edge level, click New Rule under Firewall Rules, and follow the steps in Configure Firewall Rules. The override rules will appear in the Edge Overrides area. The Edge override rules will take priority over the inherited profile rules for the Edge. Any Firewall override match value that is the same as any Profile Firewall rule will override that Profile rule.

Override Stateful Firewall Settings

Optionally, at the Edge level, you can override the Stateful Firewall settings by selecting the Enable Edge Override check-box in the Stateful Firewall Settings area. For more information about Stateful Firewall settings, see Configuring Stateful Firewall Settings.

Override Network and Flood Protection Settings

Optionally, at the Edge level, you can override the network and flood protection settings by selecting the Enable Edge Override check-box in the Network and Flood Protection Settings area. For more information about network and flood protection settings, see Configuring Network and Flood Protection Settings.

Override Edge Access Configuration Settings

Optionally, at the Edge level, you can also override the Edge access configuration by selecting the Enable Edge Override check-box in the Edge Access area. For more information about Edge access configuration, see Configuring Edge access.

Related Links