Kaspersky SD-WAN

Managing the firewall

17 April 2024

ID 269973

Kaspersky SD-WAN supports a firewall for filtering traffic packets on a CPE device. The firewall can accept, drop, or reject traffic packets. If a traffic packet is rejected, the sender receives an icmp-reject message. The firewall can apply each action to inbound and outbound traffic packets, as well as to traffic packets redirected between network interfaces and subnets.

To avoid configuring each device individually, you can specify firewall settings in a firewall template and then apply the template to devices when adding or manually registering them. If you edit a firewall setting in a template, that setting is automatically modified on all CPE devices that are using the template. When you edit a firewall setting on a CPE device, that setting becomes independent of the firewall template. When the same setting is edited in the firewall template, the change is not propagated to the CPE device.

To perform actions with traffic packets relayed through network interfaces and subnets, you must place these network interfaces and subnets in a firewall zone (hereinafter also referred to as 'zone'). You can create common zones that can be used by multiple CPE devices and zones on an individual device. When creating a zone, you specify actions that you want to be applied to traffic packets and add subnets to the zone. You can add network interfaces to a zone when creating or editing such network interfaces. To allow or deny traffic between two zones, you can create a forwarding.

You cannot edit a common zone because it can be used by a large number of CPE templates and devices, and editing such a zone would result in a mass update of all components that are using it, which would overload the orchestrator. If you want to edit a common zone, you must create a new common zone. To the newly created common zone, you can add the network interfaces and subnets that were added to the previous common zone.

To perform actions with traffic packets based on the specified criteria, you must create firewall rules. For example, you can create a firewall rule that rejects traffic packets with a specified source zone. If you want to specify the same IP addresses or subnets in multiple firewall rules, you can create an IP set.

When a traffic packet is forwarded to a CPE device, one of the firewall rules is applied to the traffic packet. If none of the firewall rules can be applied, the action specified in the settings of the zone to which this packet was sent is applied to the traffic packet. If the traffic packet was not forwarded to any of the zones, the default action is applied to it; you can specify the default action when configuring basic firewall settings.
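The three-tier precedence described above (matching firewall rule, then the action of the destination zone, then the default action from the basic firewall settings) modelled as an added example; this is illustrative code, not Kaspersky SD-WAN's implementation. It assumes rules are checked in order with the first match winning, identifies zones by their subnets only (the product also places network interfaces in zones), and uses constructed IPv4 addresses and zone names.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Zone:
    name: str
    subnets: list            # CIDR prefixes whose addresses belong to this zone
    default_action: str      # applied when no firewall rule matches

@dataclass
class Rule:                  # a None criterion means "any"
    action: str
    src_zone: Optional[str] = None
    proto: Optional[str] = None
    dst_port: Optional[int] = None

@dataclass
class Firewall:
    zones: list
    rules: list              # checked in order, first match wins (assumption)
    default_action: str      # basic firewall setting for packets outside every zone

    def zone_of(self, ip: str) -> Optional[Zone]:
        addr = ip_address(ip)
        for z in self.zones:
            if any(addr in ip_network(s) for s in z.subnets):
                return z
        return None

    def evaluate(self, src_ip, dst_ip, proto, dst_port):
        src_zone, dst_zone = self.zone_of(src_ip), self.zone_of(dst_ip)
        for r in self.rules:                      # 1. explicit firewall rules
            if r.src_zone and (src_zone is None or src_zone.name != r.src_zone):
                continue
            if r.proto and r.proto != proto:
                continue
            if r.dst_port and r.dst_port != dst_port:
                continue
            return r.action, "rule"
        if dst_zone is not None:                  # 2. action of the destination zone
            return dst_zone.default_action, "zone:" + dst_zone.name
        return self.default_action, "default"     # 3. default action (basic settings)

# Constructed sample policy, not a real deployment.
FW = Firewall(
    zones=[Zone("lan", ["10.0.0.0/24"], "accept"), Zone("wan", ["203.0.113.0/24"], "drop")],
    rules=[Rule("reject", src_zone="wan", proto="tcp", dst_port=23)],
    default_action="reject")
```

Calling `FW.evaluate(...)` with a packet from the wan zone to 10.0.0.10 on TCP port 23 returns the rule's reject, the same packet on port 443 falls through to the lan zone's accept, and a packet to an address in no zone gets the default action.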

The firewall supports the following network address translation (NAT) mechanisms:

  • DNAT rules can replace the following elements of traffic packets with your specified values:
    • Destination IP addresses or prefixes
    • Destination zones
    • Destination ports (Port Address Translation, PAT)
  • SNAT rules can replace source IP addresses or prefixes of traffic packets with your specified values.

DNAT rules and SNAT rules are applied to traffic packets based on the specified criteria. For example, you can create a DNAT rule that replaces the destination IP address of TCP traffic packets.

In this Help section

Managing firewall zones

Managing firewall templates

Basic firewall settings

Configuring DPI marking

Managing firewall rules

Managing IP sets

Managing forwarding

Managing DNAT rules

Managing SNAT rules

Changing the firewall template of a CPE device
