While configuring firewall rules at the Profile and Edge level, you can select existing object groups to match the source or destination of traffic. By referencing object groups in a rule definition, a single rule can cover a range of IP addresses, a range of TCP/UDP ports, or a set of ICMPv4/ICMPv6 types and codes, instead of one address or port per rule.

At the Profile level, to configure a firewall rule with an object group, perform the following steps:

Procedure

  1. In the SD-WAN service of the Enterprise portal, go to Configure > Profiles. The Profiles page displays the existing Profiles.
  2. Select a Profile to configure a firewall rule, and click the Firewall tab.
    From the Profiles page, you can navigate to the Firewall page directly by clicking the View link in the Firewall column of the Profile.
  3. Go to the Configure Firewall section and under Firewall Rules, click + NEW RULE. The Configure Rule dialog box appears.
  4. In the Rule Name text box, enter a unique name for the Rule. To create a firewall rule from an existing rule, select the rule to be duplicated from the Duplicate Rule drop-down menu.
  5. In the Match area, configure the match conditions for the rule:
    1. Choose the IP address type for the rule. By default, both IPv4 and IPv6 address types are selected. Configure the Source and Destination IP addresses according to the selected Address Type.
    2. From the Source drop-down menu, select Object Groups.
    3. Select the relevant Address Group and Service Group from the drop-down menus. If the selected address group contains any domain names, they are ignored when matching the source; only the IP entries of the group take part in the source match.
    4. If required, select Address and Service Groups for the destination as well.
      Based on Address Type selected, the behavior will be as follows:
      • IPv4 Type Rule matches only the IPv4 addresses available in the selected Address Group.
      • IPv6 Type Rule matches only the IPv6 addresses available in the selected Address Group.
      • Mixed Type Rule matches both the IPv4 and IPv6 addresses in the selected Address Group.
    5. Choose Firewall actions as required and click Create.
      For more information on the match and action parameters, see Configure Firewall Rule.
    6. Click Save Changes.

Results

The firewall rules that you create for a profile are automatically applied to all the Edges associated with the profile. If required, you can create additional rules specific to an Edge or override an inherited rule: go to Configure > Edges, select an Edge, and click the Firewall tab.
The Rules From Profile section displays the rules inherited from the profile; they are read only. To override a Profile-level rule, add a new rule at the Edge. The added rule appears in the table above the Rules From Profile section, so it is matched ahead of the inherited rules, and it can be modified or deleted as needed.
Note: By default, firewall rules are assigned to the global segment. If required, choose a segment from the Segment drop-down menu and create firewall rules specific to that segment.

You can modify an object group with additional IP addresses, port numbers, or ICMP service types and codes. The changes are automatically reflected in every firewall rule that uses the object group, at every Profile and Edge that references it, so review which rules reference a group before widening it.
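The following is an added Python model of the matching behaviour described above; it is not VMware SD-WAN code and does not talk to the Orchestrator. It shows how an address group resolves differently under IPv4, IPv6 and Mixed rule types, how domain-name entries drop out of the match, how an Edge-level rule listed above the inherited profile rules wins, and how editing a group changes what existing rules match without touching the rules. Assumptions, labelled in the code: domain entries are ignored for the destination as well as the source in this model, evaluation is first match wins top to bottom, and the default action when nothing matches is allow (check the default configured on your own profile). All object groups, rules and flows are constructed sample data.

```python
"""Model of object-group firewall rule matching (added example, not VMware code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Which IP versions a rule of each Address Type may match.
VERSIONS = {"IPv4": {4}, "IPv6": {6}, "Mixed": {4, 6}}


@dataclass
class AddressGroup:
    name: str
    entries: list  # network strings ("10.0.0.0/24", "2001:db8::/64") or domain names

    def networks(self, address_type: str):
        """IP entries of the group that a rule of the given Address Type can match.
        Domain-name entries are skipped: the page states they are ignored for the
        source match, and this model applies the same to the destination (assumption)."""
        nets = []
        for entry in self.entries:
            try:
                net = ipaddress.ip_network(entry, strict=False)
            except ValueError:
                continue  # not an IP entry (domain name)
            if net.version in VERSIONS[address_type]:
                nets.append(net)
        return nets


@dataclass
class ServiceGroup:
    name: str
    services: list  # ("tcp"|"udp", lo_port, hi_port) or ("icmpv4"|"icmpv6", type, code|None)

    def matches(self, flow) -> bool:
        for proto, a, b in self.services:
            if proto != flow.proto:
                continue
            if proto in ("tcp", "udp"):
                if a <= flow.dst_port <= b:
                    return True
            elif a == flow.icmp_type and (b is None or b == flow.icmp_code):
                return True  # code None means any code
        return False


@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int = 0
    icmp_type: int = -1
    icmp_code: int = -1


@dataclass
class Rule:
    name: str
    address_type: str  # "IPv4", "IPv6" or "Mixed"
    action: str        # "allow" or "deny"
    src: Optional[AddressGroup] = None      # None means any source
    dst: Optional[AddressGroup] = None      # None means any destination
    service: Optional[ServiceGroup] = None  # None means any service

    def matches(self, flow) -> bool:
        src, dst = ipaddress.ip_address(flow.src_ip), ipaddress.ip_address(flow.dst_ip)
        # A rule of one address family never matches traffic of the other family.
        if src.version not in VERSIONS[self.address_type]:
            return False
        if self.src and not any(src in n for n in self.src.networks(self.address_type)):
            return False
        if self.dst and not any(dst in n for n in self.dst.networks(self.address_type)):
            return False
        return not self.service or self.service.matches(flow)


def evaluate(edge_rules, profile_rules, flow, default="allow"):
    """Edge rules sit above the inherited profile rules, so they are tried first;
    first match wins. `default` is assumed allow when no rule matches."""
    for rule in list(edge_rules) + list(profile_rules):
        if rule.matches(flow):
            return rule.name, rule.action
    return "default", default


# Constructed sample objects.
corp_servers = AddressGroup("corp-servers", ["10.0.0.0/24", "2001:db8::/64", "intranet.example"])
web = ServiceGroup("web", [("tcp", 80, 80), ("tcp", 443, 443)])
profile_rules = [Rule("profile-allow-web", "Mixed", "allow", dst=corp_servers, service=web)]
# Edge-level override: deny IPv6 web traffic while the Mixed profile rule still allows IPv4.
edge_rules = [Rule("edge-deny-web-v6", "IPv6", "deny", dst=corp_servers, service=web)]

if __name__ == "__main__":
    for f in (Flow("10.0.0.50", "10.0.0.5", "tcp", dst_port=443),
              Flow("2001:db8::50", "2001:db8::5", "tcp", dst_port=443)):
        print(f.dst_ip, evaluate(edge_rules, profile_rules, f))
```

Widening the group (for example appending "192.168.5.0/24" to corp_servers.entries) makes the unchanged profile rule match the new range immediately, which is exactly why a group edit should be reviewed against every rule that references it.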