Understanding Firewall Policies
A user role, which determines a client’s network privileges, is defined by one or more firewall policies. A firewall
policy consists of rules that define the source, destination, and service type for specific traffic, and whether you
want the switch to permit or deny traffic that matches the rule.
You can configure firewall policies for IPv4 traffic or IPv6 traffic, and apply IPv4 and IPv6 firewall policies to the
same user role. For example, if you have employees who use both IPv4 and IPv6 clients, you can configure
both IPv4 and IPv6 firewall policies and apply them both to the “employee” user role.
The procedure to configure an IPv6 firewall policy rule is similar to configuring a firewall policy rule for IPv4
traffic, but with some differences. Table 18 describes the required and optional parameters for an IPv6 firewall
policy rule.
Table 39: IPv6 Firewall Policy Rule Parameters

Source (required)
  Source of the traffic:
  - any: Acts as a wildcard and applies to any source address.
  - user: Traffic from the wireless client.
  - host: Traffic from a specific host. When you choose this option, you must configure the IPv6 address of the host, for example 2002:d81f:f9f0:1000:c7e:5d61:585c:3ab.
  - network: Traffic whose source IP address belongs to a subnet. When you choose this option, you must configure the IPv6 address and network mask of the subnet, for example 2002:ac10:fe:: ffff:ffff:ffff::.
  - alias: Use an alias for a host or network.
  NOTE: This release does not support IPv6 aliases. You cannot configure an alias for an IPv6 host or network.

Destination (required)
  Destination of the traffic, configured in the same manner as Source.

Service (required)
  NOTE: Voice over IP services are unavailable for IPv6 policies.
  Type of traffic:
  - any: The rule applies to any type of traffic.
  - tcp: Configure a range of TCP ports that the rule matches.
  - udp: Configure a range of UDP ports that the rule matches.
  - service: Use one of the pre-defined services (common protocols such as HTTPS, HTTP, and others) as the protocol that the rule matches. You can also specify a network service that you configure on the Configuration > Advanced Services > Stateful Firewall > Network Services page.
  - protocol: Specify a different layer 4 protocol (other than TCP/UDP) by configuring the IP protocol value.

Action (required)
  The action that you want the switch to perform on a packet that matches the specified criteria.
  - permit: Permits traffic matching this rule.
  - drop: Drops packets matching this rule without any notification.
  NOTE: The only actions for IPv6 policy rules are permit or deny; in this release, the switch cannot perform network address translation (NAT) or redirection on IPv6 packets. You can specify options such as logging, mirroring, or blacklisting (described below).

Log (optional)
  Logs a match to this rule. This is recommended when a rule indicates a security breach, such as a data packet on a policy that is meant only to be used for voice calls.
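To make the rule semantics concrete, here is an added example (not AOS-W code): a small Python evaluator that applies an ordered list of rules built from the Source, Destination, Service, Action and Log fields to one IPv6 flow, first match wins. The string syntax for the endpoint and service fields ("any" | "user" | "host A" | "network A MASK", and "any" | "tcp LO[-HI]" | "udp LO[-HI]" | "service NAME" | "protocol NUM"), the SERVICES table, the drop when no rule matches, and the sample employee policy are all assumptions constructed for this example.

```python
import ipaddress

# Constructed example, not AOS-W code: first-match evaluation of IPv6 firewall rules built from the
# Source, Destination, Service, Action and Log fields in the table above. A rule is the tuple
# (source, destination, service, action, log); endpoint/service strings use a syntax invented here.
SERVICES = {"http": (6, 80), "https": (6, 443)}  # constructed subset of the pre-defined services
def mask_to_prefix(mask):
    """Turn a netmask such as ffff:ffff:ffff:: into a prefix length, rejecting non-contiguous masks."""
    bits, full = int(ipaddress.IPv6Address(mask)), (1 << 128) - 1
    prefix = bin(bits).count("1")
    if bits != (full << (128 - prefix)) & full:
        raise ValueError(f"non-contiguous IPv6 mask: {mask}")
    return prefix
def match_endpoint(spec, addr, client):
    """Match one address against a Source/Destination field; 'user' is the wireless client itself."""
    kind, *args = spec.split()
    ip = ipaddress.IPv6Address(addr)
    if kind == "network":  # address plus mask, as in the table: 2002:ac10:fe:: ffff:ffff:ffff::
        return ip in ipaddress.IPv6Network(f"{args[0]}/{mask_to_prefix(args[1])}", strict=False)
    if kind in ("user", "host"):
        return ip == ipaddress.IPv6Address(client if kind == "user" else args[0])
    if kind != "any":  # 'alias' is not supported for IPv6 hosts or networks
        raise ValueError(f"unsupported IPv6 endpoint type: {kind}")
    return True
def match_service(spec, proto, dport):
    """Match the IP protocol number and destination port against a Service field."""
    kind, *args = spec.split()
    if kind in ("tcp", "udp"):  # single port or LO-HI range
        ports = args[0].split("-")
        return proto == (6 if kind == "tcp" else 17) and int(ports[0]) <= dport <= int(ports[-1])
    if kind == "service":
        return (proto, dport) == SERVICES[args[0]]
    if kind == "protocol":  # a layer-4 protocol other than TCP/UDP, by IP protocol value
        return proto == int(args[0])
    if kind != "any":
        raise ValueError(f"unsupported service type: {kind}")
    return True
def evaluate(rules, src, dst, proto, dport, client):
    """Return (action, log) of the first matching rule; no match drops (assumed implicit deny)."""
    for source, destination, service, action, log in rules:
        if (match_endpoint(source, src, client) and match_endpoint(destination, dst, client)
                and match_service(service, proto, dport)):
            return action, log
    return "drop", False

# Constructed "employee" policy: HTTPS to the corporate /48, DNS anywhere, log and drop TCP to one host
EMPLOYEE_POLICY = [
    ("user", "network 2002:ac10:fe:: ffff:ffff:ffff::", "service https", "permit", False),
    ("user", "any", "udp 53", "permit", False),
    ("any", "host 2002:d81f:f9f0:1000:c7e:5d61:585c:3ab", "tcp 1-65535", "drop", True),
]
```

Note that the third rule is the "log a suspected breach" case from the Log field: it matches regardless of whether the source is the client, so the second assertion style in a real deployment would be to review those log entries rather than to rely on the drop alone.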
AOS-W 6.5.3.x | User Guide IPv6 Support | 152