Add a new rule

• Create a new rule. Click New > New Firewall Rule.
• Import a rule from an XML file. Click New > Import From File.
• Copy and then modify an existing rule. Right-click the rule in the Firewall Rules list and then click Duplicate. To edit the new rule, select it and then click Properties.

Select the behavior and protocol of the rule

1. Enter a Name and Description for the rule.

   Tip It is good practice to document all firewall rule changes in the Description field of the firewall rule. Make a note of when and why rules were created or deleted for easier firewall maintenance.

2. Select the Action that the rule should perform on packets. You can select from one of the following five actions:

   Note Only one rule action is applied to a packet, and rules (of the same priority) are applied in the order of precedence listed below.

   • The rule can allow traffic to bypass the firewall. A bypass rule allows traffic to pass through the firewall and intrusion prevention engine at the fastest possible rate. Bypass rules are meant for traffic using media intensive protocols where filtering may not be desired or for traffic originating from trusted sources.

     Tip For an example of how to create and use a bypass rule for trusted sources in a policy, see Allow trusted traffic to bypass the firewall.

     The "bypass" action on firewall rules differs from a Force Allow rule in the following ways:
     • Unlike Force Allow, bypass will not automatically allow the responses on a TCP connection when firewall stateful configuration is on (see below for more information).

     Note Bypass rules are unidirectional. Explicit rules are required for each direction of traffic. If you plan to use a bypass rule to skip intrusion prevention rule processing on incoming traffic to TCP destination port N and firewall stateful configuration is set to perform stateful inspection on TCP, you must create a matching outgoing rule for source port N to allow the TCP responses. (This is not required for Force Allow rules because force-allowed traffic is still processed by the stateful engine.)

     Tip You can achieve maximum throughput performance on a bypass rule with the following settings: Priority: Highest Frame Type: IP Protocol: TCP, UDP, or other IP protocol. (Do not use the "Any" option.) Source and Destination IP and MAC: all "Any" If the protocol is TCP or UDP and the traffic direction is "incoming", the destination ports must be one or more specified ports (not "Any"), and the source ports must be "Any". If the protocol is TCP or UDP and the traffic direction is "outgoing", the source ports must be one or more specified ports (Not "Any"), and the destination ports must be "Any". Schedule: None.

   • The rule can log only. This action will make entries in the logs but will not process traffic.
   • The rule can force allow defined traffic (it will allow traffic defined by this rule without excluding any other traffic.)
   • The rule can deny traffic (it will deny traffic defined by this rule.)
   • The rule can allow traffic (it will exclusively allow traffic defined by this rule.)

   Note If you have no allow rules in effect on a computer, all traffic is permitted unless it is specifically blocked by a deny rule. Once you create a single allow rule, all other traffic is blocked unless it meets the requirements of the allow rule. There is one exception to this: ICMPv6 traffic is always permitted unless it is specifically blocked by a deny rule.

3. Select the Priority of the rule. The priority determines the order in which rules are applied. If you have selected "force allow", "deny", or "bypass" as your rule action, you can set a priority of 0 (low) to 4 (highest). Setting a priority allows you to combine the actions of rules to achieve a cascading rule effect.

   Note Log only rules can only have a priority of 4, and Allow rules can only have a priority of 0.

   Note High priority rules get applied before low priority rules. For example, a port 80 incoming deny rule with a priority of 3 will drop a packet before a port 80 incoming force allow rule with a priority of 2 gets applied to it.

   For detailed information on how actions and priority work together, see Firewall rule actions and priorities.
4. Select a Packet Direction. Select whether this rule will be applied to incoming (from the network to the computer) or outgoing(from the computer to the network) traffic.

   Note An individual firewall rule only apply to a single direction of traffic. You may need to create incoming and outgoing firewall rules in pairs for specific types of traffic.

5. Select an Ethernet Frame Type. Select the Not checkbox if you want to filter anything but the frame type.The term "frame" refers to Ethernet frames, and the available protocols specify the data that the frame carries. If you select "Other" as the frame type, you need to specify a frame number.

6. Note IP covers both IPv4 and IPv6. You can also select IPv4 or IPv6 individually

   Note On Solaris, Deep Security Agents will only examine packets with an IP frame type, and Linux Agents will only examine packets with IP or ARP frame types. Packets with other frame types will be allowed through. Note that the Virtual Appliance does not have these restrictions and can examine all frame types, regardless of the operating system of the virtual machine it is protecting.

   If you select the Internet Protocol (IP) frame type, you need to select the transport Protocol. If you select "Other" as the protocol, you also need to enter a protocol number.

Select a Packet Source and Packet Destination

Tip You can use a previously created IP, MAC or port list.

Note ARP and REVARP frame types only support using MAC addresses as packet sources and destinations.

• URG
• ACK
• PSH
• RST
• SYN
• FIN

IP Addresses

• Any: No address is specified so any computer can be either a source or destination
• Single IP: One computer identified using its IP address
• Masked IP: All computers that share the same subnet mask
• Range: All computers within the range of IP addresses
• IP(s): A list of several computers that do not have consecutive IP addresses
• IP List: A list of computers that you defined on Policies > Common Objects > Lists > IP Lists

MAC Address

• Any: No MAC address was specified, so the rule applies to all addresses
• Single MAC: Rule applies to a specific MAC address
• MAC(s): Rule applies to the MAC addresses specified here
• MAC List: Enables you to select a value that you defined on the Policies > Common Objects > Lists > MAC Lists page.

Port

• Any: Rule applies to all ports.
• Port(s): Rule applies to the specified ports.
• Port List: Enables you to select a value that you defined on the Policies > Common Objects > Lists > Port Lists page.

Configure rule events and alerts

Note Note that rules using the "Allow", "Force Allow" and "Bypass" actions will not log any events. because they would overwhelm the database.

Alerts

Note Only firewall rules with an action set to "Deny" or "Log Only" can be configured to trigger an alert. (This is because alerts are triggered by counters that are incremented with data from log files.)

Set a schedule for the rule

Assign a context to the rule

Tip For an example of a policy that implements firewall rules using contexts, look at the properties of the "Windows Mobile Laptop" Policy.

See policies and computers a rule is assigned to

Export a rule

Delete a rule

Note Firewall Rules that are assigned to one or more computers or that are part of a policy cannot be deleted.