Manuals / Casio / Computer Equipment / Network Router

Casio ISA550WBUN3K9 manual About Security Zones, Firewall

Models: ISA550WBUN3K9

1 479

Download 479 pages 49.64 Kb

Page 252

Firewall	6
Firewall
Configuring Firewall Rules to Control Inbound and Outbound Traffic

Configuring Firewall Rules to Control Inbound and Outbound Traffic

The zone-based firewall can permit or deny inbound or outbound traffic based on the zone, service, source and destination address, and schedule.

Refer to the following topics:

•Default Firewall Settings, page 254

•Priorities of Firewall Rules, page 255

•Preliminary Tasks for Configuring Firewall Rules, page 255

•General Firewall Settings, page 256

•Configuring a Firewall Rule, page 257

•Configuring a Firewall Rule to Allow Multicast Traffic, page 259

•Configuring Firewall Logging Settings, page 260

About Security Zones

A security zone is a group of interfaces to which a security policy can be applied to control traffic between zones. For ease of deployment, the Cisco ISA500 has several predefined zones with default security settings to protect your network. You can create additional zones as needed.

Each zone has an associated security level. The security level represents the level of trust, from low (0) to high (100). Default firewall rules are created for all predefined zones and your new zones, based on these security levels. For example, by default all traffic from the LAN zone (with a Trusted security level) to the WAN zone (with an Untrusted security level) is allowed but traffic from the WAN (Untrusted) zone to the LAN (Trusted) zone is blocked. You can create and modify firewall rules to specify the permit or block action for specified services, source and destination addresses, and schedules.

To learn more, see the Security Levels and Predefined Zones table.

