Add Terms to Firewall Filters
Use the Firewall-Filter-Name page to add a firewall term that controls the ingress and egress traffic. The traffic is classified by matching its source and destination IP addresses (for Layer 3), MAC addresses (for Layer 2), ports, or protocols.
To configure a firewall term:
- Select Configuration > SD-LAN > Firewall Filters.
The EX Firewall Filters page appears.
- Click the firewall filter to which you want to add the term.
The Firewall-Filter-Term-Name page appears.
- Click the add icon (+).
The option to create a firewall term appears inline on the Firewall-Filter-Term-Name page.
- Complete the configuration according to the guidelines provided in Table 1.
- Click Save to save the changes. If you want to discard your changes, click Cancel instead.
If you click Save, a new firewall term with the provided configuration is added and a confirmation message is displayed.
If a firewall filter contains multiple terms, then, by default, the new term is always added at the top of the list of terms on the Firewall-Filter-Term-Name page. The term at the top of the list has higher priority than the others in the list. You can reorder a term by dragging and dropping it to a different position in the list.
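The effect of the default top-of-list placement, as an added example that is not part of the original page or CSO's own code: it assumes the highest matching term decides the action, models terms as IPv4 prefix matches, and flags lower terms that a newly added term fully covers. The term names, prefixes and helper functions are hypothetical.

```python
# Added example: models priority ordering of filter terms. Not CSO code.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Term:
    name: str
    src: str      # source prefix (Layer 3 match)
    dst: str      # destination prefix
    action: str   # "permit" or "deny"

def add_term(terms, new):
    """Default behavior described above: the new term lands at the top."""
    return [new] + list(terms)

def move_term(terms, name, index):
    """Equivalent of dragging a term to another position in the list."""
    rest = [t for t in terms if t.name != name]
    moved = next(t for t in terms if t.name == name)
    return rest[:index] + [moved] + rest[index:]

def decide(terms, src_ip, dst_ip):
    """Action of the first (highest) term that matches, or None if none does."""
    for t in terms:
        if ip_address(src_ip) in ip_network(t.src) and ip_address(dst_ip) in ip_network(t.dst):
            return t.action
    return None

def shadowed(terms):
    """(lower, upper, outcome_changed) for each term fully covered by a higher one."""
    found = []
    for i, low in enumerate(terms):
        for up in terms[:i]:
            if (ip_network(low.src).subnet_of(ip_network(up.src))
                    and ip_network(low.dst).subnet_of(ip_network(up.dst))):
                found.append((low.name, up.name, low.action != up.action))
                break
    return found

# Constructed sample terms and addresses (hypothetical, not from the product).
EXISTING = [Term("deny-mgmt", "10.1.20.0/24", "10.1.99.0/24", "deny"),
            Term("permit-dns", "10.1.0.0/16", "10.1.53.10/32", "permit")]
NEW = Term("permit-campus", "10.1.0.0/16", "10.1.0.0/16", "permit")

if __name__ == "__main__":
    top = add_term(EXISTING, NEW)
    print(decide(top, "10.1.20.5", "10.1.99.1"), shadowed(top))
    fixed = move_term(top, "permit-campus", len(top) - 1)
    print(decide(fixed, "10.1.20.5", "10.1.99.1"), shadowed(fixed))
```

A pair whose third element is true marks a term whose intended action is overridden by a higher term, which is the case to resolve by reordering before the filter is assigned to a port profile.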
Table 1: Fields on the <Firewall-Filter-Term-Name> Page
Field | Description |
---|---|
Name | Enter a unique string of alphanumeric characters, colons, periods, dashes, and underscores. No spaces are allowed and the maximum length is 255 characters. If you do not enter a name, the term is saved with a default name assigned by CSO. |
Description | Enter a description for the firewall filter term; maximum length is 1024 characters. |
Counter | Click the toggle button to enable (default) or disable the counter. The counter counts the number of packets that pass this filter term. Note: If you have enabled the counter for the firewall filter, you cannot add the firewall filter as an egress filter. |
Logging | Click the toggle button to enable (default) or disable logging. By enabling logging, CSO logs the packet's header information in the Routing Engine. Note: If you have enabled logging for the firewall filter, you cannot add the firewall filter as an egress filter. |
Source | Click the add icon (+) to select the source endpoints from the displayed list of IP addresses, MAC addresses, protocols, or ports and add them to the firewall filter term. You can also select a source endpoint using the methods described in Selecting Firewall Source. |
Destination | Click the add icon (+) to select the destination endpoints from the displayed list of IP addresses, MAC addresses, protocols, or ports and add them to the firewall filter term. You can also select a destination endpoint using the methods described in Selecting Firewall Destination. |
Select Action | Click the add icon (+) to choose whether you want to permit or deny the traffic between the source and destination endpoints. |
Endpoints | To add an endpoint to the source or destination: To add new source and destination endpoints: |
WHAT'S NEXT
After adding terms to the firewall filter, assign the firewall filter as an ingress filter or egress filter in port profiles. See Add Port Profiles.