Firewall

Overview

Security firewall functionality is included with flexiWAN starting from the version 4.2.x. Built with SDWAN and SASE concepts in mind, to be deployed at scale with ease, firewall offers flexible controls to filter certain or all traffic per several different criterias, including Application Identifications, while covering the enterprise WAN NAT inbound rules/filter support like such as rules, port forwarding and 1:1 NAT.

flexiWAN security firewall combines three key components:

  • Policies - configure and deploy firewall configuration on multiple flexiEdge sites at once.
  • Device specific rules - configure site-specific firewall rules, even without policy however it can be combined with policy for additional filtering.
  • Traffic & App Identifications - Database with IP ranges of well known services and popular applications ports, with option to add your own identifications.

Features

  • Allow or deny traffic through firewall rules.
  • Firewall features Inbound and outbound rules.
  • Use firewall policies to configure and deploy firewall rules on mass scale.
  • Traffic & App Identifications support, use predefined or your own App Id’s with firewall rules.
  • Traffic tags - filter traffic per Traffic & App identification categories.
  • Port forwarding - access internal resources behind flexiEdge site.
  • 1:1 NAT - access internal servers behind flexiEdge site.
  • Edge Access - filter access to flexiEdge services such as SSH, flexiEdge UI etc.
  • firewall is stateless and ACL based

Warning

Inbound rules are blocked by default. In order to access the flexiEdge device from the WAN, an inbound rule for SSH has to be added

Firewall rules

In order to sucessfully plan and deploy firewall rules, this section covers the fundamentals of the firewall. Examples and use cases can be found in the later sections.

Before continuing, the following terminology is used in this section:

  • Firewall rule - define what traffic is filtered, whether allowed or blocked and its direction.
  • Outbound traffic - all outgoing traffic, traffic starting from LAN towards WAN.
  • Inbound traffic - all incoming traffic, traffic starting from WAN towards LAN or the edge self.
  • App / Destination - defines the destination of traffic using traditional any, IP, port and protocol as well as additional destinations using Traffic & App Identifications
  • Source - defines originating traffic, using IP/port/protocol or Traffic & App Identifications.
  • Traffic name - filter traffic using application identification. Eg. filter Facebook ranges or ports used by BGP.
  • Traffic tags - filter Traffic & App identification categories. Eg. filter traffic of high importance or remote access category etc.
  • Port forwarding - forward access to internal resources
  • 1:1 NAT - map external IP to internal resources, mapping all ports to the internal server IP.

Outbound rules

With outbound rules, users can block or allow outgoing traffic. By default, all outbound traffic is allowed. Through the use of source, destination and interface areas, traffic can be allowed or denied.

IP, port and protocol destination is selected by default, offering the following options:

  • Allow or deny traffic to a specific IP or range, protocol or a port. Can also be a single option, for eg. just specific port or port range.
  • IP address - define a specific address or range. Requires CIDR, for eg. 192.168.0.0/16 for the entire range or can be 192.168.30.25/32 for a specific IP.
  • Protocols - select TCP, UDP or both as protocol.
  • Ports range - Can be a specific port such as 8888 or can be range “8888-9999”

In the following example, outbound traffic from LAN interface to 9.9.9.9/32 will be blocked.

default outbound

Additional destinations are also available, starting with Traffic Tags, which when used for App / destination, offer a more granular traffic filtering using Category, Service class or Importance (all or a single tag can be used). View Traffic & App Identifications section within flexiManage to view all identifications, or add your own. In this example, Traffic Tags category remote access is used to allow LAN users to connect to external resources using SSH and similar services.

tags outbound 2

Using Traffic Name enables filtering external service ranges such as Facebook, Netflix or a specific application ports such as BGP, SMTP etc. Just as with Traffic Tags, view Traffic & App Identifications section within flexiManage to view all identifications or add your own. The example below shows using Traffic Names to reject LAN users to connect to Facebook.

tags outbound3

Finally, the last option is the use of Any as destination. This particular option is useful when allowing or denying LAN traffic to specific IP range or Traffic Name. In this example, all outgoing traffic using torrenting ports is rejected. Learn more about the source option in the next sections.

default any

When creating Outbound firewall rule, source marks the traffic originating from the LAN interfaces. By default Any is selected and most commonly used, however also included are the Custom IP/Port and Traffic Name. Both have identical function as described above. In the following example, a specific source LAN IP 172.4.0.100 will not be able to reach resources of the other tunnel connected sites as its denied 10.100.0.0/24 access (range used with flexiWAN tunnels).