Cisco ISA500 Series Integrated Security Appliances Administration Guide

252

Image 252

Casio ISA550WBUN3K9 manual About Security Zones, Firewall

Contents

Administration Guide Cisco Systems, Inc. All rights reserved 78-20776-03 Important Note FCC Radiation Exposure Statement For ISA550W and ISA570WIndustry Canada statement Canada Radiation Exposure Statement For ISA550W and ISA570WDéclaration dexposition aux radiations UL/CB Configuration Wizards Getting StartedUsing Remote Access VPN Wizard for SSL Remote Access Status Networking 115 Understanding Dscp Values 171 Wireless for ISA550W and ISA570W only 206 Vlan Setup 180 Wireless Setup 181 User AuthenticationVlan Setup 222 Wireless Setup 223 User Authentication Firewall 251Security Services 291 General Application Control Settings 314 VPN 333Client Mode 366 Network Extension Mode 367 User Management 388 Device Management 403Contents Appendix a Troubleshooting 453 Appendix D Where to Go From Here 479Getting Started Model Description Configuration IntroductionGetting Started ISA550WProduct Overview Front PanelFront Panel, Back Panel, POWER/SYS Light DescriptionVPN USBBack Panel SpeedLINK/ACT ISA550 and ISA550W Back PanelFeature Description ANT01/ANT02Getting Started with the Configuration Utility Reset ButtonPower Switch PowerLogging in to the Configuration Utility Navigating Through the Configuration Utility Number Component DescriptionUsing the Help System Configuration Utility IconsIcon Description Action Getting Started Factory Default Settings Default Settings of Key FeaturesRestoring the Factory Default Settings Performing Basic Configuration Tasks Changing the Default Administrator PasswordParameter Default Value Upgrading your Firmware After your First Login Click ContinueBacking Up Your Configuration Configuration Wizards Using the Setup Wizard for the Initial Configuration Configuration WizardsStarting the Setup Wizard Enabling Firmware Upgrade Validating Security License Enabling Bonjour and CDP Discovery ProtocolsConfiguring Remote Administration Configuring Physical Ports Configuring the Primary WAN Configuring the Secondary WANConfiguring WAN Redundancy Configuring Default LAN Settings Configuring DMZ Configuring DMZ Services Configuration Wizards Configuring Wireless Radio Settings WANWAN IP Configuring Intranet Wlan Access Configure Security Services Security ServicesViewing Configuration Summary Configuring a Configurable Port as a Secondary WAN Port Click Configuration Wizards Dual WAN WizardStarting the Dual WAN Wizard Configuring the Primary WAN Configuring Network Failure Detection Using the Remote Access VPN Wizard Using the Remote Access VPN Wizard for IPsec RemoteStarting the Remote Access VPN Wizard Configuring IPsec Remote Access Group PolicyClick Configuration Wizards Remote Access VPN Wizard Configuring WAN Settings Configuring Operation ModeConfiguring Access Control Settings Configuring DNS and Wins SettingsConfiguring Backup Servers Configuring Split TunnelingViewing Group Policy Summary Configuring IPsec Remote Access User Groups Viewing IPsec Remote Access SummaryUsing Remote Access VPN Wizard for SSL Remote Access Configuring SSL VPN GatewayClient Netmask Client Address Pool Configuring SSL VPN Group Policy Configuration Wizards Configuration Wizards Configuring SSL VPN User Groups Using the Site-to-Site VPN Wizard to Configure Site-to-Site Viewing SSL VPN SummaryConfiguring VPN Peer Settings Click Configuration Wizards Site-to-Site VPN WizardStarting the Site-to-Site VPN Wizard Configuring IKE Policies Configuring Transform Policies Configuring Local and Remote Networks Using the DMZ Wizard to Configure DMZ Settings Configuring Ddns ProfilesClick Configuration Wizards DMZ Wizard Starting the DMZ WizardConfiguring DMZ Network Configuration Wizards Configuring DMZ Services WAN Using the Wireless Wizard for ISA550W and ISA570W only Starting the Wireless WizardClick Configuration Wizards Wireless Wizard Configuring Wireless Connectivity Types Specify Wireless Connectivity Settings for All Enabled SSIDs Configuring the Ssid for Intranet Wlan AccessConfiguring Wireless Security, Configuring the Ssid for Guest Wlan Access Configuration Wizards Configuration Wizards Configuration Wizards Device Status Dashboard Status DashboardField Description System InformationStatus Resource UtilizationLicenses Syslog SummaryRemote Access VPN Routing ModeSite-to-Site VPN Physical PortsField Network Status Status SummaryStatus Summary EthernetVlan Pvid Vlan DMZTraffic Statistics Traffic StatisticsUsage Reports Status WAN Bandwidth Reports ARP Table Dhcp BindingsARP