
Add Terms to Firewall Filters

 

Use the Firewall-Filter-Name page to add a firewall term that controls the ingress and egress traffic. The traffic is classified by matching its source and destination IP addresses (for Layer 3), MAC addresses (for Layer 2), ports, or protocols.

To configure a firewall term:

  1. Select Configuration > SD-LAN > Firewall Filters.

    The EX Firewall Filters page appears.

  2. Click the firewall filter to which you want to add the term.

    The Firewall-Filter-Term-Name page appears.

  3. Click the add icon (+).

    The option to create a firewall term appears inline on the Firewall-Filter-Term-Name page.

  4. Complete the configuration according to the guidelines provided in Table 1.
  5. Click Save to save the changes. If you want to discard your changes, click Cancel instead.

If you click Save, a new firewall term with the provided configuration is added and a confirmation message is displayed.

If a firewall filter contains multiple terms, the new term is, by default, always added at the top of the list of terms on the Firewall-Filter-Term-Name page. The term at the top of the list has higher priority than the others in the list. You can re-order a term by dragging and dropping it to a different position in the list.
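The ordering behavior described above, modeled as an added example (not CSO code and not part of the original page). It assumes the first matching term from the top of the list decides the action; the Term and Filter classes, the term names, and the prefixes are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Term:
    name: str
    src: str     # source prefix
    dst: str     # destination prefix
    action: str  # "allow" or "deny"

    def matches(self, src_ip, dst_ip):
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst))

    def covers(self, other):
        # True when every packet matching `other` also matches this term.
        return (ip_network(other.src).subnet_of(ip_network(self.src))
                and ip_network(other.dst).subnet_of(ip_network(self.dst)))

class Filter:
    def __init__(self):
        self.terms = []

    def add_term(self, term):
        self.terms.insert(0, term)  # per the page: a new term lands at the top

    def move(self, name, index):  # models drag-and-drop re-ordering
        term = next(t for t in self.terms if t.name == name)
        self.terms.remove(term)
        self.terms.insert(index, term)

    def evaluate(self, src_ip, dst_ip):
        # Assumption: the first matching term from the top decides the action.
        for term in self.terms:
            if term.matches(src_ip, dst_ip):
                return term.name, term.action
        return None, "no-match"

    def shadowed(self):
        # (lower, higher) pairs: a higher term covers a lower one with a different action.
        return [(low.name, high.name) for i, low in enumerate(self.terms)
                for high in self.terms[:i]
                if high.covers(low) and high.action != low.action]

def build_sample():
    # Constructed sample: an existing allow term, then a broader deny added later.
    f = Filter()
    f.add_term(Term("allow-mgmt-host", "10.1.1.10/32", "10.9.0.0/24", "allow"))
    f.add_term(Term("deny-user-vlan", "10.1.0.0/16", "10.9.0.0/24", "deny"))
    return f
```

Calling `build_sample().shadowed()` reports that the newly added deny term hides the older allow term; after `move("allow-mgmt-host", 0)` the host-specific term is evaluated first and the list is empty.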

Table 1: Fields on the <Firewall-Filter-Term-Name> Page

| Field | Description |
|---|---|
| Name | Enter a unique string of alphanumeric characters, colons, periods, dashes, and underscores. No spaces are allowed and the maximum length is 255 characters. If you do not enter a name, the term is saved with a default name assigned by CSO. |
| Description | Enter a description for the firewall filter term; maximum length is 1024 characters. |
| Counter | Click the toggle button to enable (default) or disable the counter. The counter counts the number of packets that pass this filter term. Note: If you have enabled the counter for the firewall filter, you cannot add the firewall filter as an egress filter. |
| Logging | Click the toggle button to enable (default) or disable logging. When logging is enabled, CSO logs the packet's header information in the Routing Engine. Note: If you have enabled logging for the firewall filter, you cannot add the firewall filter as an egress filter. |
| Source | Click the add icon (+) to select source endpoints from the displayed list of IP addresses, MAC addresses, protocols, or ports and add them to the firewall filter term. You can also select a source endpoint using the methods described in Selecting Firewall Source. |
| Destination | Click the add icon (+) to select destination endpoints from the displayed list of IP addresses, MAC addresses, protocols, or ports and add them to the firewall filter term. You can also select a destination endpoint using the methods described in Selecting Firewall Destination. |
| Select Action | Click the add icon (+) to choose whether you want to permit or deny the traffic between the source and destination endpoints. Allow: Device permits the traffic. Deny: Device silently drops all packets for the session. |

Endpoints

To add an endpoint to the source or destination:

  1. Click the Select Source or Select Destination text box, and then click the less-than icon (<) on the right side of the page to open the End Points panel.

    The End Points panel displays the endpoints from addresses, MAC, protocols, and ports relevant to the source or destination based on your selection.

    Note: You can also search for a specific endpoint using the search option.

  2. Select the endpoint you want to add and click the check mark icon to add it to the source or destination.

    The selected endpoint is added to the source or destination.

To add new source and destination endpoints:

  1. Click the less-than icon (<) on the right side of the page to open the End Points panel.

  2. Click the add icon (+) on the top right of the End Points panel.

    A list of endpoints that you can add is displayed.

  3. Select the endpoint you want to add.

    You can add the following endpoints:

  4. Click Save to add the new endpoint.

    The endpoint that you created is listed in the End Points panel.

  5. Select the endpoint that you want to add to the source or destination, and click the check mark icon.

    The endpoint is added to the source or destination as specified.

WHAT'S NEXT

After adding terms to the firewall filter, assign the firewall filter as an ingress filter or egress filter in port profiles. See Add Port Profiles.