flexiEdge access

Inbound rules

Using inbound firewall rules incoming traffic can be allowed. Notice there is no deny as by default all inbound traffic is blocked. There are several types of Inbound firewall rules. Starting with the default type when creating a new inbound firewall policy, flexiEdge access.

flexiEdge access firewall rules can filter incoming traffic to the flexiEdge itself. Allow or deny traffic to a certain port of the flexiEdge. This example shows how to allow SSH access to the edge.

flexiEdge access

Port Forward is another type of the inbound firewall rules. Users can define access to internal resources using external WAN IP. In the next example, traffic is port forwarded from WAN, port 8089, to the internal device on 172.4.0.20 and port 443.

port forward

When using port forwarding, it is possible to forward a specific port or a port range.

port range

The ports range section can also recognize commonly used service names and pick the correct port used automatically.

port service

Finally, the 1:1 NAT rule type allows users to map external IP to internal resource, forwarding all traffic on all ports to it. The following example maps all WAN IP traffic to an internal IP address 172.4.0.20.

flexiEdge access

Note

Port Forwarding and 1:1 NAT are only available with device specific firewall rules and not when using firewall policies. Learn more about it in the policies section.

When creating Inbound firewall rule, source is the traffic originating from outside the network (arriving to the flexiEdge). In this example, only traffic from 142.250.180.206/32 is allowed to access internal service via port forward 9000. It is recommended to leave source port range empty in this case.

flexiEdge access

Firewall policy

This section covers how to combine all above mentioned aspects of firewall rules and apply at mass scale to hundreds or thousands of flexiEdge sites. The purpuse of policies is to define a set of firewall rules, called Global rules, and then apply it to a single or multiple flexiEdge sites.

Port forwarding and 1:1 NAT rules types cannot be used with firewall policies. This is by design because configuring these types requires specifying the WAN IP’s which different for each site. Instead, port forwarding and 1:1 NAT can be added via device specific rules, however each flexiEdge site can have policy installed and use device specific rules such as port forwarding or 1:1 NAT rules.

To configure firewall policies, navigate to Security > Firewall section from the flexiManage sidebar. Firewall policies page uses the familiar feel and concept of Path Selection, which handles application based routing. By default there are no policies so create a new one by clicking on “New Firewall Policy” button.

Shown in this example is a default policy to be deployed on all sites. Inbound rules allowing SSH and flexiEdge UI access to the flexiEdge device itself while blocking LAN users from reaching Facebook, Netflix and Bittorrent. Once a policy is configured, click “Save Policy”.

policy default

Each firewall policy can be previewed easily directly from the Security > Firewall page simply by clicking on it.

policy page

Installing firewall policies

Firewall policy can be installed on a single or multiple flexiEdge devices. To install a firewall policy, simply navigate to the Devices page and click on the Actions menu. From the Actions drop down menu, click on Install policy and then select Firewall. Finally select the policy you wish to install. Notice that the same policy drop down will also show Path Selection, having both firewall and Path Selection policies installed at the same time is supported.

policy install

Priority

Security firewall functionality supports rule priority, where order of the rules is respected. Rules priority is processed from the top to down, where top rules have higher priorities than the lower ones. The following example shows the bottom rule LAN segment 172.4.0.0/24 denies access to the remote site, however a top rule superseedes and allowes specific IP from the same subnet allowing access to remote site. Rules can be dragged and dropped or selected and then moved with buttons.

rules order

Device specific rules

While firewall policies are used to deploy predefined rules on a large scale, each device can have its own device specific firewall rules. flexiEdge site can have device specific rules without an installed policy, however combining policies with device specific rules is supported and recommended.

Device specific firewall rules can be found by navigating to device settings and clicking on the Firewall tab. By default device specific rules must be enabled manually, however adding a rule will automatically enable the device specific rules. It’s also possible to disable device specific rules while still keeping the Global rules.

In the following example there is a policy installed allowing SSH and flexiEdge access, blocking specific services access and a site specific rule for port forwarding. Site specific rules have rule actions while rules installed via policy, called Global rules, cannot be altered from this section.

device specific rules

Traffic & App Identifications

This explains how to Traffic & App identifications with firewall rules. First introduced as App Identification for Path Selection, this functionality provides the capability to identify network applications based on IP and Ports. The Traffic & App identifications documentation pages cover the concept in great detail, while this section covers the firewall related configuration and usage.

All of the imported identifications can be used with firewall through the use of Traffic Tags and Traffic Names.