Table Dhcp BindingsSTP Status STP Status Global StatusInterface Status Table Status CDP Neighbor Wireless Status for ISA550W and ISA570W only Wireless StatusWireless Status, Client Status, NAT Status Client StatusNAT Status VPN Status IPsec VPN StatusIPsec VPN Status, SSL VPN Status, VPN Status IPsec VPN StatusStatistics SSL VPN Status Teleworker VPN ClientVPN Status SSL VPN Status SSL VPN Statistics Active User Sessions Active User SessionsSecurity Services Reports Web Security ReportAnti-Virus Report Email Security Report Network Reputation Report IPS Report Application Control Report System Status ProcessesProcesses, Resource Utilization, System Status ProcessesResource Utilization System Status Resource UtilizationCPU Utilization Memory UtilizationStatus Networking Configuring IPv4 or IPv6 Routing Viewing Network StatusManaging Ports NetworkingViewing Status of Physical Interfaces Configuring Physical Ports Configuring Port Mirroring Configuring Port-Based 802.1x Access Control Networking Configuring the WAN Configuring WAN Settings for Your Internet ConnectionRelease or renew a Dhcp WAN connection, Configure the primary WAN Networking Configure a secondary WAN Network Addressing ModeNetwork Addressing Configuration Mode Dhcp ClientStatic IP PPPoE ISPPptp L2TP Dual WAN Settings Networking Configuring Link Failover Detection Networking Configuring Dynamic DNS Ddns Services TableAdding or modifying a Ddns service Measuring and Limiting Traffic with the Traffic Meter Networking Configuring a Vlan Networking Networking Networking Configuring DMZ About DMZ networksExample DMZ with One Public IP Address for WAN and DMZ Configuring a DMZ Example DMZ with Two Public IP AddressesNetworking Networking Configuring Zones Security Levels for ZonesConfiguring Zones Predefined ZonesServices Configuring Dhcp Reserved IPs Configuring RoutingConfiguring Routing Mode Viewing the Routing TableConfiguring Static Routing Configuring Dynamic Routing RIP Configuring Policy-Based Routing Networking Configuring Quality of Service General QoS SettingsClick Networking QoS General Settings Configuring WAN QoS Managing WAN Bandwidth for Upstream TrafficClick Networking QoS WAN QoS Bandwidth Configuring WAN Queue Settings Configuring Traffic Selectors Click Networking QoS WAN QoS Queue SettingsNetworking Configuring WAN QoS Policy Profiles Configuring WAN QoS Class RulesClick Networking QoS WAN QoS QoS Policy Profile Mapping WAN QoS Policy Profiles to WAN Interfaces WAN QoS Configuration Example WAN1 WAN1IPConfigure WAN QoS for Voice Traffic from LAN to WAN Class NameSource Address Policy NameConfiguring WAN QoS for Voice Traffic from WAN to LAN QoS Class RuleQoS Class Rules Configuring LAN QoS Configuring LAN Queue Settings Configuring LAN QoS Classification MethodsClick Networking QoS LAN QoS Queue Settings Click Networking QoS LAN QoS Classification MethodsMapping CoS to LAN Queue Mapping Dscp to LAN QueueLAN Queue CoS Value Click Networking QoS LAN QoS Mapping CoS to QueueConfiguring Wireless QoS Configuring Default CoSDefault Wireless QoS Settings 802.1p Priority 802.11e PriorityConfiguring Wireless QoS Classification Methods Click Networking QoS Wireless QoS Classification MethodsIeee 802.11e to 802.1p Mapping 802.11e Priority 802.1p PriorityMapping CoS to Wireless Queue Mapping Dscp to Wireless QueueUnderstanding Dscp Values Dscp Value Decimal Value MeaningConfiguring Igmp 011100 Click Networking IgmpConfiguring Vrrp Click Networking VrrpNetworking Configuring Addresses Configuring Addresses, Configuring Address Groups,Address Management Click Networking Address ManagementConfiguring Address Groups Service Management Configuring ServicesConfiguring Services, Configuring Service Groups, Click Networking Service ManagementConfiguring Service Groups Configuring Captive Portal RequirementsVlan Setup Before You BeginConfiguring a Captive Portal Wireless SetupUser Authentication Networking Networking Networking Troubleshooting Using External Web-Hosted CGI Scripts Networking Networking Networking Networking Networking Networking Networking Networking CGI Source Code Example No Authentication and Accept Button Networking Networking Networking Networking Networking If result == 2 result == 5 //document.form1.UserName.focus Networking Networking Related Information SupportDocumentation Cisco Small BusinessCisco Small Business Home Wireless for ISA550W and ISA570W only Viewing Wireless Status Viewing Wireless StatisticsWireless for ISA550W and ISA570W only Wireless Wireless Status Wireless StatusConfiguring the Basic Settings Viewing Wireless Client StatusClick