
Use to:

• Enable/disable SMTP, POP3, IMAP and HTTP scanning

• Deactivate rule

• Delete rule

• Change rule order

• Append rule (zone to zone)

• Insert rule

• Select display columns

Select Firewall → Manage Firewall to display the list of rules.

Screen components

Append Rule button – Click to add a zone-to-zone rule.

Select Column button – Click to customize the number of columns displayed on the page.

Subscription icon – Indicates a subscription module. To use the functionality of a subscription module you need to subscribe to the respective module. Click to open the licensing page.

Enable/Disable rule icon – Click to activate/deactivate the rule. If you want to stop applying a firewall rule temporarily, disable the rule instead of deleting it.

Green – Active rule; Red – Inactive rule

Edit icon – Click to edit the rule. Refer to Edit Firewall Rule for more details.

Insert icon – Click to insert a new rule before the existing rule. Refer to Define Firewall Rule for more details.

Move icon – Click to change the order of the selected rule. Refer to Change Firewall Rule Order for details.

Delete icon – Click to delete the rule. Refer to Delete Firewall Rule for more details.

Update Rule

Select Firewall → Manage Firewall to view the list of rules. Click the rule to be modified.

Screen – Edit Firewall Rule

Screen Elements and Description

Matching Criteria

Source – Displays the source zone and host IP address / network address to which the rule applies.
Zone type cannot be modified.
Modify the host/network address if required.
To define a host group based firewall rule, you need to define a host group.
Under Select Address, click Create Host Group to define a host group from the firewall rule itself, or from Firewall → Host Group → Create.
Under Select Address, click Add Host to define a host from the firewall rule itself, or from Firewall → Host → Add Host.

Check Identity (only if source zone is LAN or DMZ) – Check Identity allows you to check whether the specified user/user group from the selected zone is allowed access to the selected service or not.
Click Enable to check the user identity.

Destination – Displays the destination zone and host IP address / network address to which the rule applies.
Zone type cannot be modified.
Modify the host/network address if required.
To define a host group based firewall rule, you need to define a host group.
Under Select Address, click Create Host Group to define a host group from the firewall rule itself, or from Firewall → Host Group → Create.
Under Select Address, click Add Host to define a host from the firewall rule itself, or from Firewall → Host → Add Host.

Service/Service Group – Services represent types of Internet data transmitted via particular protocols or applications.
Displays the service/service group to which the rule applies; modify if required.
Under Select Here, click Create Service Group to define a service group from the firewall rule itself, or from Firewall → Service → Create Service.
Cyberoam provides several standard services and also allows creating custom services. Under Select Here, click Create Service to define a service from the firewall rule itself, or from Firewall → Service → Create Service.
Protect by configuring rules to:

• block services at a specific zone

• limit some or all users from accessing certain services

• allow only specific users to communicate using a specific service

Apply Schedule – Displays the rule's schedule; modify if required.

Firewall Action When Criteria Match

Action – Displays the rule action; modify if required.
Accept – Allows access.
Drop – Silently discards the packet, i.e. without sending an 'ICMP port unreachable' message to the source.
Reject – Denies access and sends an 'ICMP port unreachable' message to the source.

Apply Source NAT (only if Action is 'ACCEPT') – Displays the SNAT policy applied to the rule; modify if required.
It allows access but after changing the source IP address, i.e. the source IP address is substituted by the IP address specified in the SNAT policy.
You can create an SNAT policy from the firewall rule itself or from Firewall → SNAT Policy → Create.
This option is not available if Cyberoam is deployed as Bridge.

Advanced Settings

Click to apply different protection settings to the traffic controlled by the firewall. You can:

• Enable load balancing between multiple links

• Configure antivirus protection and spam filtering for SMTP, IMAP, POP3, and HTTP policies

• Apply bandwidth policy

• Configure content filtering policies

Destination NAT Settings

Destination NAT Policy – Displays the DNAT policy applied; modify if required.
A DNAT rule tells the firewall to forward requests from the specified machine and port to the specified machine and port.
Under Select Here, click Create DNAT Policy to define a DNAT policy from the firewall rule itself, or from Firewall → DNAT Policy → Create.
This option is not available if Cyberoam is deployed as Bridge.

Policy Settings

IDP Policy – Displays the IDP policy for the rule; modify if required.
To use IDP, you have to subscribe to the module. Refer to Licensing for more details.
Refer to IDP, Policy for details on creating an IDP policy.

Internet Access Policy (only if source zone is LAN) – Displays the Internet Access policy for the rule; modify if required. Internet Access policy controls web access.
Refer to Policies, Internet Access Policy for details on creating an Internet Access policy.

Bandwidth Policy – Displays the Bandwidth policy for the rule; modify if required. Only the Firewall Rule based Bandwidth policy can be applied.
Bandwidth policy allocates and limits the maximum bandwidth usage of the user.
Refer to Policies, Bandwidth Policy for details on creating a Bandwidth policy.

Route Through Gateway – Displays the routing policy; modify if required.
Can be applied only if more than one gateway is defined.
This option is not available if Cyberoam is deployed as Bridge. Refer to the Multiple Gateway Implementation Guide for more details.

Virus & Spam Settings

Scan Protocol(s) – Displays the protocols for which virus and spam scanning is to be enabled; modify if required.
By default, HTTP scanning is enabled.
To implement Anti Virus and Anti Spam scanning, you have to subscribe to the Gateway Anti Virus and Anti Spam modules individually. Refer to Licensing for more details.
Refer to the Anti Virus Implementation Guide and Anti Spam Implementation Guide for details.

Log Traffic – Click to enable traffic logging for the rule.
Make sure firewall rule logging is ON/enabled in Logging Management. Refer to Cyberoam Console Guide, Cyberoam Management for more details.
To log the traffic permitted and denied by the firewall rule, you need to turn ON/enable firewall rule logging from the Web Admin Console → Firewall rule and from the Telnet Console → Cyberoam Management. Refer to the Cyberoam Console Guide for more details.
Refer to Appendix B – Network Traffic Logging Entry for more details.

Description – Displays the full description of the rule; modify if required.

Save button – Saves the rule.

Table – Edit Firewall Rule

Change Firewall Rule Order

Rules are ordered by their priority. When the rules are applied, they are processed from the top down and the first matching rule found is applied.

Hence, while adding multiple rules, it is necessary to put specific rules before general rules. Otherwise, a general rule might allow a packet that a rule written later in the list specifically denies. When a packet matches a rule, the packet is immediately dropped or forwarded without being tested against the rest of the rules in the list.
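The first-match behaviour described above, and the shadowing it causes when a general rule sits above a specific one, as an added example in Python (not Cyberoam code; zone names follow the guide, the addresses and rule set are constructed). The shadowed_rules check flags any rule that can never be reached because an earlier rule already covers everything it matches.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    """Zone pair, source/destination network (CIDR or "any"), service ("any" = all), action."""
    rule_id: int
    src_zone: str
    src_net: str
    dst_zone: str
    dst_net: str
    service: str
    action: str  # Accept, Drop or Reject, as on the Edit Firewall Rule screen

def _in_net(net, ip):
    return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net)

def _covers(outer, inner):
    """True when every address matched by 'inner' is also matched by 'outer'."""
    if outer == "any" or inner == "any":
        return outer == "any"
    return ipaddress.ip_network(inner).subnet_of(ipaddress.ip_network(outer))

def first_match(rules, src_zone, src_ip, dst_zone, dst_ip, service):
    """Top-down evaluation: the first matching rule decides; later rules are never consulted."""
    for r in rules:
        if (r.src_zone == src_zone and r.dst_zone == dst_zone
                and _in_net(r.src_net, src_ip) and _in_net(r.dst_net, dst_ip)
                and r.service in ("any", service)):
            return r
    return None

def shadowed_rules(rules):
    """Rules that can never fire because an earlier rule already covers every packet they
    describe: the symptom of a general rule placed above a specific one."""
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.src_zone == later.src_zone and earlier.dst_zone == later.dst_zone
                    and _covers(earlier.src_net, later.src_net)
                    and _covers(earlier.dst_net, later.dst_net)
                    and earlier.service in ("any", later.service)):
                shadowed.append(later)
                break
    return shadowed

# Constructed LAN-to-WAN rule set (zones as named in the guide; addresses are made up).
GENERAL_ALLOW = Rule(1, "LAN", "any", "WAN", "any", "HTTP", "Accept")
SPECIFIC_DENY = Rule(2, "LAN", "192.168.1.0/24", "WAN", "any", "HTTP", "Drop")
WRONG_ORDER = [GENERAL_ALLOW, SPECIFIC_DENY]  # general first: the Drop is shadowed
RIGHT_ORDER = [SPECIFIC_DENY, GENERAL_ALLOW]  # specific first: the Drop is reachable
```

Running shadowed_rules over an exported rule list before saving a reorder is a cheap way to catch the "general rule above specific rule" mistake the text warns about.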

Select Firewall → Manage Firewall.

Click the move button against the rule whose order is to be changed.

Select Before or After as required.

Click the rule to be moved and then click the position where it is to be moved.

Click Done to save the order.

Append rule

Append Rule adds the new rule above the default rules if a rule set for the zone pair already exists; otherwise it appends the new rule as a new zone-to-zone rule set at the end.

For example, consider the screen given below. If the new rule is for DMZ to LAN, then a new rule set DMZ – LAN is created at the end and the rule is added to it. If the new rule is for LAN to WAN, then the rule will be added above Rule ID 4 as Rule ID 3 and ID 4 are default rules.

Select Firewall → Manage Firewall Rules and click Append Rule.

Refer to Define Firewall Rule for more details.

Change Display Columns

By default, Manage Firewall Rules page displays details of the rule in the following eight columns: ID, Enable, Source, Identity, Destination, Service, Action and Manage. You can customize the number of columns to be displayed as per your requirement.

Screen – Default Screen Display of Manage Firewall Rules page

Select Firewall → Manage Firewall to open the manage page.

Click Select Columns.

A new window opens. The 'Available Columns' list displays the columns that can be displayed on the page.

Click the required column and use the Right arrow button to move the selected column to the 'Selected Columns' list.

Click Done.

Screen – Customized Screen Display of Manage Firewall Rules page

Delete Firewall Rule

Select Firewall → Manage Firewall Rules and click the delete icon against the rule to be deleted.

Screen – Delete Firewall Rule

Note

Default rules cannot be deleted or deactivated.