Create a firewall rule

Firewall rules examine the control information in individual packets, and either block or allow them according to the criteria that you define. Firewall rules can be assigned to a policy or directly to a computer.

For information on how to configure the firewall module, see Set up the Server & Workload Protection firewall.

To create a new firewall rule:

Add a new rule.
Select the behavior and protocol of the rule.
Select a Packet Source and Packet Destination.

When you are done with your firewall rule, you can also do the following:

Configure rule events and alerts
Set a schedule for the rule
Assign a context to the rule
See policies and computers a rule is assigned to

Add a new rule

There are three ways to add a new firewall rule through Policies → Common Objects → Rules → Firewall Rules. You can do one of the following:

Create a new rule by clicking New → New Firewall Rule.
Import a rule from an XML file by clicking New → Import From File.
Copy and then modify an existing rule. To do this, right-click the rule in the Firewall Rules list, and then click Duplicate. To edit the new rule, select it, and then click Properties.

Select the behavior and protocol of the rule

Enter a Name and Description for the rule.

It is good practice to document all firewall rule changes in the Description field of the firewall rule. Make a note of when and why rules were created or deleted for easier firewall maintenance.
Select the Action that the rule should perform on packets. You can select from one of five actions. Note that only one rule action is applied to a packet, and rules (of the same priority) are applied in the order of precedence, as follows:
- The rule can allow traffic to bypass the firewall. A bypass rule allows traffic to pass through the firewall and intrusion prevention engine at the fastest possible rate. Bypass rules are meant for traffic using media intensive protocols where filtering may not be desired or for traffic originating from trusted sources.
  Bypass rules are unidirectional, therefore explicit rules are required for each direction of traffic.
  You can achieve maximum throughput performance on a bypass rule with the following settings:
  - Priority: Highest
  - Frame Type: IP
  - Protocol: TCP, UDP, or other IP protocol. Do not use Any.
  - Source and Destination IP and MAC: All, Any.
  - If the protocol is TCP or UDP and the traffic direction is incoming, the destination ports must be one or more specified ports (not Any), and the source ports must be Any.
  - If the protocol is TCP or UDP and the traffic direction is outgoing, the source ports must be one or more specified ports (not Any), and the destination ports must be Any.
  - Schedule: None.
  For an example of how to create and use a bypass rule for trusted sources in a policy, see Allow trusted traffic to bypass the firewall.
- The rule can log only. This action makes entries in the logs but does not process traffic.
- The rule can force allow defined traffic (it allows traffic defined by this rule without excluding any other traffic).
- The rule can deny traffic (it denies traffic defined by this rule).
- The rule can allow traffic (it exclusively allows traffic defined by this rule).
If you do not have allow rules in effect on a computer, all traffic is permitted unless it is specifically blocked by a deny rule. Once you create a single allow rule, all other traffic is blocked unless it meets the requirements of the allow rule. There is one exception to this: ICMPv6 traffic is always permitted unless it is specifically blocked by a deny rule.
Select the Priority of the rule. The priority determines the order in which rules are applied. If you select force allow, deny, or bypass as your rule action, you can set a priority of 0 (low) to 4 (highest). Setting a priority allows you to combine the actions of rules to achieve a cascading rule effect.

Log only rules can only have a priority of 4, and Allow rules can only have a priority of 0.

High priority rules are applied before low priority rules. For example, a port 80 incoming deny rule with a priority of 3 drops a packet before a port 80 incoming force allow rule with a priority of 2 gets applied to it.

For details on how actions and priority work together, see Firewall rule actions and priorities.
Select a Packet Direction to define whether this rule is to be applied to incoming (from the network to the computer) or outgoing (from the computer to the network) traffic.

An individual firewall rule only applies to a single-direction of traffic. You may need to create incoming and outgoing firewall rules in pairs for specific types of traffic.
Select a User List—This determines which User List this rule applies to traffic. The traffic is filtered based on User Identity. You can use a previously created User List.

User Name is part of a controlled release and is in preview. The related content is subject to change.

There is a number of constraints and guidelines to consider when selecting the User List:
- The protocol must be set to TCP or UDP and the traffic direction must be outgoing.
- To avoid accidental blocking of critical traffic, you should first select the log only action and check the behavior and user identity match. After that you can change the action to allow or deny.
- To allow a user, the firewall rule converts outgoing access from permissive to restrictive firewall. Therefore, all users are blocked, except a specific user. For more information, see Restrictive or permissive firewall design.
- User identities are defined when a new policy is sent to Deep Security Agent. If the user information changes, the configuration must be resent to update the user identities.
- The User List is supported on Windows and Linux operating systems.
Select an Ethernet Frame Type. The term frame refers to Ethernet frames, and the available protocols specify the data that the frame carries. If you select Other as the frame type, you need to specify a frame number.

IP covers both IPv4 and IPv6. You can also select IPv4 or IPv6 individually.

On Solaris, agents only examine packets with an IP frame type, and Linux agents only examine packets with IP or ARP frame types. Packets with other frame types are allowed through.

If you select the IP frame type, you need to select the transport Protocol. If you select Other as the protocol, you also need to enter a protocol number.

Select a packet source and packet destination

Select a combination of IP and MAC addresses, and if available for the frame type, Port and Specific Flags for the Packet Source and Packet Destination.

You can use a previously created IP, MAC or port list.

Support for IP-based frame types is as follows:

	IP	MAC	Port	Flags
Any	✔	✔
ICMP	✔	✔		✔
ICMPV6	✔	✔		✔
IGMP	✔	✔
GGP	✔	✔
TCP	✔	✔	✔	✔
PUP	✔	✔
UDP	✔	✔	✔
IDP	✔	✔
ND	✔	✔
RAW	✔	✔
TCP+UDP	✔	✔	✔	✔

ARP and REVARP frame types only support using MAC addresses as packet sources and destinations.

You can select Any Flags or individually select the following flags:

URG
ACK
PSH
RST
SYN
FIN

Configure rule events and alerts

When a firewall rule is triggered, it logs an event in the Server & Workload Protection and records the packet data.

Rules using the Allow, Force Allow, and Bypass actions do not log any events.

Alerts

You can configure rules to also trigger an alert if they log an event. To do so, open the properties for a rule, click Options, and then select Alert when this rule logs an event.

Only firewall rules with an action set to Deny or Log Only can be configured to trigger an alert.

Set a schedule for the rule

Define if the firewall rule should only be active during a scheduled time.

For more information, see Define a schedule that you can apply to rules.

Assign a context to the rule

Rule contexts allow you to set firewall rules uniquely for different network environments. Contexts are commonly used to allow for different rules to be in effect for laptops when they are on and off-site.

For information on how to create a context, see Define contexts for use in policies.

For an example of a policy that implements firewall rules using contexts, look at the properties of the Windows Mobile Laptop policy.

View policies and computers to which a rule is assigned

You can see which policies and computers are assigned to a firewall rule through the Assigned To tab. Click on a policy or computer in the list to view their properties.

Export a rule

You can export all firewall rules to a .csv or .xml file by clicking Export and selecting the corresponding export action from the list. You can also export specific rules by first selecting them, clicking Export, and then selecting the corresponding export action from the list.

Delete a rule

To delete a rule, right-click the rule in the Firewall Rules list, click Delete, and then click OK.

Firewall rules that are assigned to one or more computers or that are part of a policy cannot be deleted.