Wireless Basic Settings Wireless for ISA550W and ISA570W only Configuring Ssid Profiles Configuring Wireless Security Security Mode DescriptionOpen WEP WPAWPA2 WPA + WPA2WPA/WPA2-Personal mixed Supports WPA/WPA2-Enterprise mixed SupportsWireless for ISA550W and ISA570W only Wireless for ISA550W and ISA570W only Wireless for ISA550W and ISA570W only Controlling Wireless Access Based on MAC Addresses Configuring Ssid Schedule Mapping the Ssid to VlanConfiguring Wi-Fi Protected Setup Click Wireless Wi-Fi Protected SetupWireless for ISA550W and ISA570W only Configuring Captive Portal Requirements Configuring a Captive Portal Wireless for ISA550W and ISA570W only Wireless for ISA550W and ISA570W only Wireless for ISA550W and ISA570W only Troubleshooting Using External Web-Hosted CGI Scripts Wireless for ISA550W and ISA570W only Wireless for ISA550W and ISA570W only Wireless for ISA550W and ISA570W only Wireless for ISA550W and ISA570W only Wireless for ISA550W and ISA570W only Wireless for ISA550W and ISA570W only Wireless for ISA550W and ISA570W only Wireless for ISA550W and ISA570W only CGI Source Code Example No Authentication and Accept Button Wireless for ISA550W and ISA570W only Wireless for ISA550W and ISA570W only Wireless for ISA550W and ISA570W only Wireless for ISA550W and ISA570W only Wireless for ISA550W and ISA570W only If result == 2 result == 5 //document.form1.UserName.focus Wireless for ISA550W and ISA570W only Wireless for ISA550W and ISA570W only Related Information Configuring Wireless Rogue AP Detection Click Wireless Rogue AP DetectionAdvanced Radio Settings Click Wireless Advanced SettingsWireless for ISA550W and ISA570W only Wireless for ISA550W and ISA570W only Firewall About Security Zones FirewallSecurity Levels and Predefined Zones Description Default Firewall Settings Click Firewall Access Control Default PoliciesPreliminary Tasks for Configuring Firewall Rules Priorities of Firewall RulesGeneral Firewall Settings Click Firewall Access Control ACL RulesConfiguring a Firewall Rule Configuration Examples,Firewall Configuring a Firewall Rule to Allow Multicast Traffic MAC Address Filtering to Permit or Block Traffic,Configuring Firewall Logging Settings Configuring NAT Rules to Securely Access a Remote Network Viewing NAT Translation Status Firewall NAT NAT StatusPriorities of NAT Rules Inbound TrafficOutbound Traffic Configuring Dynamic PAT Rules Click Firewall NAT Dynamic PATConfiguring Static NAT Rules Click Firewall NAT Static NATConfiguring Port Forwarding Rules Click Firewall NAT Port ForwardingFirewall Configuring Port Triggering Rules Click Firewall NAT Port TriggeringConfiguring Advanced NAT Rules Click Firewall NAT Advanced NATConfiguring IP Alias for Advanced NAT rules As Any HttpConfiguring an Advanced NAT Rule to Support NAT Hairpinning From AnyDefault DefaultnetworkFTP-CONTROL WAN WAN1 WAN IP WAN1IPFirewall and NAT Rule Configuration Examples Allowing Inbound Traffic Using the WAN IP AddressEnable Port Forwarding Translated IP InternalFTPANY Allowing Inbound Traffic Using a Public IP Address RDPTranslated IP RDPServer WAN WAN1 WAN IPAddress Original Destination PublicIP Original Services Name NetmaskPort ZoneEnable Port Forwarding Create Firewall Rule Off CU-SEEMETranslated IP InternalIP Blocking Outbound Traffic by Schedule and IP Address Range Blocking Outbound Traffic to an Offsite Mail ServerSchedule Configuring Content Filtering to Control Internet Access Configuring Content Filtering Policy ProfilesClick Firewall Content Filtering Content Filtering Policies Configuring Website Access Control List Mapping Content Filtering Policy Profiles to Zones Click Firewall Content Filtering Policy to Zone MappingConfiguring Advanced Content Filtering Settings Click Firewall Content Filtering Advanced SettingsConfiguring MAC Address Filtering to Permit or Block Traffic Click Firewall MAC Filtering MAC Address FilteringConfiguring IP-MAC Binding to Prevent Spoofing Click Firewall MAC Filtering IP MAC Binding RulesConfiguring Attack Protection Click Firewall Attack ProtectionConfiguring Session Limits Click Firewall Session LimitsConfiguring Application Level Gateway Click Firewall Application Level GatewayFirewall Security Services About Security Services IPSActivating Security Services Priority of Security ServicesSecurity Services Dashboard Click Security Services DashboardViewing Security Services Reports Viewing Web Security Report Viewing IPS Report, Viewing Application Control Report,Viewing Anti-Virus Report Viewing Email Security Report Viewing Network Reputation Report System DateTotal