    Configuring Priorities for Stateless or Stateful Firewall Services

    If you design services to be accessed from Enterprise Manager Portal, you can configure ranges of priority values that are enterprise specific and ranges that are available to a number of enterprises. Setting the two ranges makes it possible for a service provider to specify firewall exceptions that an IT manager in an enterprise cannot override.

    Configuring Priorities to Have Enterprise Services Work Together

    You can configure the parameters in the following list as global parameters that apply to all subscribers, and as subscriber-specific parameters. If you configure both, the global range takes precedence over a subscriber-specific limit.

    • fwMinPriority—Specifies the lower limit of the range of precedences available for subscriptions to firewall exceptions.
    • fwMaxPriority—Specifies the upper limit of the range of precedences available for subscriptions to firewall exceptions.
    • fwEnterpriseMinPriority—Specifies the lower limit of the range of precedences that an enterprise-specific manager can make available for subscriptions to firewall exceptions.
    • fwEnterpriseMaxPriority—Specifies the upper limit of the range of precedences that an enterprise-specific manager can make available for subscriptions to firewall exceptions.

    Ensure that:

    • fwMaxPriority is greater than or equal to fwEnterpriseMaxPriority
    • fwEnterpriseMaxPriority is greater than fwEnterpriseMinPriority
    • fwEnterpriseMinPriority is greater than or equal to fwMinPriority
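
    The check below is an added example, not part of the product or its sample data: it resolves the four parameters and reports which of the constraints above are violated before a configuration is deployed. The dictionary layout, the function names and the per-parameter reading of "global takes precedence" are assumptions made for illustration.

```python
# Added example: pre-deployment check of the four firewall priority parameters.
# The dict layout and function names are assumptions, not part of the product.

PARAMS = ("fwMinPriority", "fwMaxPriority",
          "fwEnterpriseMinPriority", "fwEnterpriseMaxPriority")


def effective_params(global_cfg, subscriber_cfg):
    """Resolve each parameter; a global value wins over a subscriber-specific one."""
    merged = {}
    for name in PARAMS:
        if name in global_cfg:
            merged[name] = global_cfg[name]
        elif name in subscriber_cfg:
            merged[name] = subscriber_cfg[name]
    return merged


def check_priority_ranges(cfg):
    """Return the violated constraints; an empty list means the ranges are consistent."""
    errors = []
    for name in PARAMS:
        value = cfg.get(name)
        if isinstance(value, bool) or not isinstance(value, int):
            errors.append(f"{name} is missing or not an integer")
    if errors:
        return errors
    if not cfg["fwMaxPriority"] >= cfg["fwEnterpriseMaxPriority"]:
        errors.append("fwMaxPriority must be >= fwEnterpriseMaxPriority")
    if not cfg["fwEnterpriseMaxPriority"] > cfg["fwEnterpriseMinPriority"]:
        errors.append("fwEnterpriseMaxPriority must be > fwEnterpriseMinPriority")
    if not cfg["fwEnterpriseMinPriority"] >= cfg["fwMinPriority"]:
        errors.append("fwEnterpriseMinPriority must be >= fwMinPriority")
    return errors


# Constructed sample values, not taken from any real deployment.
GLOBAL_CFG = {"fwMinPriority": 100, "fwMaxPriority": 900}
GOOD_SUBSCRIBER = {"fwEnterpriseMinPriority": 300, "fwEnterpriseMaxPriority": 600}
# The enterprise range reaches past the overall range, and the subscriber's own
# fwMaxPriority is ignored because a global value exists.
BAD_SUBSCRIBER = {"fwMaxPriority": 2000,
                  "fwEnterpriseMinPriority": 50, "fwEnterpriseMaxPriority": 950}

if __name__ == "__main__":
    for label, sub in (("good", GOOD_SUBSCRIBER), ("bad", BAD_SUBSCRIBER)):
        problems = check_priority_ranges(effective_params(GLOBAL_CFG, sub))
        print(label, "->", problems or "consistent")
```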

    Configuring Priorities for Individual Scopes by Defining Them in Services

    You can use parameters to limit priority ranges for services within a scope. For stateful firewall services, you set parameters to limit priority ranges in the FirewallRule service. For stateless firewall services, you set parameters to limit priority ranges in the FRW_Filter_Both service.

    You can use parameters to limit priority ranges for services within a scope in addition to using global ranges. For example, you can define a global range, and then define a different range that overrides the global range for specified subscribers.

    To allow priority values for services in one scope to override the priority values for services in another scope:

    1. In a service that resides in a service scope that has a low precedence (indicated by a higher number), define default values for the parameters that limit a priority range.
    2. Attach this scope to an entry at a high level in the subscriber folder; for example, to a retailer.
    3. Create a second scope that has a higher precedence.
    4. Create a service that uses parameters to limit priority ranges in the second scope.
    5. Attach the second scope (which has a higher precedence) to the enterprise.

    The services with the higher precedence override the services with a lower precedence.

    Using Stateless Firewall and BoD Applications Together

    In most cases, you can use the services listed in the table "Stateless Firewall Services in Sample Data" in "Reviewing Services for Exceptions to Stateless Firewalls" to provide bandwidth management and firewall support. However, if you want to design special services to have firewalls work with BoD services, use the following guidelines to design your services:

    • Specify a higher priority in the BoD policies.
    • Specify next-rule actions for the BoD policies.

    After all the BoD policy rules are applied, the stateless firewall policy rules are applied. Packets are forwarded or dropped as appropriate.

    Published: 2014-06-19