SonicOS 7 Rules and Policies

Configuring Access Rules

To configure rules, the service or service group that the rule applies to must first be defined. If it is not, you can define the service or service group and then create one or more rules for it.

The following procedure describes how to add, modify, reset to defaults, or delete firewall rules on appliances running SonicOS. Paginated navigation and sorting by column header are supported on the Access Rules screen: in the Access Rules table, click the column header you want to sort by. An arrow is displayed to the right of the selected column header; click the arrow to reverse the sort order of the entries in the table.

By hovering your mouse over entries on the Access Rules screen, you can display information about an object, such as an Address Object or Service.

IPv6 is supported for Access Rules. Filter for IPv6 Access Rules from the Access Rules Search drop-down menus. A list of results displays in a table.

Access Rules

From there you can click the Configure icon for the Access Rule you want to edit. The IPv6 configuration for Access Rules is almost identical to IPv4.

To configure an access rule

  1. Navigate to POLICY | Rules and Policies > Access Rules. The Access Rules page displays; it lets you see multiple views of any Access Rule by clicking the associated arrow on the left side of the Access Rule table.
  2. From the default view, hover over the appropriate Access Rule and the Configure options appear on the right side. Click the Edit pencil icon to view the Source and Destination interfaces for which you are configuring the rule. The Editing Rule page for that interface pair displays.
  3. Or from the Access Rules table, click +Add at the bottom of the table. The Adding Rule dialog box displays.

    Add/Edit Access Rule

  4. In the initial view, add or edit the My Rule Name.
  5. You can provide a short description of your access rule in the Description area.
  6. Select an Action, whether to Allow, Deny, or Discard access.

    • Allow - As long as the Enable option is selected, your access rule is active.

    • Deny - The firewall denies all connections matching this rule; for web traffic, the block page specified in the action profile is served. The firewall also resets the connections on both sides.

    • Discard - The firewall silently drops any packets matching this rule.

  7. Specify the IP Version, IPv4 or IPv6.
  8. Set your access rule's Priority. You can choose to Auto Prioritize, Insert at the End, or a Manual priority for your access rule.
  9. Specify when the rule is applied by selecting a schedule from the Schedule drop-down menu. If the rule should always be applied, select Always. If the schedule you want is not listed in the drop-down menu, click the pencil icon to the right of the menu and create a New Schedule Object. The Adding Schedule Object dialog appears.

  10. Enter the specifics that meet your scheduling requirements. Additional options appear depending on your selections. Click Save. Your custom scheduling option appears in the Schedule drop-down menu already selected.

  11. After you are satisfied with all Action settings, click the Enable option to activate the access rule.

Source / Destination

With the basis of the access rule established, you are now ready to assign specifics to your interface pair.

  1. In the Source/Destination tab, select the desired Source and Destination Zone/Interface options from the appropriate drop-down menus.

  • There are no default Zones or Interfaces. Any is supported for both Zone/Interface fields.
  • Select or create a Source network address object from the Address drop-down menu.
  • Select or create a Destination network address object from the Address drop-down menu.
  • For Port/Services, select or create a Service Object or Service Group in the Source column. When configured, the access rule filters traffic based on the source port defined in the selected Port/Services. The Port/Services selected must have the same protocol types as the ones selected in Destination Port/Services.
  • Click Show Diagram for a view of the connections you have created.

    User & TCP/UDP

    1. Specify if this rule applies to all users or to an individual user or group of users in the Include drop-down menu. You can exclude users in the same way using the Exclude drop-down menu.
    2. To have the access rule time out after a period of TCP inactivity, set the amount of time, in minutes, in the TCP Inactivity Timeout (minutes) field. The default value is 15 minutes.
    3. To have the access rule time out after a period of UDP inactivity, set the amount of time, in seconds, in the UDP Inactivity Timeout (seconds) field. The default value is 30 seconds.
    4. Click Show Diagram for a view of the connections you have created.

    Security Profiles

    In the Decryption Services section:

    1. To disable Deep Packet Inspection (DPI) scanning on a per-rule basis, deselect DPI. This option is enabled by default.
    2. To disable client-side DPI-SSL scanning of traffic matching this rule, deselect Client DPI-SSL. Client DPI-SSL scanning inspects HTTPS traffic when clients on the appliance’s LAN access content located on the WAN.
    3. To disable server-side DPI-SSL scanning of traffic matching this rule, deselect Server DPI-SSL. Server DPI-SSL scanning inspects HTTPS traffic when remote clients connect over the WAN to access content located on the appliance’s LAN.

    Botnet / CC

    1. If you want to use the Botnet Filter, enable Botnet/CC. It is disabled by default.

    Geo-IP Filter

    To configure GeoIP settings

    1. Enable Geo-IP Filter to apply a filter to traffic matching this rule.
    2. For the Geo-IP Filter Mode, select Global to apply the entire Allowed Countries list for this rule, or select Custom to specify a customized Allowed Countries list for this rule. Enabling the Geo-IP Filter and the Custom Geo-IP Filter Mode enables the Allowed Countries and Blocked Countries fields.
      1. To select a country, click it in the Allowed Countries list and use the right arrow to move it to the Blocked Countries list.
      2. To remove a country from the Blocked Countries list, click it and use the left arrow to move it back to the Allowed Countries list.
    3. Select Block Unknown Countries to block traffic matching no known country.
    4. Click Show Diagram for a view of the connections you have created.

    Traffic Shaping

    Configure QoS (Quality of Service) if you want to apply DSCP Marking or 802.1p Marking to all traffic governed by this rule.

    1. Under DSCP Marking, select the DSCP Marking action from the drop-down menu:

      • None: DSCP values in packets are reset to 0.
      • Preserve (default): DSCP values in packets remain unaltered.
      • Explicit: The Explicit DSCP Value drop-down menu displays. Select a numeric value between 0 and 63. Some standard values are:

        0 - Best effort/Default (default)
        8 - Class 1
        10 - Class 1, Gold (AF11)
        12 - Class 1, Silver (AF12)
        14 - Class 1, Bronze (AF13)
        16 - Class 2
        18 - Class 2, Gold (AF21)
        20 - Class 2, Silver (AF22)
        22 - Class 2, Bronze (AF23)
        24 - Class 3
        26 - Class 3, Gold (AF31)
        27 - Class 3, Silver (AF32)
        30 - Class 3, Bronze (AF33)
        32 - Class 4
        34 - Class 4, Gold (AF41)
        36 - Class 4, Silver (AF42)
        38 - Class 4, Bronze (AF43)
        40 - Express Forwarding
        46 - Expedited Forwarding (EF)
        48 - Control
        56 - Control

      • Map: The page displays, “Note: The QoS Mapping Settings on the POLICY | Firewall > QoS Mapping page will be used.”
        • The Allow 802.1p Marking to override DSCP values checkbox displays. Select it to allow DSCP values to be overridden by 802.1p marking. This option is disabled by default.

    2. Under 802.1p Marking, select the 802.1p Marking action from the drop-down menu:

      • None (default): No 802.1p tagging is added to the packets.
      • Preserve: 802.1p values in packets remain unaltered.
      • Explicit: The Explicit 802.1p Value drop-down menu displays. Select a numeric value between 0 and 7:

        0 - Best effort (default)
        1 - Background
        2 - Spare
        3 - Excellent effort
        4 - Controlled load
        5 - Video (<100ms latency)
        6 - Voice (<10ms latency)
        7 - Network control

      • Map: The page displays, “Note: The QoS Mapping Settings on the POLICY | Firewall > QoS Mapping page will be used.”
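As an added example (not from the SonicOS documentation), the following Python decodes an explicit DSCP or 802.1p value into the name these drop-downs use. The Assured Forwarding names are derived from the RFC 2597 bit layout rather than looked up, so the result tells you which class a chosen codepoint actually encodes; the name tables and function names are my own.

```python
# Added example (not from the SonicOS documentation): decode an explicit
# DSCP or 802.1p value into the name the Traffic Shaping drop-downs use.
# Assured Forwarding names are derived from the RFC 2597 bit layout, so
# the result tells you which class a chosen codepoint actually encodes.

DSCP_MAX = 63   # DSCP is the 6-bit field in the IP DS byte
PCP_MAX = 7     # 802.1p priority is a 3-bit field

# Fixed codepoints from the page's list that are not AF classes.
SPECIAL = {0: "Best effort/Default", 40: "Express Forwarding",
           46: "Expedited Forwarding (EF)", 48: "Control", 56: "Control"}
DROP_PRECEDENCE = {1: "Gold", 2: "Silver", 3: "Bronze"}
# 802.1p names from the page's list, indexed by priority value 0..7.
PCP_NAMES = ["Best effort", "Background", "Spare", "Excellent effort",
             "Controlled load", "Video (<100ms latency)",
             "Voice (<10ms latency)", "Network control"]

def af_components(dscp):
    """Return (class, drop precedence) for an Assured Forwarding codepoint,
    or None. AF codepoints are laid out as cccdd0: class 1..4 in the top
    three bits, drop precedence 1..3 in the next two, low bit zero."""
    if not 0 <= dscp <= DSCP_MAX:
        raise ValueError(f"DSCP must be 0..{DSCP_MAX}, got {dscp}")
    af_class, drop, low_bit = dscp >> 3, (dscp >> 1) & 0b11, dscp & 1
    if low_bit == 0 and 1 <= af_class <= 4 and 1 <= drop <= 3:
        return af_class, drop
    return None

def describe_dscp(dscp):
    """Name a DSCP as the drop-down does, e.g. 34 -> 'Class 4, Gold (AF41)'."""
    if dscp in SPECIAL:
        return SPECIAL[dscp]
    af = af_components(dscp)          # also range-checks the value
    if af:
        af_class, drop = af
        return f"Class {af_class}, {DROP_PRECEDENCE[drop]} (AF{af_class}{drop})"
    if dscp & 0b111 == 0:             # class selector codepoints 8, 16, 24, 32
        return f"Class {dscp >> 3}"
    return "Unnamed codepoint"

def describe_pcp(pcp):
    """Name an explicit 802.1p priority value 0..7."""
    if not 0 <= pcp <= PCP_MAX:
        raise ValueError(f"802.1p value must be 0..{PCP_MAX}, got {pcp}")
    return PCP_NAMES[pcp]
```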

    BWM (Bandwidth Management)

    Bandwidth Management (BWM) is disabled by default for both inbound and outbound traffic. You can enable Bandwidth Management with a Profile Object at OBJECT | Profile Objects > Bandwidth.

    To enable BWM for outbound (egress) and inbound (ingress) traffic

    1. To enable BWM for outbound traffic, select Egress BWM. This option is disabled by default.

      1. Select the bandwidth object from the drop-down menu.

    2. To enable BWM for inbound traffic, select Ingress BWM. This option is disabled by default.

      1. Select a bandwidth object from the drop-down menu.

    3. To track bandwidth usage, select Track Bandwidth Usage. This option is disabled by default. To select this option, you must enable either or both of the BWM options.

    4. Click Show Diagram for a view of the connections you have created.

    Logging

    1. To disable logging for this rule, deselect Logging.
    2. To enable Flow Reporting, turn on the Flow Reporting slider.
    3. Click Show Diagram for a view of the connections you have created.

    Optional Settings

    VoIP Transformations

    1. To enable SIP transformation on traffic matching this access rule, slide on the SIP toggle. This option is not selected by default.

      By default, SIP clients use their private IP address in the SIP (Session Initiation Protocol) Session Definition Protocol (SDP) messages that are sent to the SIP proxy. If your SIP proxy is located on the public (WAN) side of the firewall and the SIP clients are located on the private (LAN) side of the firewall, the SDP messages are not translated and the SIP proxy cannot reach the SIP clients. Enabling SIP transformation solves this problem by having SonicOS transform SIP messages going from LAN to WAN by changing the private IP address and assigned port.

    2. To enable H.323 transformation on traffic matching this access rule, slide on the H.323 toggle.

      H.323 is supported for both IPv4 and IPv6. However, H.323 does not function as a bridge between IPv4 and IPv6. If an ingress H.323 stream to the firewall is in IPv4 mode, on the egress side it stays in IPv4 mode. The same is true for IPv6 mode. The associated media sessions (such as audio and video sessions) hosted by the H.323 signaling stream have the same address mode as the H.323 signaling session. For example, if the H.323 signaling handshake is in IPv6 mode, all the RTP/RTCP streams generated from this H.323 signaling stream are in IPv6 mode as well.

    TCP Options

    Allow TCP Urgent Packets - Sets an action for TCP urgent packets. Enable the toggle to allow such packets, or clear it to disallow them. The toggle is cleared by default.

    SonicOS tags urgent packets to indicate that the packet contains information of higher priority than other data found within the stream. The exact interpretation of an urgent packet is vague; therefore, end systems handle these urgent offsets in different ways, which could make the firewall vulnerable to attacks. Use this feature cautiously.

    Connection Thresholds

    1. Specify the number of connections allowed as a percentage of the maximum number of connections allowed by the appliance in the Number of Connections allowed (% of max connections) field. Refer to About Connection Limiting for more information on connection limiting.
    2. Select Enable Connection Threshold for each Source IP to define a Threshold for dropped packets. When this threshold is exceeded, connections and packets from the corresponding Source IP are dropped. The minimum number is 0, the maximum is 65535, and the default is 128.
    3. Select Enable Connection Threshold for each Destination IP to define a Threshold for dropped packets. When this threshold is exceeded, connections and packets destined for the corresponding Destination IP are dropped. The minimum number is 0, the maximum is 65535, and the default is 128.

    Others

    1. Click Allow Management Traffic. If this option is enabled, both management and non-management traffic is allowed.
    2. Check Allow Fragmented Packets to allow fragmented packets. Fragmented packets are used in certain types of Denial of Service attacks and, by default, are blocked. You should only enable Allow Fragmented Packets if users are experiencing problems accessing certain applications and the SonicWall logs show many dropped fragmented packets.
    3. Check Enable Packet Monitor to allow packets to be monitored.
    4. Check Create Reflexive Rule to automatically create a reflexive firewall rule for the protected host. The Reflexive Rule uses the same policies as those configured for the hosted server, but instead of applying to traffic from the source zone to the destination zone, it applies to traffic from the destination zone to the source zone.
    5. Click Show Diagram for a view of the connections you have created.
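As an added example (not SonicOS code), the following Python models the rule fields described above, checks the constraints this page states (Source and Destination Port/Services must use the same protocol, Track Bandwidth Usage needs Egress and/or Ingress BWM, connection thresholds lie within 0 to 65535), and derives the Reflexive Rule by swapping zones. Swapping the address objects along with the zones is an assumption, and all class, field and function names are my own.

```python
# Added example (not SonicOS code): a minimal model of the Access Rule fields
# described above, carrying the constraints the page states, plus generation
# of the Reflexive Rule (the same policy applied from the destination zone
# back to the source zone). Swapping address objects with the zones is an assumption.
from dataclasses import dataclass, replace
from typing import Optional

ACTIONS = {"Allow", "Deny", "Discard"}
THRESHOLD_MAX = 65535                 # Connection Threshold range 0..65535, default 128

@dataclass(frozen=True)
class Service:
    name: str
    protocol: str                     # "TCP" or "UDP"

@dataclass(frozen=True)
class AccessRule:
    name: str
    action: str
    src_zone: str
    dst_zone: str
    src_address: str
    dst_address: str
    dst_service: Service
    src_service: Optional[Service] = None    # optional Source Port/Services
    egress_bwm: bool = False
    ingress_bwm: bool = False
    track_bandwidth: bool = False            # needs Egress and/or Ingress BWM
    src_ip_threshold: Optional[int] = 128    # None = threshold disabled
    dst_ip_threshold: Optional[int] = 128

def validate(rule):
    """Return the list of constraint violations; empty means the rule is consistent."""
    problems = []
    if rule.action not in ACTIONS:
        problems.append(f"action must be one of {sorted(ACTIONS)}")
    if rule.src_service and rule.src_service.protocol != rule.dst_service.protocol:
        problems.append("source and destination Port/Services must use the same protocol")
    if rule.track_bandwidth and not (rule.egress_bwm or rule.ingress_bwm):
        problems.append("Track Bandwidth Usage requires Egress BWM and/or Ingress BWM")
    for side, value in (("source", rule.src_ip_threshold), ("destination", rule.dst_ip_threshold)):
        if value is not None and not 0 <= value <= THRESHOLD_MAX:
            problems.append(f"{side} IP connection threshold must be 0..{THRESHOLD_MAX}")
    return problems

def reflexive_rule(rule):
    """Same policy, but matching traffic from the destination zone to the source zone."""
    return replace(rule, name=f"{rule.name} (reflexive)",
                   src_zone=rule.dst_zone, dst_zone=rule.src_zone,
                   src_address=rule.dst_address, dst_address=rule.src_address)
```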