Since Activated Total Last 7 DaysViewing IPS Report Total TodayGraph Viewing Application Control Report Configuring Anti-Virus General Anti-Virus Settings Click Security Services Anti-Virus General SettingsProtocol Action Notify + Drop Connection Drop the connectionHttp Notification, FTPNetbios Notification,Cifs Configuring Advanced Anti-Virus Settings Click Security Services Anti-Virus Advanced SettingsConfiguring Http Notification Configuring Email NotificationClick Security Services Anti-Virus Http Notification Click Security Services Anti-Virus Email NotificationUpdating Anti-Virus Signatures Configuring Application Control Updating Application Signature Database,Configuring Application Control Policies General Application Control Policy SettingsImportant Tips Adding an Application Control Policy Security Services Permitting or Blocking Traffic for an Application General Application Control Settings Enabling Application Control Service Mapping Application Control Policies to ZonesConfiguring Application Control Policy Mapping Rules Updating Application Signature Database Advanced Application Control Settings Click Update DatabaseConfiguring Spam Filter Click Security Services Spam FilterSecurity Services Configuring Intrusion Prevention Security Services Configuring Signature Actions Updating IPS Signature Database Configuring Web Reputation Filtering Click Security Services Web Reputation Filtering Configuring Web URL Filtering Configuring Web URL Filtering Policy Profiles Click Security Services Web URL Filtering Policy ProfileConfiguring Website Access Control List Configuring Advanced Web URL Filtering Settings Click Security Services Web URL Filtering Advanced SettingsMapping Web URL Filtering Policy Profiles to Zones Security Services Network Reputation VPN About VPNs Viewing VPN Status Viewing IPsec VPN StatusViewing IPsec VPN Status, Viewing SSL VPN Status, VPN VPN Status IPsec VPN StatusField Description Viewing SSL VPN Status VPN VPN Status SSL VPN StatusSSL VPN Statistics VPN Configuring a Site-to-Site VPN Site-to-Site VPNConfiguration Tasks to Establish a Site-to-Site VPN Tunnel General Site-to-Site VPN SettingsClick VPN Site-to-Site IPsec Policies VPN Configuring IPsec VPN Policies VPN VPN VPN 283058 VPN Click VPN Site-to-Site IKE Policies VPN Configuring Transform Sets Click VPN Site-to-Site Transform PoliciesRemote Teleworker Configuration Examples Field SettingRemote Network IKE PolicyName Enable From TransformDestination Address Translated Services Address TranslatedConfiguring IPsec Remote Access Cisco VPN Client Compatibility Then choose Cisco VPN ClientEnabling IPsec Remote Access Configuring IPsec Remote Access Group PoliciesClick VPN IPsec Remote Access VPN VPN Allowing IPsec Remote VPN Clients to Access the Internet IKE AuthenticationGroup Name WAN InterfaceMode Client Pool Range for Client Start IP Client Internet Disable Access WAN FailoverName VPNClienttoWAN1 Enable From Any LANName VPNClienttoWAN2 Enable From Any WAN2WAN2IP Configuring Teleworker VPN Client Translated Any Destination Address Translated ServicesRequired IPsec VPN Servers Transform SetBenefits of the Teleworker VPN Client Feature Modes of OperationClient Mode, Client Mode Network Extension Mode,Network Extension Mode IPsec VPN Network Extension ConnectionGeneral Teleworker VPN Client Settings Click VPN Teleworker VPN ClientConfiguring Teleworker VPN Client Group Policies VPN VPN Configuring SSL VPN SSL Remote User Access Elements of the SSL VPNConfiguration Tasks to Establish a SSL VPN Tunnel Installing Cisco AnyConnect Secure Mobility Client Importing Certificates for User Authentication Configuring SSL VPN UsersConfiguring SSL VPN Gateway Click VPN SSL Remote User Access SSL VPN ConfigurationClient Netmask Client Address Pool VPN Configuring SSL VPN Group Policies Click VPN SSL Remote User Access SSL VPN Group PoliciesVPN VPN Accessing SSL VPN Portal Allowing SSL VPN Clients to Access the InternetEnable From Any Name SSLVPNtoWAN1 Enable From AnyAddress Original Destination Any Original Services SslvpnaddresspoolName SSLVPNtoWAN2 Enable From Any Configuring L2TP Server Click VPN L2TP ServerService Configuring VPN Passthrough Click VPN VPN PassthroughViewing Active User Sessions Users Active User SessionsConfiguring Users and User Groups Default User and User GroupAvailable Services for User Groups User ManagementPreempt Administrators Configuring Local UsersClick Users Users and Groups Configuring Local User Groups User Management Configuring User Authentication Settings Using Local Database for User Authentication Using Radius