Cloud Edge Secure Access Getting Started Guide

Firewall-as-a-Service


This article describes why and how you can protect and limit access to your resources by defining policies and rules based on user groups, source and destination IPs, ports, and network protocols.

The Firewall does more than control your inbound or outbound network traffic: it lets you manage all of your network traffic with user-based and network-based Rules that define which applications, resources, regions, and data centers can be accessed through the encrypted tunnels.

By enabling the Firewall you secure and control all traffic on one unified Software-Defined Perimeter (SDP).

For example, you can allow Groups of your users (each with their own policies and rules) access to specific parts of a certain network, only over a specific protocol and only when the traffic comes from your internal subnet IP range.

Activate the Firewall

You activate a set of Rules and Policies per SASE Network. If your tenant has more than one Network, you can activate the Firewall on some or all of them.

In order to activate the Firewall on an existing Network:

  1. Navigate to Network -> Firewall.
  2. In the Firewall screen, you will see all the Networks that you've created in your tenant.
  3. Select the appropriate Network, set the Network's Default Action, and turn on the toggle.

    The Default Action defines how connections and traffic that are not matched by any specific Network Policy Rule are treated.

    Allow - All traffic to all connected resources is allowed unless a specific Rule defines a different action.

    Deny - All traffic to all connected resources is blocked unless a specific Rule defines a different action.

  4. Click on Apply Changes.

Add a Rule

The Firewall policy for a Network is a list of Rules that defines its access and traffic-routing policies. You can create multiple Rules that apply specific policies to specific User Groups, Resources, and Protocols, as well as Network-wide Rules that apply to all traffic on the Network (e.g., block all traffic on a specific port).

To create a new Rule:

  1. Navigate to Networks -> Firewall.
  2. Click on (+) Add New Rule.
  3. Select the Network where the Rule should be added.
  4. Provide an indicative Name.
  5. Select the Action type.
  6. Add the Source and Destination Objects the Rule will apply to.
  7. Add the Services the Rule will apply to.

    The Source and Destination define the conditions that have to be met in order for the Action to be applied to the traffic.

    There are three types of Objects that can be used in the Source and Destination conditions:

    Any - All traffic (any address or user).

    Groups or Members - All traffic routed from/to a specific Member or Users Group.

    Addresses - Traffic routed from/to an IP Address, Subnet, or List of IPs.

    For Services, there are two types of Objects:

    Any - All traffic on all protocols and ports

    Services - Traffic routed on a specific Protocol or Ports.

  8. Drag the new Rule to the right Priority.

    Rules are applied in Priority order, from the top down (lowest number to highest), and the first matching Rule decides the action. Where Rules overlap, the Rule with the lower Priority number takes precedence (e.g., a Rule with Priority #2 takes precedence over a Rule with Priority #5), so a broad Allow placed above a narrower Deny makes that Deny unreachable.

  9. Click on Apply Changes.

Create Objects

Firewall Rules are built from Objects and User Groups.

  • Objects specify IP Addresses, Subnets, Network Protocols, and Ports.

  • User Groups control which users may access Objects (and be reached from them); they are managed via the Groups tab.

Addresses:

The Addresses Object allows you to define subnets, IP lists, and specific IP addresses that can be used in the Firewall rules.

To create a new Address Object:

  1. Navigate to Objects -> Addresses.

  2. Click on (+) Add Address.

  3. Provide an indicative Name and Description.

  4. Select the type of Object (IP, Subnet, or List) and provide the values.

  5. Click on Add Address.

Services:

The Services Object allows you to define Network Protocols, Port lists, and specific Ports that can be used in the Firewall rules.

To create a new Services Object:

  1. Navigate to Objects -> Services.

  2. Click on (+) Add Service.

  3. Provide an indicative Name and Description.

  4. Select the Protocol, type of Service (Port, Range, or List) and provide the values.

  5. Click on Add Service.
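The following is an added example, not code from the product or this guide: a small Python model of the evaluation order described under "Add a Rule" and of the Address and Service Object types above. The helper names (make_address, make_service, evaluate), the Rule fields, and the sample policy are assumptions constructed for illustration; it shows how Priority order and the Network's Default Action together decide whether a connection is allowed.

```python
import ipaddress
from dataclasses import dataclass

ANY = None  # the "Any" Object: matches every address or service

def make_address(*values):
    """Address Object (hypothetical helper): a single IP, a Subnet, or a List of IPs/subnets."""
    return [ipaddress.ip_network(v, strict=False) for v in values]

def address_matches(obj, ip):
    return obj is ANY or any(ipaddress.ip_address(ip) in net for net in obj)

def make_service(protocol, *ports):
    """Service Object (hypothetical helper): a Protocol plus a Port, a Range like '3389-3390', or a List."""
    ranges = []
    for p in ports:
        lo, _, hi = str(p).partition("-")
        ranges.append((int(lo), int(hi or lo)))
    return (protocol.lower(), ranges)

def service_matches(svc, protocol, port):
    return svc is ANY or (svc[0] == protocol.lower()
                          and any(lo <= port <= hi for lo, hi in svc[1]))

@dataclass
class Rule:
    priority: int           # lower number is evaluated first
    name: str
    action: str             # "allow" or "deny"
    source: object = ANY    # Address Object or ANY
    destination: object = ANY
    service: object = ANY   # Service Object or ANY

def evaluate(rules, default_action, src_ip, dst_ip, protocol, port):
    """Return (action, rule name): first matching Rule by Priority, else the Network's Default Action."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if (address_matches(rule.source, src_ip)
                and address_matches(rule.destination, dst_ip)
                and service_matches(rule.service, protocol, port)):
            return rule.action, rule.name
    return default_action, "default-action"

# Constructed sample policy for a Network whose Default Action is Deny (not from the page).
RULES = [
    Rule(5, "block-rdp-everywhere", "deny", service=make_service("tcp", 3389)),
    Rule(2, "admin-subnet-to-db-hosts", "allow",
         source=make_address("10.10.0.0/24"),                 # Subnet
         destination=make_address("10.20.0.5", "10.20.0.6"),  # List of IPs
         service=make_service("tcp", 5432, "3389-3390")),     # Port and Range
]
```

Calling evaluate(RULES, "deny", "10.10.0.7", "10.20.0.5", "tcp", 3389) returns the Priority #2 Allow even though Priority #5 denies the same port, while a source outside 10.10.0.0/24 is caught by the Deny Rule, and anything else falls through to the Default Action.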
