Kaspersky SD-WAN

Editing a firewall rule

17 April 2024

ID 270229

You can edit a firewall rule in a firewall template or on a CPE device. When you edit a firewall rule in a template, the change is automatically applied to every CPE device that uses the template, so review a template rule carefully before saving it.

To edit a firewall rule:

  1. Open the list of firewall rules in one of the following ways:
    • If you want to edit a firewall rule in a firewall template, go to the SD-WAN → Firewall templates menu section, click the template and in the displayed settings area, select the Rules tab.
    • If you want to edit a firewall rule on a CPE device, go to the SD-WAN → CPE menu section, click the device, and in the displayed settings area, select the Firewall settings → Rules tab and select the Override check box.

    A table of firewall rules is displayed.

  2. Click Edit next to the firewall rule that you want to edit.
  3. In the window that opens, in the Name field, enter the name of the firewall rule. Maximum length: 255 characters.
  4. In the Action drop-down list, select the action that the firewall rule must apply to traffic packets:
    • ACCEPT to accept traffic packets. Default value.
    • DROP to drop traffic packets.
    • REJECT to reject traffic packets and send an ICMP reject message back to the sender.
    • ADJ-MSS to set the MSS field in the TCP header of the traffic packets to the specified value (TCP MSS clamping). If you select this value, in the MSS value field, enter the MSS value. Range of values: 68 to 10,000.
  5. Specify the criteria according to which the firewall must apply the rule to traffic packets:
    1. If you want to apply the firewall rule only to traffic packets with the specified source or destination IP addresses or subnets, in the IP set drop-down list, select a previously created IP set. If you select a value from this drop-down list, the Source IP and Destination IP blocks become unavailable.
    2. If you want to apply the firewall rule only to traffic packets with the specified version of source or destination IP addresses or subnets, in the IP version drop-down list, select one of the following options:
      • IPv4
      • IPv6

      If you do not select a value, the firewall rule is applied to traffic packets with any version of source or destination IP addresses or subnets.

    3. If you want to apply the firewall rule only to traffic packets with the specified source zone, in the Source zone drop-down list, select a previously created zone.
    4. If you want to apply the firewall rule only to traffic packets with the specified destination zone, in the Destination zone drop-down list, select a previously created zone.
    5. If you want to apply the firewall rule only to traffic packets with the specified source IPv4 address or prefix:
      1. Under Source IP, click + Add.
      2. In the field that is displayed, enter an IPv4 address or prefix.

      The source IPv4 address or prefix is specified and displayed under Source IP. You can specify multiple IPv4 addresses or prefixes; to delete an IPv4 address or prefix, click the delete icon next to it.

    6. If you want to apply the firewall rule only to traffic packets with the specified destination IPv4 address or prefix:
      1. Under Destination IP, click + Add.
      2. In the field that is displayed, enter an IPv4 address or prefix.

      The destination IPv4 address or prefix is specified and displayed under Destination IP. You can specify multiple IPv4 addresses or prefixes; to delete an IPv4 address or prefix, click the delete icon next to it.

    7. If you want to apply the firewall rule only to traffic packets of the specified protocol, select a protocol in the Protocol drop-down list. When you select an option in this drop-down list, the DPI protocol drop-down list becomes unavailable.

      With TCP or UDP selected, if you want to apply the firewall rule only to traffic packets with the specified source and/or destination ports:

      1. In the Source port field, enter a source port number or a range of source port numbers.
      2. In the Destination port field, enter a destination port number or a range of destination port numbers.

      Range of values: 0 to 65,535. The format of the port number range is <first value>-<last value>. For example, you can enter 10 or 10-15.

    8. If you want to apply the firewall rule only to traffic packets of the specified application, select an application in the DPI protocol drop-down list.

      Traffic is attributed to applications using the DPI technology, which places additional load on the CPU of the CPE device.

      You can specify the DPI marks that determine the traffic packets the rule is applied to. A rule that matches on a DPI protocol depends on DPI being enabled: if you disabled the DPI technology when specifying the basic settings of the firewall, the rule is automatically disabled.

  6. Click Save.

    The firewall rule is modified and updated in the table.

  7. In the upper part of the settings area, click Save to save the settings of the firewall template or CPE device.
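Because a template edit propagates to every CPE device that uses the template, it pays to check a batch of rule definitions for the constraints listed above before saving them. The following is an added example, not code from Kaspersky SD-WAN: the product exposes these fields only in its web UI, and the FirewallRule dataclass, the field names and the function names are a hypothetical representation of the form. It encodes the rules this page states (name length, MSS range, port number range and N-M format, IP set excluding Source IP / Destination IP, Protocol excluding DPI protocol, ports only with TCP or UDP, a DPI rule being disabled when DPI is off) plus one assumption that is marked as such in the code.

```python
"""Consistency check for a firewall rule as the editing form describes it.
Hypothetical representation: the product does not publish this dataclass or
these function names; the field set mirrors the web form."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ACTIONS = ("ACCEPT", "DROP", "REJECT", "ADJ-MSS")
MSS_MIN, MSS_MAX = 68, 10_000      # MSS value range stated for ADJ-MSS
PORT_MAX = 65_535                  # port numbers are 0..65535
NAME_MAX = 255                     # maximum rule name length
_PORT_RE = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")   # "10" or "10-15"


@dataclass
class FirewallRule:
    """One row of the Rules table; None or an empty list means 'not set'."""
    name: str
    action: str = "ACCEPT"
    mss_value: Optional[int] = None          # only meaningful with ADJ-MSS
    ip_set: Optional[str] = None             # replaces Source IP / Destination IP
    ip_version: Optional[str] = None         # None, "IPv4" or "IPv6"
    source_zone: Optional[str] = None
    destination_zone: Optional[str] = None
    source_ip: List[str] = field(default_factory=list)       # IPv4 addresses/prefixes
    destination_ip: List[str] = field(default_factory=list)
    protocol: Optional[str] = None           # e.g. "TCP", "UDP", "ICMP"
    source_port: Optional[str] = None        # "N" or "N-M", TCP/UDP only
    destination_port: Optional[str] = None
    dpi_protocol: Optional[str] = None       # application match; excludes Protocol


def parse_port_spec(spec: str) -> Tuple[int, int]:
    """Parse 'N' or 'N-M' into (first, last); raise ValueError if malformed."""
    m = _PORT_RE.match(spec.strip())
    if not m:
        raise ValueError(f"{spec!r}: use a single port or <first value>-<last value>")
    first = int(m.group(1))
    last = int(m.group(2)) if m.group(2) is not None else first
    if last > PORT_MAX:
        raise ValueError(f"{spec!r}: port numbers must be 0..{PORT_MAX}")
    if first > last:
        raise ValueError(f"{spec!r}: first value exceeds last value")
    return first, last


def validate_rule(rule: FirewallRule, dpi_enabled: bool = True) -> List[str]:
    """Return the problems found; an empty list means the rule is consistent."""
    problems: List[str] = []
    if not rule.name or len(rule.name) > NAME_MAX:
        problems.append(f"name must be 1..{NAME_MAX} characters")
    if rule.action not in ACTIONS:
        problems.append(f"unknown action {rule.action!r}")
    if rule.action == "ADJ-MSS":
        if rule.mss_value is None or not MSS_MIN <= rule.mss_value <= MSS_MAX:
            problems.append(f"ADJ-MSS requires an MSS value in {MSS_MIN}..{MSS_MAX}")
    elif rule.mss_value is not None:
        problems.append("MSS value is only used with the ADJ-MSS action")
    if rule.ip_version not in (None, "IPv4", "IPv6"):
        problems.append(f"IP version must be IPv4, IPv6 or unset, not {rule.ip_version!r}")
    # Selecting an IP set makes the Source IP / Destination IP blocks unavailable.
    if rule.ip_set and (rule.source_ip or rule.destination_ip):
        problems.append("IP set is selected; Source IP / Destination IP must be empty")
    for label, addrs in (("Source IP", rule.source_ip), ("Destination IP", rule.destination_ip)):
        for entry in addrs:
            try:
                net = ipaddress.ip_network(entry, strict=False)   # "10.0.0.1" or "10.0.0.0/24"
            except ValueError:
                problems.append(f"{label} {entry!r} is not an IP address or prefix")
                continue
            if net.version != 4:
                problems.append(f"{label} {entry!r}: the form takes IPv4 addresses or prefixes")
    # Assumption (not stated on the page): IPv4 entries with IP version IPv6 never match.
    if rule.ip_version == "IPv6" and (rule.source_ip or rule.destination_ip):
        problems.append("IP version IPv6 with IPv4 Source/Destination IP entries matches nothing")
    # Protocol and DPI protocol are mutually exclusive in the form.
    if rule.protocol and rule.dpi_protocol:
        problems.append("Protocol and DPI protocol cannot both be set")
    if (rule.source_port or rule.destination_port) and rule.protocol not in ("TCP", "UDP"):
        problems.append("source/destination ports require Protocol TCP or UDP")
    for label, spec in (("Source port", rule.source_port), ("Destination port", rule.destination_port)):
        if spec:
            try:
                parse_port_spec(spec)
            except ValueError as exc:
                problems.append(f"{label} {exc}")
    # A DPI-based rule is disabled automatically when DPI is off in the basic settings.
    if rule.dpi_protocol and not dpi_enabled:
        problems.append("DPI protocol set while DPI is disabled: the rule will be disabled")
    return problems


def audit_rules(rules: List[FirewallRule], dpi_enabled: bool = True) -> Dict[str, List[str]]:
    """Map rule name -> problems for every rule that has any; run this before saving a template."""
    return {r.name: p for r in rules if (p := validate_rule(r, dpi_enabled))}


if __name__ == "__main__":
    # Constructed sample rules, not taken from any real deployment.
    sample = [
        FirewallRule("allow-mgmt-ssh", source_zone="lan", destination_zone="mgmt",
                     source_ip=["10.10.0.0/24"], protocol="TCP", destination_port="22"),
        FirewallRule("clamp-wan", action="ADJ-MSS", mss_value=1360, destination_zone="wan"),
        FirewallRule("bad-ports", protocol="UDP", destination_port="70000-70010"),
        FirewallRule("bad-dpi", protocol="TCP", dpi_protocol="ssh", ip_set="servers",
                     destination_ip=["192.0.2.1"]),
    ]
    for name, issues in audit_rules(sample).items():
        print(name, "->", "; ".join(issues))
```

Run it against an exported or hand-written rule list and fix every reported problem before clicking Save in the template; the UI enforces some of these constraints by greying fields out, but a batch check catches combinations (a DPI rule in a template whose DPI setting is off, a port range with a reversed or out-of-range value) before they reach every CPE device.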
