Rules

Each firewall policy contains a set of rules, and the rules establish the logic of the firewall policy. Rules are added to a policy in sequential order, the only exception being syslog and NetFlow rules: these two rule types have an optional position indicator that places the rule at the top or bottom of the rule chain. A rule's action can be one of the following: Accept, Reject, Port Forward, NetFlow Log, Syslog Log, Exclude, or Related/Established. The Related/Established action allows the Customer Account Administrator to set up firewall rules so that responses to traffic initiated by the VLAN are allowed, but unsolicited traffic to the VLAN is not.

Rules allow traffic to be classified by the following:

  • Protocol
  • Adapter (Internet, Local, Tunnel or ALL)
  • Direction (Inbound/Outbound/Outbound Traffic Forward (‘T’)/Inbound Traffic Forward (‘Z’)/Both)
  • Source/Destination IP Address and Mask -OR- VLAN ID -OR- MAC Address
  • Source/Destination Port Range
  • Forwarding Address/Port
  • SYN Allowed
  • ICMP type
  • DSCP bits (Class of Service markings)
  • Syslog or NetFlow Logging specified on an Accept/Reject type rule
  • Custom Syslog logging rule label, sent via remote syslog

The Outbound Traffic Forward direction allows rules that apply only to traffic flowing THROUGH the VPN Gateway from the LAN towards the Internet/VPN interfaces, and NOT to traffic originating on the VPN Gateway itself (for example, you can block FTP traffic from LAN devices to the Internet without preventing the VPN Gateway itself from using FTP for code updates). This also allows control of HTTPS traffic that cannot be configured through simple Web URL Filter rules. (The traffic forward rule is different from the existing forward rule, which is used to define port forwarding rules.)

The Inbound Traffic Forward direction is the opposite of Outbound Traffic Forward: it references traffic flowing from the Internet/VPN interfaces towards the LAN. This rule type is specifically needed to permit traffic in from the Internet towards a No-NAT VLAN.

Normally, when an Inbound or Outbound rule is in use, a corresponding rule is also created in the FORWARD chain. The Customer Account Administrator can bypass this logic, which prevents the corresponding rule from being created in the FORWARD chain.

Firewall rules can be assigned to source or destination VLAN IDs (instead of source and destination IP Addresses) in the AT&T Administration Server and assigned to all VPN Gateway devices using that VLAN ID in an AT&T Administration Server Account or Model.

Firewall connection tracking information is logged on the VPN Gateway, and the firewall rule status is displayed on the Advanced Information page of the VPN Gateway web interface. Depending on your firewall configuration, the log file may fill up and drop connection packet information, complicating troubleshooting and problem determination. A warning is displayed in the Firewall Rules section of the Advanced Information page when the log file is 90% or more full.

Firewall rules that log to remote syslog support a PRI (Priority Value). In the AT&T Administration Server configuration, the optional Facility and Severity values are used to calculate the PRI, which is sent as a field in the remote syslog messages.
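The following is an added example, not code from the AT&T documentation, showing how a log collector can encode and decode the PRI field of these remote syslog messages. It assumes the standard syslog relation PRI = Facility * 8 + Severity (RFC 3164 / RFC 5424) and an assumed message layout in which the custom rule label appears as a bracketed token after the host name; the sample lines are constructed.

```python
# Added example (not from the AT&T documentation): encode and decode the
# syslog PRI that remote-syslog firewall rules send, and pull the custom
# rule label out of each message for per-rule reporting.
# Assumption: PRI = Facility * 8 + Severity, as in RFC 3164 / RFC 5424.
import re
from typing import NamedTuple

LOCAL0 = 16  # facility numbers 16..23 are local0..local7
SEVERITY_NAMES = ["emerg", "alert", "crit", "err",
                  "warning", "notice", "info", "debug"]


def encode_pri(facility: int, severity: int) -> int:
    """PRI value placed in the '<PRI>' prefix of a remote syslog message."""
    if not 0 <= facility <= 23:
        raise ValueError(f"facility out of range: {facility}")
    if not 0 <= severity <= 7:
        raise ValueError(f"severity out of range: {severity}")
    return facility * 8 + severity


def decode_pri(pri: int) -> tuple[int, int]:
    """Recover (facility, severity) from a received PRI value."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return divmod(pri, 8)


class RuleLogEvent(NamedTuple):
    facility: int
    severity: str
    label: str
    message: str


# Assumed layout: "<PRI>host [rule label] free text" (not documented above).
_LINE_RE = re.compile(r"^<(\d{1,3})>(\S+) \[([^\]]*)\] (.*)$")


def parse_rule_event(line: str) -> RuleLogEvent:
    m = _LINE_RE.match(line)
    if not m:
        raise ValueError("not a labelled gateway syslog line")
    facility, severity = decode_pri(int(m.group(1)))
    return RuleLogEvent(facility, SEVERITY_NAMES[severity], m.group(3), m.group(4))


def summarize(lines: list[str]) -> dict[str, tuple[str, int]]:
    """Map each rule label to (severity name, number of events seen)."""
    out: dict[str, tuple[str, int]] = {}
    for line in lines:
        ev = parse_rule_event(line)
        sev, n = out.get(ev.label, (ev.severity, 0))
        out[ev.label] = (sev, n + 1)
    return out


SAMPLE = [  # constructed sample lines, not captured from a real gateway
    "<132>vpngw1 [deny-ftp-out] REJECT TCP 10.1.1.5:50233 -> 203.0.113.9:21",
    "<134>vpngw1 [allow-web] ACCEPT TCP 10.1.1.7:44100 -> 198.51.100.2:443",
    "<132>vpngw1 [deny-ftp-out] REJECT TCP 10.1.1.8:50234 -> 203.0.113.9:21",
]
```

A PRI of 132 decodes to local0 (16) with severity warning (4), which is the combination a collector would filter on to surface Reject-rule hits separately from Accept-rule noise.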