The Firewall Menu

Firewall Overview - PowerPoint PPT Presentation

Firewall Overview

The GD eSeries appliance provides multiple pre-defined firewall components/sections, each of which you can configure independently to suit your network requirements. By default, each component is set to the highest level of security (deny), so as to provide maximum protection against internal and external threats.

Firewall Deny vs. Reject

There are two different ways to implement a block rule when creating firewall rules, REJECT or DENY:

REJECT: This will send an ICMP Port Unreachable packet for every requested connection or received packet.

DENY: This means the packet is discarded completely and no packet is sent back to the requesting machine.

Destination NAT (DNAT)

Destination NAT provides port forwarding capabilities, enabling access to internal resources from an external network (i.e. Internet). This is the most common use of the firewall, given that it is typically deployed as the gateway appliance between the Internet and the local network, protecting internal resources.

Troubleshooting Port Forwarding

There are two main reasons why port forwarding may not work:

• GateDefender is behind a NAT device. In this case there is a device, such as a router or another firewall, between the GD and the Internet which does not allow direct incoming connections. The solution is to configure port forwarding on that device as well, pointing to the RED IP of the Panda GateDefender Appliance.

• The destination host has the wrong default gateway. The host set as the destination of a port forwarding rule is configured with a default gateway address different from the GD address. Connections will reach the target host IP but, because of the incorrect default gateway, the host's replies will not be routed back through the appliance. The solution is to configure the host with the correct gateway.

Source NAT (SNAT)

Source NAT (SNAT) provides the ability to rewrite the source IP and/or port on outbound traffic to external networks. This is useful when one has multiple external IP addresses and needs certain traffic to appear to come from specific external IPs.

Note: By default all outbound Internet traffic will automatically Source NAT to the Primary IP on the Red (main uplink) interface. This is a default masquerading rule created in order to hide the internal, private IP addresses.
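The three behaviours described on the preceding slides (DNAT port forwarding, the default masquerading SNAT to the RED primary IP, and the port-forwarding failure caused by a destination host with the wrong default gateway) as an added Python model. This is not code from the presentation or from the GateDefender product; the addresses (203.0.113.10 as the RED IP, 192.168.1.0/24 as the GREEN zone), the port forward and the packets are constructed sample values, and the NatGateway class is a deliberate simplification of real connection tracking.

```python
"""Added example: a toy model of DNAT, masquerade SNAT and the wrong-gateway
reply path. Everything here (topology, addresses, class names) is constructed
for illustration and is not the appliance's implementation."""

from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Constructed sample topology (assumption, not from the slides).
RED_IP = "203.0.113.10"                   # primary IP on the RED (uplink) interface
GREEN_IP = "192.168.1.1"                  # GD's own address inside the GREEN zone
GREEN_NET = ip_network("192.168.1.0/24")  # GREEN zone, private addresses


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatGateway:
    def __init__(self, red_ip, green_ip, green_net):
        self.red_ip, self.green_ip, self.green_net = red_ip, green_ip, green_net
        self.dnat_rules = {}   # external port -> (internal_ip, internal_port)
        # conntrack: (src, sport, dst, dport) as seen arriving at the GD
        #            -> (field_to_rewrite, ip, port) that restores the original
        self.conntrack = {}

    def add_port_forward(self, external_port, internal_ip, internal_port):
        self.dnat_rules[external_port] = (internal_ip, internal_port)

    def from_internet(self, pkt):
        """Packet arriving on RED: un-SNAT a known reply, DNAT a forwarded
        port, otherwise drop (the default policy is deny)."""
        if pkt.dst != self.red_ip:
            return None
        entry = self.conntrack.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if entry is not None:                       # reply to a masqueraded flow
            _, ip, port = entry
            return replace(pkt, dst=ip, dport=port)
        target = self.dnat_rules.get(pkt.dport)
        if target is None:
            return None                              # no rule: silently denied
        out = replace(pkt, dst=target[0], dport=target[1])
        # remember how to rewrite the internal host's reply back to RED_IP:port
        self.conntrack[(out.dst, out.dport, out.src, out.sport)] = ("src", self.red_ip, pkt.dport)
        return out

    def from_green(self, pkt):
        """Packet from GREEN reaching the GD: un-DNAT a reply to a forwarded
        connection, or masquerade a new outbound flow behind the RED IP."""
        entry = self.conntrack.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if entry is not None:                       # reply to a forwarded connection
            _, ip, port = entry
            return replace(pkt, src=ip, sport=port)
        if ip_address(pkt.src) not in self.green_net:
            return None
        out = replace(pkt, src=self.red_ip)         # default masquerading rule
        self.conntrack[(pkt.dst, pkt.dport, out.src, out.sport)] = ("dst", pkt.src, pkt.sport)
        return out


def host_reply(host_gateway, gd, request):
    """The forwarded host answers via its own default gateway. Only when that
    gateway is the GD does the reply pass the appliance and get un-DNATed;
    otherwise it leaves via another router with its private source intact."""
    reply = Packet(src=request.dst, sport=request.dport, dst=request.src, dport=request.sport)
    if host_gateway == gd.green_ip:
        return gd.from_green(reply)
    return reply


def demo():
    gd = NatGateway(RED_IP, GREEN_IP, GREEN_NET)
    gd.add_port_forward(443, "192.168.1.20", 8443)        # constructed port forward
    client = Packet("198.51.100.7", 51000, RED_IP, 443)   # constructed Internet client
    inside = gd.from_internet(client)
    good = host_reply(GREEN_IP, gd, inside)               # correct default gateway
    bad = host_reply("192.168.1.254", gd, inside)         # wrong default gateway
    dropped = gd.from_internet(Packet("198.51.100.7", 51001, RED_IP, 22))
    out = gd.from_green(Packet("192.168.1.30", 40000, "198.51.100.80", 80))
    back = gd.from_internet(Packet("198.51.100.80", 80, RED_IP, 40000))
    return {"inside": inside, "good": good, "bad": bad,
            "dropped": dropped, "out": out, "back": back}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:8s} {pkt}")
```

In the "bad" case the client receives a packet sourced from 192.168.1.20:8443, an address it never contacted, so its TCP stack discards it and the connection appears to hang; that is the symptom the slide attributes to a wrong default gateway.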

Incoming Routed Firewall

The Incoming Routed firewall provides the ability to redirect incoming traffic destined for the GD eSeries external interface to an internal network or zone. This can be used to route a public, external network through the GD eSeries without having to NAT the traffic.

Since the Incoming Routed feature does not use NAT, your public (external) network will live on your hosted devices – thus every internal device will use a public network IP (and not a private IP).

Example: You wish to route the public network 1.1.1.0/24 to your Orange zone (interface). Every device inside the Orange zone will then directly be assigned an IP in the 1.1.1.0/24 network.

Outgoing Firewall

The Outgoing firewall provides the ability to filter outbound traffic originating from an internal, protected network. Using the outgoing firewall is highly recommended as it ensures that only traffic you explicitly approve is leaving your internal network(s). By default, the outgoing firewall is enabled with a limited set of protocols approved to leave specific network zones.

Warning: Always keep in mind that any traffic not explicitly allowed will be denied! You can also choose to disable the outgoing firewall so that all outbound traffic is passed by the GD eSeries.

These are the services and zones allowed access via the WAN (RED) interface by default:

GREEN: HTTP, HTTPS, FTP, SMTP, POP, IMAP, POP3s, IMAPs, DNS and ping (ICMP)

BLUE: HTTP, HTTPS, DNS and ping (ICMP)

ORANGE: DNS and ping (ICMP)

Everything else is forbidden except for some system rules which allow access to the services in the Panda Perimetral Management Console. The system rules are defined even if the corresponding zones are not enabled.

Please remember that the order of rules is important: the first matching rule decides whether a packet is allowed or denied, regardless of how many matching rules follow. The order of the rules can be changed by using the up and down arrow icons next to each rule.
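The first-match rule evaluation described above, as an added Python example that is not part of the presentation or of the GateDefender product. The zone names and the per-zone service lists are taken from the slide; the Rule representation, the port numbers (standard IANA assignments for the named services), the sample packets and the "appended versus moved to the top" comparison are constructed for this example.

```python
"""Added example: a first-match evaluator over the default outgoing policy,
showing that the first matching rule decides and later rules are ignored.
Rule format, ports and sample packets are constructed, not the appliance's."""

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    zone: str              # source zone (GREEN/BLUE/ORANGE) or "ANY"
    proto: str             # "tcp", "udp", "icmp" or "ANY"
    dport: Optional[int]   # destination port; None matches any port
    action: str            # "ALLOW", "DENY" (silent drop) or "REJECT" (ICMP unreachable)

    def matches(self, zone, proto, dport):
        return ((self.zone == "ANY" or self.zone == zone)
                and (self.proto == "ANY" or self.proto == proto)
                and (self.dport is None or self.dport == dport))


# Service name (as on the slide) -> list of (protocol, port) it covers.
SERVICES = {
    "HTTP": [("tcp", 80)], "HTTPS": [("tcp", 443)], "FTP": [("tcp", 21)],
    "SMTP": [("tcp", 25)], "POP": [("tcp", 110)], "IMAP": [("tcp", 143)],
    "POP3s": [("tcp", 995)], "IMAPs": [("tcp", 993)],
    "DNS": [("udp", 53), ("tcp", 53)], "ping": [("icmp", None)],
}

# Default services allowed out of each zone, as listed on the slide.
DEFAULT_ZONE_SERVICES = {
    "GREEN": ["HTTP", "HTTPS", "FTP", "SMTP", "POP", "IMAP", "POP3s", "IMAPs", "DNS", "ping"],
    "BLUE": ["HTTP", "HTTPS", "DNS", "ping"],
    "ORANGE": ["DNS", "ping"],
}


def build_default_policy():
    """Expand the per-zone service lists into an ordered list of ALLOW rules."""
    rules = []
    for zone, names in DEFAULT_ZONE_SERVICES.items():
        for name in names:
            for proto, port in SERVICES[name]:
                rules.append(Rule(zone, proto, port, "ALLOW"))
    return rules


def evaluate(rules, zone, proto, dport=None):
    """Walk the rules top to bottom; the first match decides and the rest are
    never consulted. Returns (action, index_of_deciding_rule), or
    ("DENY", None) for the implicit default when nothing matches."""
    for i, rule in enumerate(rules):
        if rule.matches(zone, proto, dport):
            return rule.action, i
    return "DENY", None


def demo():
    base = build_default_policy()
    results = {
        "green_https": evaluate(base, "GREEN", "tcp", 443),   # allowed by default
        "orange_http": evaluate(base, "ORANGE", "tcp", 80),   # not listed: implicit deny
        "blue_ping": evaluate(base, "BLUE", "icmp"),
    }
    # An administrator adds a REJECT for HTTPS from GREEN but appends it at the
    # bottom: the earlier ALLOW still matches first, so the new rule has no effect.
    block = Rule("GREEN", "tcp", 443, "REJECT")
    results["block_appended"] = evaluate(base + [block], "GREEN", "tcp", 443)
    # Moved to the top (the up-arrow icon in the UI), it now decides.
    results["block_first"] = evaluate([block] + base, "GREEN", "tcp", 443)
    return results


if __name__ == "__main__":
    for name, (action, idx) in demo().items():
        print(f"{name:15s} -> {action} (rule {idx})")
```

A useful habit when reviewing such a policy is to run every intended block through an evaluator like this before and after the change: a block that reports the same index as an earlier ALLOW has been shadowed and needs to move up.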

Inter-Zone Firewall

The Inter-Zone firewall provides filtering capabilities between the internal network zones of GD eSeries. By default, these are configured based on the predefined security levels of each network zone (i.e. Green = most protected and Orange/Blue = less protected).

VPN Firewall

The VPN firewall allows you to explicitly filter VPN users' access to internal resources. By default, the VPN firewall is disabled and all VPN users are automatically allowed access to any internal resource, as if they were directly connected to the Green network. The rules themselves are relatively straightforward to build and have the same format as any other firewall rule.

Warning: The VPN firewall only applies to users connected through VPN. The Outgoing and Inter-zone firewalls do not apply to VPN users, so the only place to filter VPN users is within the VPN firewall.

System Access Firewall

The System firewall provides granular filtering capability over access to services running on the GD eSeries device directly (e.g. HTTPS console, SSH, DNS, etc). By default, no services are made available externally including all management services (via web & SSH) to eliminate direct outside access to the device.

More system access rules can be added by clicking on the “Add a new system access rule” link. The settings specific to this module of the firewall are:

Log packets: All packets that access or try to access the GD eSeries are logged when this checkbox is ticked. This option is useful for knowing who accessed – or tried to access – the system itself.

Source address: The MAC addresses of the incoming connection.

Source interface: The interface from which the system can be accessed.

NOTE: There is no Destination address, as this will match the IP address of the interface from which the access is granted or attempted.
