Firewall settings
You can configure firewall settings at a site level. These settings provide security to all the SD-WAN appliances on a specific site.
The following are the instructions to configure the Site-specific override firewall settings:
- At the site level, navigate to Configuration > Advanced settings > Firewall settings.
- Select the Site Specific Override option from the Override Firewall Settings drop-down menu. This action applies the defined firewall rules on a specific site.
  Note: If you want to switch from the site-specific setting back to the global default setting, select the Global Defaults option from the drop-down list. This action removes the site-specific configuration and retains the global defaults.
- Action When No Firewall Rules Match: Select an action (Allow or Drop) from the drop-down list for packets that do not match any firewall policy.
- Default Connection State Tracking: Enables directional connection state tracking for TCP, UDP, and ICMP flows that do not match a filter policy or NAT rule.
- Source Route Validation: When you select this check box, packets are dropped when they are received on an interface that is different from the interface the packet's route would use, as determined by the source IP address.
- FTP ALG: When you select this check box, the FTP ALG (Application Layer Gateway) monitors connections on TCP port 21 and updates FTP messages with the appropriate NAT IP addresses.
- Max Connections per Source: Maximum number of non-established connections that each source IP address can allow. By default, each source IP address allows an unlimited number of non-established connections.
- Max New Connections per Source: Maximum number of connections that each source IP address can allow. By default, each source IP address allows an unlimited number of connections.
- Use Global Connection Timeouts: When you select this check box, SD-WAN uses the global timeout settings. To configure site-specific timeout settings, clear this check box and set the following values:
  - Denied Timeout (s): Time (in seconds) to wait for new packets before closing denied connections.
  - TCP Initial Timeout (s): Time (in seconds) to wait for new packets before closing an incomplete TCP session.
  - TCP Idle Timeout (s): Time (in seconds) to wait for new packets before closing an active TCP session.
  - TCP Closing Timeout (s): Time (in seconds) to wait for new packets before closing a TCP session after a terminate request.
  - TCP Time Wait Timeouts (s): Time (in seconds) to wait for new packets before closing a terminated TCP session.
  - TCP Closed Timeout (s): Time (in seconds) to wait for new packets before closing an aborted TCP session.
- Click Save.
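The Source Route Validation check described above, modelled as an added example (this is illustrative code, not Citrix SD-WAN code); the routing table, interface names and packets are constructed for illustration. The last packet shows the caveat a practitioner should expect: a legitimate source reached over an asymmetric path is dropped, so the check fits sites whose routing is symmetric.

```python
"""Model of a reverse-path (source route validation) check: a packet is
accepted only if the interface it arrived on is the interface the routing
table would use to reach the packet's source address."""
import ipaddress
from typing import Optional

# Constructed routing table: (prefix, egress interface); longest prefix wins.
ROUTES = [
    ("0.0.0.0/0", "wan0"),          # default route via the primary WAN
    ("10.10.0.0/16", "lan0"),       # site LAN
    ("10.10.50.0/24", "lan1"),      # a more specific LAN segment
    ("192.168.100.0/24", "wan1"),   # a partner network reached via a second WAN
]


def route_lookup(src_ip: str) -> Optional[str]:
    """Return the interface the table would use to reach src_ip (longest prefix match)."""
    addr = ipaddress.ip_address(src_ip)
    best = None
    for prefix, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def source_route_validation(src_ip: str, ingress_iface: str) -> str:
    """'allow' if the ingress interface matches the route back to the source, else 'drop'."""
    expected = route_lookup(src_ip)
    return "allow" if expected == ingress_iface else "drop"


if __name__ == "__main__":
    # Constructed sample packets: (source IP, interface the packet arrived on).
    packets = [
        ("10.10.50.7", "lan1"),     # arrives where the route back points: allowed
        ("10.10.50.7", "wan0"),     # LAN source seen on the WAN (spoofed or misrouted): dropped
        ("8.8.8.8", "wan0"),        # Internet source on the default-route interface: allowed
        ("192.168.100.9", "wan0"),  # legitimate source, but asymmetric path via wan0: dropped
    ]
    for src, iface in packets:
        print(f"{src:16} on {iface:5} -> {source_route_validation(src, iface)}")
```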