While configuring firewall rules, you can select the existing object groups to match the source or destination. This includes the range of IP addresses or port numbers available in the object groups.

For more information on Firewall Rules, see Configure Firewall Rules.

You can configure the firewall rules in Classic or New Orchestrator UI. The following procedure describes the configuration with Classic Orchestrator UI. To configure in New Orchestrator UI, see Configure Firewall with New Orchestrator UI.


  1. In the Enterprise portal, click Configure > Profiles.
  2. Select a profile from the list and click the Firewall tab.
  3. Click New Rule or Actions > New Rule.
  4. Enter a name for the Firewall rule.
  5. In the Match area, choose the IP address type. By default, IPv4 address type is selected.
    Note: To configure firewall rules with Mixed or IPv6 address type, you must use the New Orchestrator UI. For more information, see Configure Firewall Rule with New Orchestrator UI.
  6. Click Object Group for the source.
  7. Select the relevant Address Group and Port Group from the drop-down list.
    If the selected address group contains any domain names, they would be ignored when matching for the source.
  8. If required, you can select the Address and Port Groups for the destination as well.
    Based on Address Type selected, the behavior will be as follows:
    • IPv4 Type Rule matches only the IPv4 addresses available in the selected Address Group.
    • IPv6 Type Rule matches only the IPv6 addresses available in the selected Address Group.
    • Mixed Type Rule matches both the IPv4 and IPv6 addresses in the selected Address Group.
  9. Choose Actions as required and click OK.


The Firewall rules that you create for a profile are automatically applied to all the Edges associated with the profile. If required, you can create additional rules specific to the Edges.
  1. Navigate to Configure > Edges, select an Edge, and click the Firewall tab.
  2. Click New Rule or Actions > New Rule.
  3. Define the rule with relevant object groups and other actions.

Edge-level Firewall Rule displays the rules inherited from profile and they are read only. If you want to override any Profile-level rule, then add a new rule. The added rule appears on top of the table and it can be manipulated by modifying or deleting, if needed.

Note: By default, the firewall rules are assigned to the global segment. If required, you can choose a segment from the Select Segment drop-down and create firewall rules specific to the selected segment.

What to do next

You can modify the object groups with additional IP addresses and port numbers. The changes are automatically included in the Firewall rules that use the object groups.