The Firewall Menu
The Firewall Menu • Firewall Overview
The GD eSeries appliance provides multiple pre-defined firewall components (sections), each of which you can configure independently to suit your network requirements. By default, each component is set to the highest security level (deny), so as to provide maximum protection against internal and external threats.
The Firewall Menu • Firewall Deny vs. Reject
There are two different ways to implement a block rule when creating firewall rules, REJECT or DENY:
• REJECT: sends an ICMP Port Unreachable packet back for every requested connection or received packet.
• DENY: the packet is discarded completely and no packet is sent back to the requesting machine.
The Firewall Menu • Destination NAT (DNAT)
Destination NAT provides port forwarding capabilities, enabling access to internal resources from an external network (e.g. the Internet). This is the most common use of the firewall, given that it is typically deployed as the gateway appliance between the Internet and the local network, protecting internal resources.
The Firewall Menu • Troubleshooting Port Forwarding
There are mainly two reasons why port forwarding may not work:
• GateDefender is behind a NAT device. In this case a device such as a router or another firewall sits between the GD and the Internet and does not allow direct incoming connections. The solution is to configure port forwarding on that device as well, towards the RED IP of the Panda GateDefender Appliance.
• The destination host has the wrong default gateway. The host set as the destination of a port forwarding rule is configured with a default gateway address different from the GD address. Connections are directed to the target host IP but, because of the incorrect default gateway, the host's reply packets are not routed back through the appliance. The solution is to configure the host with the correct gateway.
The Firewall Menu • Source NAT (SNAT)
Source NAT (SNAT) provides the ability to rewrite the source IP and/or port on outbound traffic to external networks. This can be useful when one has multiple external IP addresses and needs certain traffic to appear to come from specific external IPs.
Note: By default, all outbound Internet traffic is automatically Source NATed to the Primary IP on the Red (main uplink) interface. This is a default masquerading rule created in order to hide the internal, private IP addresses.
The Firewall Menu • Incoming Routed Firewall
The Incoming Routed firewall provides the ability to redirect incoming traffic destined for the GD eSeries external interface to an internal network or zone. This can be used to route a public, external network through the GD eSeries without having to NAT the traffic. Since the Incoming Routed feature does not use NAT, your public (external) network lives on your hosted devices: every internal device uses a public IP (not a private IP).
Example: You wish to route the public network 1.1.1.0/24 to your Orange zone (interface). Every device inside the Orange zone will then be assigned an IP directly in the 1.1.1.0/24 network.
The Firewall Menu • Outgoing Firewall
The Outgoing firewall provides the ability to filter outbound traffic originating from an internal, protected network. Using the outgoing firewall is highly recommended, as it ensures that only traffic you explicitly approve leaves your internal network(s). By default, the outgoing firewall is enabled with a limited set of protocols approved to leave specific network zones.
Warning: Always keep in mind that any traffic not explicitly allowed will be denied!
You can also choose to disable the outgoing firewall so that all outbound traffic is passed by the GD eSeries.
The Firewall Menu • Outgoing Firewall
These are the services and zones allowed access via the WAN (RED) interface by default:
• GREEN: HTTP, HTTPS, FTP, SMTP, POP, IMAP, POP3s, IMAPs, DNS and ping (ICMP)
• BLUE: HTTP, HTTPS, DNS and ping (ICMP)
• ORANGE: DNS and ping (ICMP)
Everything else is forbidden, except for some system rules which allow access to the services of the Panda Perimetral Management Console. The system rules are defined even if the corresponding zones are not enabled.
Please remember that the order of rules is important: the first matching rule decides whether a packet is allowed or denied, regardless of how many matching rules follow. The order of the rules can be changed using the up and down arrow icons next to each rule.
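As an added illustration (not GateDefender code) of the DENY vs. REJECT behaviour and of the first-match rule ordering described above, the following Python models a rule chain seeded with the default outgoing policy per zone; the service-to-port mapping, zone names and sample packets are assumptions constructed for the example.

```python
ANY = "*"  # wildcard for zone, protocol or port
# A rule is (src_zone, proto, dport, action) with action ALLOW, DENY or REJECT;
# a packet is (src_zone, proto, dport) with dport None for ICMP.

# Service-to-port mapping is an assumption (standard ports); DNS shown as UDP only.
SERVICE_PORTS = {
    "HTTP": ("tcp", 80), "HTTPS": ("tcp", 443), "FTP": ("tcp", 21),
    "SMTP": ("tcp", 25), "POP": ("tcp", 110), "IMAP": ("tcp", 143),
    "POP3s": ("tcp", 995), "IMAPs": ("tcp", 993), "DNS": ("udp", 53),
    "ping": ("icmp", None),
}
# Default outgoing policy per zone as listed on the slide.
DEFAULT_OUTGOING = {
    "GREEN": ["HTTP", "HTTPS", "FTP", "SMTP", "POP", "IMAP", "POP3s", "IMAPs", "DNS", "ping"],
    "BLUE": ["HTTP", "HTTPS", "DNS", "ping"],
    "ORANGE": ["DNS", "ping"],
}

def matches(rule, pkt):
    """A rule field matches when it is the wildcard or equals the packet field."""
    return all(r == ANY or r == p for r, p in zip(rule[:3], pkt))

def default_rules():
    """Default ALLOW rules per zone, followed by the catch-all DENY that ends the chain."""
    rules = []
    for zone, services in DEFAULT_OUTGOING.items():
        for svc in services:
            proto, port = SERVICE_PORTS[svc]
            rules.append((zone, proto, ANY if port is None else port, "ALLOW"))
    rules.append((ANY, ANY, ANY, "DENY"))  # anything not explicitly allowed is denied
    return rules

def evaluate(rules, pkt):
    """First matching rule decides; later matching rules are never consulted.
    REJECT answers with ICMP Port Unreachable (client fails fast, but learns a
    filter exists); DENY drops silently (client only sees a timeout)."""
    for rule in rules:
        if matches(rule, pkt):
            reply = "ICMP port unreachable" if rule[3] == "REJECT" else None
            return rule[3], reply
    return "DENY", None

if __name__ == "__main__":
    base = default_rules()
    # A REJECT rule placed before the BLUE HTTPS allow wins; the same rule placed
    # after the catch-all DENY never fires, so rule order changes the outcome.
    early = [("BLUE", "tcp", 443, "REJECT")] + base
    late = base + [("BLUE", "tcp", 443, "REJECT")]
    for name, ruleset in (("early", early), ("late", late)):
        print(name, evaluate(ruleset, ("BLUE", "tcp", 443)))
```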
The Firewall Menu • Inter-Zone Firewall
The Inter-Zone firewall provides filtering capabilities between the internal network zones of the GD eSeries. By default, these are configured based on the predefined security levels of each network zone (i.e. Green = most protected, Orange/Blue = less protected).
The Firewall Menu • VPN Firewall
The VPN firewall allows you to explicitly filter VPN users' access to internal resources. By default, the VPN firewall is disabled and all VPN users are automatically allowed access to any internal resource, as if they were directly connected to the Green network. The rules themselves are relatively straightforward to build and have the same format as any other firewall rule.
Warning: The VPN firewall only applies to users connected through VPN. The Outgoing and Inter-zone firewalls do not apply to VPN users, so the only place to filter VPN users is the VPN firewall.
The Firewall Menu • System Access Firewall
The System Access firewall provides granular filtering of access to services running directly on the GD eSeries device (e.g. HTTPS console, SSH, DNS, etc.). By default, no services are made available externally, including all management services (web and SSH), to eliminate direct outside access to the device. More system access rules can be added by clicking the "Add a new system access rule" link.
The settings specific to this module of the firewall are:
• Log packets: all packets that access or try to access the GD eSeries are logged when this checkbox is ticked. This option is useful to know who accessed, or tried to access, the system itself.
• Source address: the MAC addresses of the incoming connection.
• Source interface: the interface from which the system can be accessed.
NOTE: There is no Destination address, as this always matches the IP address of the interface on which the access is granted or attempted.