Server for User AuthenticationClick Users User Authentication Local Database Settings Radius Server Settings Local Radius Server Settings Database Click Users User Authentication Using Ldap for User Authentication User Management Using Local Database and Ldap for Authentication Configuring Radius Servers Click Users Radius ServersUser Management Device Management Viewing System Status Viewing Process StatusViewing Resource Utilization Administration Configuring Administrator Settings Example https//209.165.201.18080 Configuring Email Alert Settings Click Device Management Administration Email Alert Event Description CPU Overload AlertNew Firmware Alert Your Firmware from Cisco.com,Settings page. See Configuring Log Settings, Security License,Log Facilities, Check Site-to-Site VPN Up/Down Alert in the Enable column Up/Down AlertWAN Up/Down Alert Traffic Meter Alert Anti-Virus AlertSettings. See Configuring Application Control, IPS AlertConfiguring Snmp Click Device Management Administration SnmpBacking Up and Restoring a Configuration Click Device Management Backup/RestoreDevice Management Managing Certificates for Authentication Viewing Certificate Status and Details Click Device Management Certificate ManagementExporting Certificates to Your Local PC Certificate Type DetailsExporting Certificates to a USB Device Importing Certificates from Your Local PCImporting Certificates from a USB Device Generating New Certificate Signing RequestsImporting Signed Certificate for CSR from Your Local PC Configuring Cisco Services and Support Settings Configuring Cisco OnPlus Configuring Remote Support Settings Sending Contents for System DiagnosisConfiguring System Time Click Device Management Date and TimeConfiguring Device Properties Diagnostic UtilitiesClick Device Management Device Properties Ping, Traceroute, DNS Lookup, Packet Capture,Click Device Management Diagnostic Utilities Ping Click Device Management Diagnostic Utilities TraceroutePing TracerouteDevice Discovery Protocols DNS LookupPacket Capture UPnP Discovery, Bonjour Discovery, CDP Discovery,UPnP Discovery Lldp Discovery,Click Device Management Discovery Protocols UPnP Bonjour Discovery CDP DiscoveryClick Device Management Discovery Protocols Bonjour Click Device Management Discovery Protocols CDPLldp Discovery Click Device Management Discovery Protocols LldpFirmware Management View the firmware status. See Viewing Firmware Information,Using the Secondary Firmware Firmware Version area, click Switch FirmwareViewing Firmware Information Click Device Management FirmwareUpgrading your Firmware from Cisco.com Upgrading Firmware from a PC or a USB Device Using Rescue Mode to Recover the System Firmware Auto Fall Back MechanismManaging Security License Checking Security License Status Click Device Management License ManagementInstalling or Renewing Security License Log Management Viewing LogsClick Device Management Logs View Logs Click Query Configuring Log Settings Click Device Management Logs Log SettingsSeverity Level Description Emergency levelCritical level Notification levelDevice Management Configuring Log Facilities Click Device Management Logs Logs FacilitiesRebooting and Resetting the Device Click Device Management Reboot/ResetReset Device area, click Reset to Factory Defaults Configuring Schedules Rebooting the Security ApplianceClick Device Management Schedules Device Management Device Management Device Management Internet Connection Recommended ActionsTroubleshooting Click Status DashboardRecommended Actions Click Networking WAN WAN Settings Enable the Daylight Saving Time Adjustment feature Date and TimeDate and Time Testing the LAN Path from Your PC to Your Security Appliance Pinging to Test LAN ConnectivityTesting the LAN Path from Your PC to a Remote Device Feature ISA550 ISA570Internal Power Supply Physical SpecificationsFeature Setting Remote AdministrationDevice Management Factory Default Settings SnmpCDP LldpUser Management User GroupsLocal Users User Authentication Methods NetworkingIPv4 or IPv6 Routing Network Addressing ModesPort-based Access Control WAN Redundancy Operation ModesVLANs Zones RoutingLAN QOS VrrpWireless Wi-Fi Protected Setup WPS Rogue AP DetectionCaptive Portal IKE PoliciesIPsec Remote Access SSL VPNSecurity Services Features SettingFirewall Content Filtering NATMAC Address Filtering IP MAC BindingReports Default Service Objects Service Name Protocol Port Description Start EndFTP-DATA TCP IKE UDP Rtelnet TCP Default Address Objects Address Name Type IP, IP/Netmask, or IP RangeProduct Resources SupportProduct Documentation Cisco Small Business