Use to:
• Enable/disable SMTP, POP3, IMAP, FTP and HTTP scanning
• Deactivate rule
• Delete rule
• Change rule order
• Append rule (zone to zone)
• Insert rule
• View selected firewall rules by zones
• Select display columns
Note
From version 9.5.3.07, Cyberoam does not support DNAT policies. On upgrading to this version, Cyberoam preserves all existing DNAT policies but does not allow them to be modified. This does not affect the functioning of Cyberoam.
To stop using a DNAT policy:
1. Create a Virtual host to forward the request, i.e. for the same service/server for which the DNAT policy was created
2. Create a firewall rule for the Virtual host
3. Delete the firewall rule for the DNAT policy
The firewall rule for the Virtual host takes precedence if the firewall rule for the DNAT policy is not deleted.
Select Firewall → Manage Firewall to display the list of rules.
The page displays the total number of configured firewall rules and, if you have selected any zone using the Select Zones button, the number of firewall rules configured in the selected zone.
Screen components
Append Rule button - Click to add a zone to zone rule
Select Column button - Click to customize the number of columns displayed on the page
Select Zones - Click and select zones to view the firewall rules of the selected zones only
Subscription icon - Indicates a subscription module. To use the functionality of a subscription module you need to subscribe to the respective module. Click to open the licensing page.
Enable/Disable rule icon - Click to activate/deactivate the rule. If you do not want to apply a firewall rule temporarily, disable the rule instead of deleting it.
Green – Active rule
Red – Deactivated rule
Edit icon - Click to edit the rule. Refer to Edit Firewall Rule for more details.
Insert icon - Click to insert a new rule before the existing rule. Refer to Define Firewall Rule for more details.
Move icon - Click to change the order of the selected rule. Refer to Change the Firewall Rule Order for details.
Delete icon - Click to delete the rule. Refer to Delete Firewall Rule for more details.
Virtual host icon - Indicates the loopback firewall rule automatically created for a virtual host.
Update Rule
Select Firewall → Manage Firewall to view the list of rules. Click the rule to be modified.
Screen – Edit Firewall Rule
Screen elements and their description:

Matching Criteria

Source - Displays the source zone and host IP address/network address to which the rule applies.
Zone type cannot be modified.
Modify the host/network address if required.
The Host dropdown list also displays dynamic hosts and host groups which are automatically added on creation of VPN road warrior connections. It also displays the default hosts created for road warrior connections: ##ALL_RW, ##ALL_IPSEC_RW.
To configure a host group based firewall rule you need to define a host group. Under the Select Address dropbox, click Create Host Group to define a host group from the firewall rule itself, or define it from Firewall → Host Group → Create. Under the Select Address dropbox, click Add Host to define a host from the firewall rule itself, or define it from Firewall → Host → Add Host.

Check Identity (only if source zone is LAN, DMZ or VPN) - Check identity allows you to check whether the specified user/user group from the selected zone is allowed access to the selected service or not.
Click Enable to check the user identity.

Destination - Displays the destination zone and host IP address/network address to which the rule applies.
Zone type cannot be modified.
Modify the host/network address if required.
The Host dropdown list also displays dynamic hosts and host groups which are automatically added on creation of VPN road warrior connections. It also displays the default hosts created for road warrior connections: ##ALL_RW, ##ALL_IPSEC_RW.
To define a host group based firewall rule you need to define a host group. Under the Select Address dropbox, click Create Host Group to define a host group from the firewall rule itself, or define it from Firewall → Host Group → Create. Under the Select Address dropbox, click Add Host to define a host from the firewall rule itself, or define it from Firewall → Host → Add Host.

Service/Service group - Services represent types of Internet data transmitted via particular protocols or applications.
Displays the service/service group to which the rule applies; modify if required.
If a Virtual host is selected as the destination host, you can configure services only if the selected virtual host is not port forwarded.
Under the Select Here dropbox, click Create Service Group to define a service group from the firewall rule itself, or define it from Firewall → Service → Create Service.
Cyberoam provides several standard services and also allows creating custom services. Under the Select Here dropbox, click Create Service to define a service from the firewall rule itself, or define it from Firewall → Service → Create Service.
Protect by configuring rules to:
• block services at a specific zone
• limit some or all users from accessing certain services
• allow only specific users to communicate using a specific service

Apply Schedule - Displays the rule’s schedule; modify if required.

Firewall Action When Criteria Match

Action - Displays the rule action; modify if required.
Accept – Allow access
Drop – Silently discards, i.e. without sending an ‘ICMP port unreachable’ message to the source
Reject – Denies access and sends an ‘ICMP port unreachable’ message to the source

Apply NAT (only if Action is ‘ACCEPT’) - Displays the NAT policy applied to the rule; modify if required.
It allows access but after changing the source IP address, i.e. the source IP address is substituted by the IP address specified in the NAT policy.
You can create a NAT policy from the firewall rule itself or define it from Firewall → NAT Policy → Create.
This option is not available if Cyberoam is deployed as a Bridge.

Advanced Settings - Click to apply different protection settings to the traffic controlled by the firewall. You can:
• Enable load balancing between multiple links
• Configure antivirus protection and spam filtering for SMTP, IMAP, POP3 and HTTP policies
• Apply a bandwidth policy
• Configure content filtering policies

Policy Settings

IDP Policy - Displays the IDP policy for the rule; modify if required.
To use IDP, you have to subscribe to the module. Refer to Licensing for more details.
Refer to IDP, Policy for details on creating an IDP policy.

Internet Access Policy (only if source zone is LAN) - Displays the Internet Access policy for the rule; modify if required. Internet Access policy controls web access.
Refer to Policies, Internet Access Policy for details on creating an Internet Access policy.

Bandwidth Policy - Displays the Bandwidth policy for the rule; modify if required. Only a Firewall Rule based Bandwidth policy can be applied.
Bandwidth policy allocates and limits the maximum bandwidth usage of the user.
Refer to Policies, Bandwidth Policy for details on creating a Bandwidth policy.

Route Through Gateway - Displays the routing policy; modify if required.
Can be applied only if more than one gateway is defined.
This option is not available if Cyberoam is deployed as a Bridge. Refer to the Multiple Gateway Implementation Guide for more details.

Virus & Spam Settings

Scan Protocol(s) - Displays the protocols for which virus and spam scanning is to be enabled; modify if required.
By default, HTTP scanning is enabled.
To implement Anti Virus and Anti Spam scanning, you have to subscribe to the Gateway Anti Virus and Anti Spam modules individually. Refer to Licensing for more details.
Refer to the Anti Virus Implementation Guide and Anti Spam Implementation Guide for details.

Log Traffic - Click to enable traffic logging for the rule.
Make sure firewall rule logging is ON/Enabled in Logging Management. Refer to Cyberoam Console Guide, Cyberoam Management for more details.
To log the traffic permitted and denied by the firewall rule, you need to turn ON/Enable firewall rule logging from the Web Admin Console → Firewall rule and from the Telnet Console → Cyberoam Management. Refer to the Cyberoam Console Guide for more details.
Refer to Appendix B - Network Traffic Logging Entry for more details.

Description - Displays the full description of the rule; modify if required.

Save button - Saves the rule.
Table – Edit Firewall Rule
Change Firewall Rule order
Rule order defines the rule processing priority. When the rules are applied, they are processed from the top down and the first suitable rule found is applied.
Hence, when adding multiple rules, put specific rules before general rules. Otherwise, a general rule might allow a packet that a rule written later in the list specifically denies. When a packet matches a rule, it is immediately dropped or forwarded without being tested against the rest of the rules in the list.
Select Firewall → Manage Firewall
Click the move button against the rule whose order is to be changed
Select Before or After as per the need
Click the rule to be moved and then click where it is to be moved.
Click Done to save the order
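The following is an added illustration of the top-down, first-match processing described above; it is not Cyberoam code. It models a rule list with a constructed, simplified rule structure (zone pair, CIDR or "any" for addresses, a single service name, an enabled flag, all assumptions), evaluates a packet against it, and flags rules that an earlier, more general rule shadows, which is the ordering mistake the text warns about.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Rule:                  # constructed model of one firewall rule (assumption, not product code)
    rule_id: int
    src_zone: str
    dst_zone: str
    src_net: str             # CIDR or "any"
    dst_net: str             # CIDR or "any"
    service: str             # e.g. "HTTP", or "any"
    action: str              # "Accept", "Drop" or "Reject"
    enabled: bool = True     # a deactivated rule is skipped, as with the Enable/Disable icon

def _covers(net, ip):        # does the rule's address set contain this IP?
    return net == "any" or ip_address(ip) in ip_network(net)

def _subsumes(outer, inner): # is every address of `inner` inside `outer`?
    return outer == "any" or (inner != "any" and ip_network(inner).subnet_of(ip_network(outer)))

def matches(r, src_zone, dst_zone, src_ip, dst_ip, service):
    return (r.enabled and (r.src_zone, r.dst_zone) == (src_zone, dst_zone)
            and _covers(r.src_net, src_ip) and _covers(r.dst_net, dst_ip)
            and r.service in ("any", service))

def evaluate(rules, src_zone, dst_zone, src_ip, dst_ip, service):
    """Top down, first match wins; returns (rule_id, action) or (None, None) if nothing matches."""
    for r in rules:
        if matches(r, src_zone, dst_zone, src_ip, dst_ip, service):
            return r.rule_id, r.action          # later rules are never consulted
    return None, None

def shadowed_rules(rules):
    """IDs of enabled rules that can never fire: an earlier enabled rule already matches all their traffic."""
    out = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (later.enabled and earlier.enabled
                    and (earlier.src_zone, earlier.dst_zone) == (later.src_zone, later.dst_zone)
                    and _subsumes(earlier.src_net, later.src_net)
                    and _subsumes(earlier.dst_net, later.dst_net)
                    and earlier.service in ("any", later.service)):
                out.append(later.rule_id)
                break
    return out

# Constructed sample: a general LAN->WAN Accept sits above a host-specific HTTP Drop,
# so the Drop is shadowed until the rules are reordered with the Move icon.
RULES = [Rule(1, "LAN", "WAN", "10.0.0.0/8", "any", "any", "Accept"),
         Rule(2, "LAN", "WAN", "10.0.5.25/32", "any", "HTTP", "Drop")]
```

Reversing the two sample rules removes the shadow, and the host-specific Drop then fires for that host while every other LAN host still reaches the general Accept.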
Append rule
Append Rule adds the new rule above the default rules if a rule set for that zone-to-zone pair already exists; otherwise it appends the new rule as a new zone-to-zone rule set at the end.
For example, consider the screen given below. If the new rule is for DMZ to LAN, a new rule set DMZ – LAN is created at the end and the rule is added to it. If the new rule is for LAN to WAN, the rule will be added above Rule ID 4, as Rule ID 3 and ID 4 are default rules.
Select Firewall → Manage Firewall Rules and click Append Rule
Customize Display Columns
By default, Manage Firewall Rules page displays details of the rule in the following eight columns: ID, Enable, Source, Identity, Destination, Service, Action and Manage. You can customize the number of columns to be displayed as per your requirement.
Select Firewall → Manage Firewall to open the manage page.
Click Select Columns. A new window opens. The ‘Available Columns’ list displays the columns that can be displayed on the page. Click the required column and use the Right arrow button to move it to the ‘Selected Columns’ list, then click Done.
Screen – Customized Screen Display of Manage Firewall Rules page
Delete Firewall Rule
Select Firewall → Manage Firewall Rules and click the delete icon against the rule to be deleted.
Screen - Delete Firewall rule
Note
Default rules cannot be deleted or deactivated.