Kaspersky SD-WAN

Managing firewall zones

You can view the table of common firewall zones or the table of firewall zones on the CPE device:

  • To display the table of common firewall zones, go to the SD-WAN → Firewall zones menu section.
  • To display the table of firewall zones on a CPE device, go to the SD-WAN → CPE menu section, click the CPE device, and select the Firewall → Zones tab.

The following firewall zones are created by default:

  • wan (WAN firewall zone) is the firewall zone for network interfaces that are connected to the WAN, for example, to the internet or the service provider network. Masquerading is enabled in the settings of the firewall WAN zone to replace the source IP address of outbound traffic packets from the firewall zone with the IP address assigned to the egress network interface.
  • lan (LAN firewall zone) is the firewall zone for network interfaces that are connected to the LAN.
  • mgmt (management firewall zone) is the firewall zone for the network interface that is used for passive monitoring of the CPE device by the Zabbix monitoring system, as well as for the SSH connection of the orchestrator to the CPE device.

You cannot delete the default firewall zones or create firewall zones with the same names.

When you upgrade Kaspersky SD-WAN from version 2.1 to 2.2, the following changes are made in the settings of all CPE templates:

  • sdwan<0–4> network interfaces are automatically added to the WAN zone of the firewall.
  • lan, br-lan, and overlay network interfaces are automatically added to the LAN zone of the firewall.

Information about common firewall zones is displayed in the following columns of the table:

The actions that you can perform with the table are described in the Managing solution component tables instructions.

Information about firewall zones on the CPE device is displayed in the following columns of the table:

  • Name is the name of the firewall zone.
  • Settings contains the actions that the firewall applies to traffic packets.
  • Network interfaces/Networks are network interfaces and subnets that have been added to the firewall zone.

In this section

Creating a firewall zone

Cloning a common firewall zone

Viewing the usage of a common firewall zone

Editing a firewall zone

Deleting a firewall zone

[Topic 270021]

Creating a firewall zone

You can create a common firewall zone or a firewall zone on the CPE device.

To create a firewall zone:

  1. Create a firewall zone in one of the following ways:
    • If you want to create a common firewall zone, go to the SD-WAN → Firewall zones section. A table of common firewall zones is displayed. In the upper part of the page, click + Firewall zone.
    • If you want to create a firewall zone on a CPE device, go to the SD-WAN → CPE menu section, click the CPE device, and select the Firewall → Zones tab. A table of firewall zones is displayed. Select the Override check box and click + Firewall zone.

  2. This opens a window; in that window, in the Name field, enter the name of the firewall zone. The maximum length of the name is 255 characters.
  3. In the Input drop-down list, select the action that the firewall applies to inbound traffic packets (packets addressed to the CPE device itself):
    • ACCEPT to accept traffic packets. Default value.
    • DROP to silently discard traffic packets.
    • REJECT to discard traffic packets and notify the sender with an ICMP reject message.
  4. In the Output drop-down list, select the action that the firewall applies to outbound traffic packets (packets originating from the CPE device itself):
    • ACCEPT to accept traffic packets. Default value.
    • DROP to silently discard traffic packets.
    • REJECT to discard traffic packets and notify the sender with an ICMP reject message.
  5. In the Forwarding drop-down list, select the action that the firewall applies to traffic packets forwarded between network interfaces and subnets:
    • ACCEPT to accept traffic packets. Default value.
    • DROP to silently discard traffic packets.
    • REJECT to discard traffic packets and notify the sender with an ICMP reject message.
  6. If you want to enable masquerading to replace the source IP address of outbound traffic packets from the firewall zone with the IP address assigned to the egress network interface:
    1. Select the Masquerading check box. This check box is cleared by default.
    2. If you want to replace the source IP address only for traffic packets that originate from specific subnets, under Masquerading source subnets, click + Add and enter the source IPv4 subnet prefix.

      The subnet is specified and displayed under Masquerading source subnets. You can specify multiple subnets or remove a subnet. To delete a subnet, click the delete icon next to it. If no source subnet is specified, masquerading applies regardless of the source address.

    3. If you want to replace the source IP address only for traffic packets that are addressed to specific subnets, under Masquerading destination subnets, click + Add and enter the destination IPv4 subnet prefix.

      The subnet is specified and displayed under Masquerading destination subnets. You can specify multiple subnets or delete a subnet. To delete a subnet, click the delete icon next to it. If no destination subnet is specified, masquerading applies regardless of the destination address.

  7. Clear the MSS clamp to PMTU check box if you do not want the firewall to limit the Maximum Segment Size (MSS) of TCP traffic packets relayed through the firewall zone to the Path Maximum Transmission Unit (PMTU) value minus 40. The 40 bytes subtracted are the 20-byte IPv4 header and the 20-byte TCP header, so that a full-size segment fits into the path MTU without fragmentation. This check box is selected by default.
  8. If you want the firewall to keep a log of traffic packets dropped in the firewall zone, select the Drops logging check box. If logs created on a CPE device are sent to a Syslog server, you can view the logs on the Syslog server. If logs created on the CPE device are stored locally, you can view the logs by requesting diagnostic information. This check box is cleared by default.
  9. If network interfaces are connected to L3 switches or routers, and you want to relay traffic packets from subnets of these L3 switches or routers, add a subnet to the firewall zone. To do so, under Networks, click + Add and enter an IPv4 subnet prefix.

    The subnet is added and displayed under Networks. You can add multiple subnets or delete a subnet. To delete a subnet, click the delete icon next to it.

  10. Click Create.

    The firewall zone is created and displayed in the table.

  11. If you have created a firewall zone on a CPE device, click Save in the upper part of the settings area to save the CPE device settings.

You must add network interfaces to the created firewall zone. You can do this when creating or editing a network interface. If you created a firewall zone on a CPE device, the network interfaces that you add to the firewall zone must be created on the same CPE device.
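The following stand-alone Python model is an added example and is not Kaspersky SD-WAN code. It mirrors the zone settings from the procedure above (Input, Output and Forwarding actions, Masquerading with optional source and destination subnets, MSS clamp to PMTU, Drops logging, Networks) and the three default zones with the interface membership described earlier on this page, so that the effect of a setting can be checked on constructed packets before it is pushed to CPE devices. The rules in decide() for which zone's action applies to a given packet, the mgmt interface name, and the "guest" zone are assumptions made for the example.

```python
# Added example (not Kaspersky SD-WAN code): a stand-alone model of the
# firewall-zone settings described above. Field names follow the UI; the
# packet-handling rules in decide() are stated assumptions.
from dataclasses import dataclass, field
from enum import Enum
from ipaddress import ip_address, ip_network
from typing import Optional


class Action(str, Enum):
    ACCEPT = "ACCEPT"   # default for Input, Output and Forwarding
    DROP = "DROP"       # discard silently
    REJECT = "REJECT"   # discard and answer with an ICMP reject message


@dataclass
class Zone:
    name: str
    input: Action = Action.ACCEPT
    output: Action = Action.ACCEPT
    forwarding: Action = Action.ACCEPT
    masquerading: bool = False
    masq_src: list = field(default_factory=list)   # Masquerading source subnets
    masq_dst: list = field(default_factory=list)   # Masquerading destination subnets
    mss_clamp: bool = True                          # MSS clamp to PMTU (selected by default)
    drops_logging: bool = False                     # Drops logging (cleared by default)
    interfaces: set = field(default_factory=set)    # network interfaces in the zone
    networks: list = field(default_factory=list)    # Networks: subnets behind L3 devices

    def __post_init__(self):
        # Accept "10.0.0.0/8" strings as the UI does; store IPv4Network objects.
        self.masq_src = [ip_network(n) for n in self.masq_src]
        self.masq_dst = [ip_network(n) for n in self.masq_dst]
        self.networks = [ip_network(n) for n in self.networks]

    def matches(self, ifname: str, addr) -> bool:
        """A packet belongs to the zone if it uses one of the zone's interfaces
        or if its address lies in one of the zone's Networks subnets."""
        addr = ip_address(addr)
        return ifname in self.interfaces or any(addr in n for n in self.networks)

    def should_masquerade(self, src, dst) -> bool:
        """Masquerading rewrites the source address of traffic leaving the zone;
        a non-empty source or destination subnet list narrows it to matching packets."""
        if not self.masquerading:
            return False
        src, dst = ip_address(src), ip_address(dst)
        src_ok = not self.masq_src or any(src in n for n in self.masq_src)
        dst_ok = not self.masq_dst or any(dst in n for n in self.masq_dst)
        return src_ok and dst_ok

    def clamped_mss(self, pmtu: int) -> Optional[int]:
        """TCP MSS limit for the zone: PMTU minus 40 bytes (20-byte IPv4 header
        plus 20-byte TCP header), or None when clamping is disabled."""
        return pmtu - 40 if self.mss_clamp else None


def default_zones() -> dict:
    """The three default zones, with the interface membership the page describes
    for the 2.1 -> 2.2 upgrade. The mgmt interface name is an assumption."""
    return {
        "wan": Zone("wan", masquerading=True,
                    interfaces={f"sdwan{i}" for i in range(5)}),
        "lan": Zone("lan", interfaces={"lan", "br-lan", "overlay"}),
        "mgmt": Zone("mgmt", interfaces={"mgmt"}),
    }


def zone_of(zones: dict, ifname: str, addr) -> Optional[Zone]:
    return next((z for z in zones.values() if z.matches(ifname, addr)), None)


def decide(zones: dict, in_if, src, dst, out_if=None):
    """Return (action, log_line). Assumed model: no egress interface means the
    packet is addressed to the CPE itself (ingress zone's Input action); no
    ingress interface means it originates on the CPE (egress zone's Output
    action); otherwise it is forwarded and the ingress zone's Forwarding action
    applies. A packet that matches no zone is dropped. A log line is produced
    only for DROP in a zone with Drops logging enabled."""
    zin = zone_of(zones, in_if, src) if in_if else None
    zout = zone_of(zones, out_if, dst) if out_if else None
    if (in_if and zin is None) or (out_if and zout is None) or (zin is None and zout is None):
        return Action.DROP, None
    if zin is not None and not out_if:
        action, zone = zin.input, zin
    elif zout is not None and not in_if:
        action, zone = zout.output, zout
    else:
        action, zone = zin.forwarding, zin
    log = None
    if action is Action.DROP and zone.drops_logging:
        log = f"DROP zone={zone.name} in={in_if or '-'} out={out_if or '-'} {src}->{dst}"
    return action, log


if __name__ == "__main__":
    zones = default_zones()
    # Constructed sample: a "guest" zone that blocks forwarding and logs drops.
    zones["guest"] = Zone("guest", forwarding=Action.DROP, drops_logging=True,
                          masquerading=True, masq_src=["10.10.0.0/16"],
                          interfaces={"guest0"}, networks=["10.20.0.0/24"])
    print(decide(zones, "br-lan", "192.168.1.10", "8.8.8.8", "sdwan0"))
    print(decide(zones, "guest0", "10.10.1.5", "192.168.1.10", "br-lan"))
```

Running the block shows LAN-to-WAN forwarding accepted by the default zones, and a guest-to-LAN packet dropped with a log line because the constructed guest zone has Forwarding set to DROP and Drops logging enabled. The model also makes the masquerading subnet lists explicit: with an empty list, the wan zone masquerades every packet leaving it, while the guest zone masquerades only packets from 10.10.0.0/16.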

[Topic 270039]

Cloning a common firewall zone

You can clone the created common firewall zone to create an identical common firewall zone with a different name. Cloning firewall zones on a CPE device is not supported.

To clone a common firewall zone:

  1. In the menu, go to the SD-WAN → Firewall zones section.

    A table of common firewall zones is displayed.

  2. Click the common firewall zone which you want to clone.

    The settings area is displayed in the lower part of the page. You can expand the settings area to fill the entire page by clicking the expand icon.

  3. In the upper part of the settings area, under Actions, click Clone.
  4. This opens a window; in that window, enter a name for the new common firewall zone.
  5. Click Clone.

A clone of the common firewall zone with the new name is created and displayed in the table.

[Topic 270108]

Viewing the usage of a common firewall zone

If necessary, you can see which firewall templates, CPE templates, and CPE devices are using the common firewall zone. This is useful because a common firewall zone that is in use cannot be deleted, and because editing it changes the firewall configuration of every CPE device that uses it.

To see if the common firewall zone is being used:

  1. In the menu, go to the SD-WAN → Firewall zones section.

    A table of common firewall zones is displayed.

  2. Click the common firewall zone whose usage you want to view.

    The settings area is displayed in the lower part of the page. You can expand the settings area to fill the entire page by clicking the expand icon.

  3. In the upper part of the settings area, under Actions, click Show usage.

This opens a window with a table of firewall templates, CPE templates, and CPE devices that are using the common firewall zone.

[Topic 270109]

Editing a firewall zone

You can edit a common firewall zone or a firewall zone on the CPE device.

Editing a common firewall zone

When you edit a common firewall zone, the new settings are applied to all CPE devices that use the common firewall zone. If the number of such CPE devices is large, pushing the change can overload the orchestrator, so check the usage of the common firewall zone before editing it.

To edit a common firewall zone:

  1. In the menu, go to the SD-WAN → Firewall zones section.

    A table of common firewall zones is displayed.

  2. Click the common firewall zone which you want to edit.

    The settings area is displayed in the lower part of the page. You can expand the settings area to fill the entire page by clicking the expand icon.

  3. If necessary, edit the settings of the common firewall zone. For a description of the settings, see the instructions for creating a firewall zone.
  4. In the upper part of the settings area, click Save to save the settings of the common firewall zone.

    This opens a confirmation window with the number of CPE devices to which the new common firewall zone settings will be applied.

  5. Click Yes, change.

The common firewall zone is modified and updated in the table.

Editing a firewall zone on a CPE device

To edit a firewall zone on a CPE device:

  1. In the menu, go to the SD-WAN → CPE section.

    A table of CPE devices is displayed.

  2. Click the CPE device on which you want to edit the firewall zone.

    The settings area is displayed in the lower part of the page. You can expand the settings area to fill the entire page by clicking the expand icon. By default, the Configuration tab is selected, which displays general information about the CPE device. This tab also displays the table of Out-of-band management tasks being performed by the orchestrator.

  3. Select the Firewall → Zones tab.

    A table of firewall zones is displayed.

  4. Select the Override check box.
  5. Click Edit next to the firewall zone that you want to edit.
  6. This opens a window; in that window, if necessary, edit the firewall zone settings. For a description of the settings, see the instructions for creating a firewall zone.
  7. Click Save.

    The firewall zone is modified and updated in the table.

  8. In the upper part of the settings area, click Save to save CPE device settings.
[Topic 270269]

Deleting a firewall zone

You can delete a common firewall zone or a firewall zone on the CPE device.

Deleted firewall zones cannot be restored.

Deleting a common firewall zone

You cannot delete a common firewall zone if it is being used by at least one firewall template, CPE template, or CPE device. To delete a common firewall zone that is used by firewall templates, CPE templates, or CPE devices, you must first remove the common firewall zone from their settings. To find out which firewall templates, CPE templates, and CPE devices are using the common firewall zone, view its usage.

To delete a common firewall zone:

  1. In the menu, go to the SD-WAN → Firewall zones section.

    A table of common firewall zones is displayed.

  2. Click the common firewall zone which you want to delete.

    The settings area is displayed in the lower part of the page. You can expand the settings area to fill the entire page by clicking the expand icon.

  3. In the upper part of the settings area, under Actions, click Delete.
  4. In the confirmation window, click Delete.

The common firewall zone is deleted and is no longer displayed in the table.

Deleting a firewall zone on a CPE device

To delete a firewall zone on a CPE device:

  1. In the menu, go to the SD-WAN → CPE section.

    A table of CPE devices is displayed.

  2. Click the CPE device on which you want to delete the firewall zone.

    The settings area is displayed in the lower part of the page. You can expand the settings area to fill the entire page by clicking the expand icon. By default, the Configuration tab is selected, which displays general information about the CPE device. This tab also displays the table of Out-of-band management tasks being performed by the orchestrator.

  3. Select the Firewall → Zones tab.

    A table of firewall zones is displayed.

  4. Select the Override check box.
  5. Click Delete next to the firewall zone that you want to delete.
  6. In the confirmation window, click Delete.

    The firewall zone is deleted and is no longer displayed in the table.

  7. In the upper part of the settings area, click Save to save CPE device settings.
[Topic 270107]