How Firewall Rule Enforcement Works

Configuring Firewall Rules

When configuring a firewall rule, you must define the action, logging options and the other components that make up the rule. Before you can configure the firewall rule, these components should already be configured so that they are available for selection during the configuration process. The firewall rule components are as follows:

Action — This is a required component that determines how the X family device manages packets when the firewall rule is matched. You can configure the firewall to Permit, Block, or perform web filtering on traffic that matches the firewall rule.

Services — When you configure a firewall rule, you must select the service or service group to which it will be applied. The device provides predefined services which are applications known to the device such as HTTP, HTTPS, and DNS. You can also configure custom services to manage any IP protocol. For details on configuring services and service groups, see “Firewall Services” on page 75.

Source and Destination Address — All firewall rules must specify the source and destination addresses of the devices to which the firewall rule applies. This is specified using Security Zones. If necessary, you can limit the rule to apply to certain IP addresses within a security zone. For details on setting up Security Zones, see “Security Zone Configuration” on page 135.

IP Addresses — To limit the firewall rule to apply only to certain devices within a Security Zone, you can specify an IP address group, IP Subnet, or IP address range. For IP Address Group configuration details, see “IP Address Groups” on page 153. The default IP address setting for the source and destination zones is to apply the firewall rule to all IP addresses within the zone.

Schedules — Optionally, you can configure the firewall rule to only be applied during certain days and times using the Schedule component. For details on configuring schedules, see “Schedules” on page 79.

Logging Options — Determines whether the X family device creates a log entry when the firewall rule is triggered. For example, if local logging is enabled on a firewall rule that blocks traffic, the device generates an entry in the Firewall Block log. If remote logging is enabled, the device generates an entry and sends it to the Remote Syslog server or Syslog Server configured on the device. If logging is enabled on a firewall permit rule, the device generates a session start and a session end log entry in the Firewall Session Log. For details on the syslog servers, see “Configuring Remote System Logs” on page 105. When you create a firewall rule, logging is disabled by default.

Advanced Options

When creating or editing a firewall rule, you can configure advanced options to enable Bandwidth Management and User Authentication for the firewall rule:

Bandwidth Management — If this option is selected, you can define the guaranteed and maximum bandwidth available to sessions matching the rule, apply the guaranteed bandwidth on a per-session or per-rule basis, and set the priority of the bandwidth for a session.

User Authentication — If this option is selected, the rule will only be applied if the rule otherwise matches the selection (correct service and IP address, for example), and a local user with appropriate matching privileges has previously authenticated with the X family device. This authentication may be the result of logging in via the SSH or HTTPS interfaces, or by using a VPN client terminating on
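The following is an added example, written for this page and not code from the X family device or the LSM, that simulates how the components described above (source and destination Security Zones, optional IP address restriction, service, schedule, action and logging) and the User Authentication advanced option combine when a packet is evaluated. It assumes first-match rule ordering, a default block when no rule matches, standard port numbers for the HTTP/HTTPS/DNS services, and simplified log-entry strings; the page does not state these details, so they are assumptions, as are the zone names, addresses, users and rules, which are constructed sample data.

```python
"""Simulation of firewall-rule enforcement (added example; assumptions noted inline)."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Optional

# Predefined services named on the page. The protocol/port pairs are the
# standard ones (assumption), not values from the device's own service table.
SERVICES = {"HTTP": ("tcp", 80), "HTTPS": ("tcp", 443), "DNS": ("udp", 53)}


@dataclass
class Packet:
    src_zone: str      # Security Zone the packet arrived from
    dst_zone: str      # Security Zone it is heading to
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int


@dataclass
class Schedule:
    days: frozenset    # weekday numbers, Monday = 0
    start_hour: int    # inclusive
    end_hour: int      # exclusive

    def active(self, now: datetime) -> bool:
        return now.weekday() in self.days and self.start_hour <= now.hour < self.end_hour


@dataclass
class Rule:
    name: str
    action: str                          # "permit", "block" or "web-filter"
    services: tuple                      # keys of SERVICES (a service is required)
    src_zone: str
    dst_zone: str
    src_ips: tuple = ()                  # CIDR/host strings; empty = all IPs in zone (page default)
    dst_ips: tuple = ()
    schedule: Optional[Schedule] = None  # None = rule is always in effect
    logging: bool = False                # disabled by default, as on the page
    require_auth: bool = False           # Advanced option: User Authentication
    allowed_users: frozenset = frozenset()  # local users whose privileges satisfy the rule


def _ip_in(addr: str, nets: tuple) -> bool:
    """An empty restriction list means 'every address in the zone'."""
    return not nets or any(ip_address(addr) in ip_network(n, strict=False) for n in nets)


def rule_matches(rule: Rule, pkt: Packet, now: datetime, authenticated: frozenset) -> bool:
    """Every component must match; User Authentication is an extra precondition."""
    if (rule.src_zone, rule.dst_zone) != (pkt.src_zone, pkt.dst_zone):
        return False
    if not (_ip_in(pkt.src_ip, rule.src_ips) and _ip_in(pkt.dst_ip, rule.dst_ips)):
        return False
    if not any(SERVICES[s] == (pkt.proto, pkt.dst_port) for s in rule.services):
        return False
    if rule.schedule is not None and not rule.schedule.active(now):
        return False
    if rule.require_auth and not (set(authenticated) & rule.allowed_users):
        return False
    return True


def enforce(rules, pkt: Packet, now: datetime, authenticated=frozenset()):
    """Return (action, log_entries) for the first matching rule.

    Assumption: a packet matching no rule is blocked. The session end entry a
    permit rule would also write is emitted when the session closes, so only
    the session start entry is produced here."""
    for rule in rules:
        if rule_matches(rule, pkt, now, authenticated):
            log = []
            if rule.logging and rule.action == "block":
                log.append(f"Firewall Block log: {rule.name} {pkt.src_ip}->{pkt.dst_ip}:{pkt.dst_port}")
            elif rule.logging and rule.action == "permit":
                log.append(f"Firewall Session Log: session start {rule.name} {pkt.src_ip}->{pkt.dst_ip}:{pkt.dst_port}")
            return rule.action, log
    return "block", ["default block (assumed): no rule matched"]


# Constructed sample rule set, evaluated top to bottom (assumed first-match order).
RULES = (
    Rule("admin-https", "permit", ("HTTPS",), "LAN", "WAN", src_ips=("10.0.1.0/24",),
         logging=True, require_auth=True, allowed_users=frozenset({"alice"})),
    Rule("office-web", "permit", ("HTTP", "HTTPS"), "LAN", "WAN",
         schedule=Schedule(frozenset(range(5)), 8, 18)),   # Mon-Fri, 08:00-18:00
    Rule("dns-out", "permit", ("DNS",), "LAN", "WAN"),
    Rule("block-rest", "block", ("HTTP", "HTTPS", "DNS"), "LAN", "WAN", logging=True),
)

# Constructed sample times: 2024-01-01 is a Monday, 2024-01-06 a Saturday.
MONDAY_10 = datetime(2024, 1, 1, 10, 0)
SATURDAY_10 = datetime(2024, 1, 6, 10, 0)
SAMPLE_HTTPS = Packet("LAN", "WAN", "10.0.1.5", "203.0.113.10", "tcp", 443)

if __name__ == "__main__":
    print(enforce(RULES, SAMPLE_HTTPS, MONDAY_10))                 # office-web permits
    print(enforce(RULES, SAMPLE_HTTPS, SATURDAY_10))               # block-rest blocks, logged
    print(enforce(RULES, SAMPLE_HTTPS, MONDAY_10, {"alice"}))      # admin-https, session logged
```

The same HTTPS packet is permitted silently on a weekday by office-web, blocked and logged on a Saturday by the catch-all rule, and permitted by the earlier admin-https rule only once alice has authenticated; this is why rule order and the logging setting on each rule both matter when reviewing what the Firewall Block log and Firewall Session Log will show.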

X Family LSM User’s Guide V 2.5.1

71