  • Traffic Name matches App identifications IP ranges of popular services such as Facebook or Netflix. Also included identifications are commonly used applications and their ports, or a user defined port range.
  • Traffic Tags are used for filtering traffic per three identification sections: Category, Service Class or Importance.
  • Both Traffic Names and Tags support user added identifications.

Navigate to Inventory > Traffic & App Identifications to view all available App ID’s or add new ones.

identifications

Using Traffic Tags and Traffic names with firewall rules is already explained in the previous sections so in this section the focus is on explaining and the benefits of defining your own identifications. Users can define IP ranges and ports as identifications in order to use them with firewall rules. With user defined identification containing multiple IP ranges and ports, a single rule can be configured to match its traffic, making the configuration easier and quicker.

This two step example shows a user defined identification with all company ranges defined used with port forwarding firewall rule, in order to limit access only to the company IP ranges.

In the first step, navigate to Traffic & App Identifications and create a new identification containing company IP ranges.

identifications

For the second step create a device specific port forwarding rule and select the newly created company ranges identification in the source.

identifications

Firewall examples and use cases

  1. Using firewall policy and device specific rules
  2. Isolating LAN networks
  3. Egress filtering

Using firewall policy and device specific rules

As every site has specific number of interfaces, different WAN and public IP’s, combining firewall policy with device specific rules is recommended approach. Global rules are specific to company-wide filtering and policies (like blocking access to some websites or allowing specific traffic), while using the device specific rules handles local port forwarding or 1:1 NAT.

The following example demonstrates the purpuse of using a firewall policy to deploy predefined rules set to multiple flexiEdge sites and then configure access for each site. The following will be configured:

  1. A firewall policy following company policies on blocking access to social media, videos, VPN’s, remote access and torrents, while allowing ssh to the flexiEdge itself.
  2. A device specific policy using port forwarding to internal resources but only allow access from company IP ranges.

Navigate to Security > Firewall and create a new policy with the following configuration.

example 1

For the purpuse of this example it’s assumed that the policy was created and installed on several flexiEdge sites. Next step is to add device specific rules. Navigate to device settings and click on Firewall tab. Add a port forward to internal resource behind LAN and click update device. That’s it!

example 2

Isolating LAN interfaces

flexiWAN supports multiple LAN segments which may be wired or combination of wired and WiFi interfaces. This example shows a common security practice, isolating and preventing users connected to the WiFi from accessing internal LAN segments.

Topology:

  • LAN - wired interface - 172.2.0.0/24
  • WiFi - wireless interface - 172.3.0.0/24

For this example, navigate to the device settings and click on Firewall tab. Create a new firewall rule and select custom IP as a destination. Enter LAN IP range, in this case 172.2.0.0/24 and select all protocols, ICMP, TCP and UDP. Select WiFi under interfaces, in this case wlp5s0 - 172.3.0.10 and finally set deny under action.

example 2

That’s it, this rule will prevent users on WiFi from accesing LAN.

Egress filtering

This filtering type is more hardened network apprach commonly used for limiting outgoing traffic and only allowing specific ports and ranges. With flexiWAN, configuring egress filtering is a simple task.

To achieve egress filtering, the following steps are required:

  1. Create a new Traffic Identification with allowed ports for outgoing traffic.
  2. Create a policy and create outbound rules using Traffic ID containing ports.
  3. Optional step, for even more hardened security, add another Traffic Identification with company IP ranges. However, in this case users will not be able to reach any other websites or services outside the specified range.

When above steps are combined with firewall rules, the result is outgoing traffic is allowed only when using specific ports and optionally, only to company ranges.

First step is to create a new App ID with allowed ports for outgoing traffic. Navigate to Traffic & App Identification and click on “New App Identification”. Enter the following ports by clicking on the + sign.

  • 443
  • 80
  • 587
  • 465
  • 110
  • 995
  • 26
  • 53
  • 853
  • 143

The above ports will allow commonly used ports for internet browsing and secure email communication while blocking all other ports that may be used for spam, malicious traffic etc.

example 0

Optionally, add also allowed external IP ranges App ID. While this adds greater security, it also prevents the LAN clients from communicating with other internet ranges or services.

example 0

Finally, navigate to Security > Firewall and create a new policy. Add the following rules:

  • Deny any destination to any source
  • a rule allowing Traffic Name destination “Egress_ports” with any source
  • optionally, Traffic Tags destination “Company_ranges” with any source

Then make sure to drag the rules priority according to the following screenshot. Please note that rules can be only dragged from the Destination column.

example 0

That’s it, all outgoing traffic will now be allowed only to specific outgoing ports and to specific IP addresses. To be able to access internet through allowed ports, simply remove or disable the company ranges rule in this policy.