Firewall Management
CONFIGURE > FIREWALL > Management
Navigate to the Firewall Management page, CONFIGURE > FIREWALL > Management. From here you can:
- Add a new firewall zone.
- Add a firewall service.
- Edit a firewall zone - manage the zone setup.
- Manage port forwarding.
- Manage custom rules for firewalls.
Firewall Zone Settings
To change firewall management settings navigate to CONFIGURE > FIREWALL > Management.
Note: The application of any custom rules will result in Permit All Traffic being enabled in a zone.
You can inspect details of any zone by clicking the Expand icon to the right of the zone. Once expanded, you can click Edit Zone to change settings for a particular zone.
The Edit Zone page has three tabs. The ZONE SETUP tab allows you to:
- Modify the Name of the zone.
- Add a Description for this zone.
- Permit all Traffic.
- Masquerade Traffic.
- Select Physical Interfaces.
- Manage Permitted Services by clicking on Plus or Minus next to each.
Tip: You can use the Filter Interfaces and Filter Available Services text boxes to limit the list content that is displayed.
Port Forwarding
The MANAGE PORT FORWARDING tab allows you to add, edit, and delete forwarding rules for the particular zone you are editing.
Manage Custom Rules
Note: The application of any custom rules will result in Permit All Traffic being enabled in a zone.
The third tab, MANAGE CUSTOM RULES, allows you to add, edit, and delete custom firewall rules for the zone you are editing. These custom rules persist across reboots, upgrades, and power cycles.
Rules are prioritized in the order they are added.
To add a new custom rule:
- Click Add custom rule.
- Enter an optional description for this rule.
- Enter the rule content, formatted with firewall-cmd rich rule syntax.
- Click Apply.
Note: All rules will be wrapped as follows:
firewall-cmd --permanent --zone=lan --add-rich-rule=RULE CONTENT
Firewall - Source Address Filtering
Source address filtering provides an interface by which users can permit access to services (for example, SSH, HTTPS, SNMP) on a device from specific source addresses.
This feature removes the generic/global permitted services within firewall zones and instead allows users to permit services for a specified source address (or address range) within the firewall zone. Source address filters configured in a zone apply to all the interfaces within that zone.
To access the feature, navigate to the Configure > Firewall > Management page through the WebUI, then select the current source address filter configuration under the Services in Zone tab for each zone.
To add a source address filter for a zone, select the edit zone option under the desired zone, which opens the edit zone page where source address filters can be configured.
You can choose to enable Permit All Traffic, which will permit all traffic in the zone (unless there is a custom rule configured overriding this behavior).
If the Permit All Traffic option is disabled, you will have the option to configure permitted services for any allowed source address. Permitted services can be added to or removed from each source address filter under the "Services" field.
Source address filters can be added, duplicated or deleted using the buttons below and to the right of the filter. Any new changes to the source address filters can be seen under the Services in Zone tab for each zone on the main Firewall Management page.
Firewall Source Address Bulk Services
Configure > FIREWALL > Management > New Firewall Zone
PERMITTED SERVICES
The firewall source IP field allows you to assign permitted services to specified source IP addresses in bulk, rather than needing an individual rich rule to add each specific service. This lets you easily target specific IP addresses with permitted services. Enter the target IP address, select services from the drop-down list and click Apply.
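As an added example (not the device's own code), the script below shows what the bulk source-address feature and the custom-rule wrapper above amount to in firewalld terms: one rich rule per permitted service for a source address or range, each wrapped in the `firewall-cmd --permanent --zone=... --add-rich-rule=...` form the page documents. The rich rule layout (`rule family=... source address=... service name=... accept`) is standard firewalld syntax; that the WebUI emits exactly these rules for the bulk field is an assumption, and the zone name `lan` and the address 192.0.2.0/24 are constructed sample values.

```python
"""Build firewalld rich rules for per-source-address permitted services and
wrap them the way the Firewall Management page wraps custom rule content."""
import ipaddress
import shlex


def wrap_custom_rule(zone, content):
    """Return the firewall-cmd invocation documented on the page:
    firewall-cmd --permanent --zone=<zone> --add-rich-rule=<RULE CONTENT>
    shlex.quote() keeps the quotes inside the rule intact on a shell line."""
    return ("firewall-cmd --permanent --zone=%s --add-rich-rule=%s"
            % (shlex.quote(zone), shlex.quote(content)))


def is_valid_source(source):
    """True if source is a single IPv4/IPv6 address or a CIDR range."""
    try:
        ipaddress.ip_network(source, strict=False)
        return True
    except ValueError:
        return False


def source_filter_rules(source, services):
    """One rich rule per service, permitting only the given source.
    The address family is taken from the parsed address, so an IPv6 source
    never ends up in an ipv4 rule (and vice versa)."""
    net = ipaddress.ip_network(source, strict=False)  # raises on bad input
    family = "ipv4" if net.version == 4 else "ipv6"
    # A host address is written bare; a range keeps its prefix length.
    addr = str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)
    rules = []
    for svc in services:
        # firewalld service names are letters, digits and dashes only
        if not svc or not svc.replace("-", "").isalnum():
            raise ValueError("invalid service name: %r" % (svc,))
        rules.append('rule family="%s" source address="%s" service name="%s" accept'
                     % (family, addr, svc))
    return rules


def bulk_commands(zone, source, services):
    """The full firewall-cmd lines equivalent to one bulk source-IP entry."""
    return [wrap_custom_rule(zone, r) for r in source_filter_rules(source, services)]


if __name__ == "__main__":
    # Constructed sample: permit SSH and HTTPS from 192.0.2.0/24 in zone "lan".
    for cmd in bulk_commands("lan", "192.0.2.0/24", ["ssh", "https"]):
        print(cmd)
```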