Citrix SD-WAN Orchestrator

Firewall settings

July 29, 2021

Contributed by:

You can configure firewall settings at a site level. These settings provide security to all the SD-WAN appliances on a specific site.

The following are the instructions to configure the Site-specific override firewall settings:

At the site level, navigate to Configuration > Advanced settings > Firewall settings.
Select the Site Specific Override option from the Override Firewall Settings drop-down menu. This action applies the defined firewall rules on a specific site.

Note

If you want to switch from site-specific setting to a global default setting, select the Global Defaults option from the drop-down list. This action removes the site-specific configuration and retains the global specific defaults.
- Action When No Firewall Rules Match: Select an action (Allow or Drop) from the drop-down list for the packets that do not match a Firewall policy.
- Default Connection State Tracking: Enables directional connection state tracking for TCP, UDP, and ICMP flows that do not match a filter policy or NAT rule.
- Source Route Validation: When you select this check box, packets are dropped when they are received on an interface that is different from the packet’s route, as determined by the source IP address.
- FTP ALG: When you select this check box, the FTP ALG (Application layer gateway) monitors connections on TCP port 21 and updates FTP messages with the appropriate NAT IP addresses.
- Max Connections per Source: Maximum number of non-established connections that each source IP address can allow. By default, each source IP address allows an unlimited number of non-established connections.
- Max New Connections per Source: Maximum number of connections that each source IP address can allow. By default, each source IP address allows unlimited number of connections.
- Use Global Connection Timeouts: When you select this check box, SD-WAN enables the global timeout settings. To configure specific timeout settings, clear this check box.
  - Denied Timeout (s): Time (in seconds) to wait for new packets before closing denied connections.
  - TCP Initial Timeout (s): Time (in seconds) to wait for new packets before closing an incomplete TCP session.
  - TCP Idle Timeout (s): Time (in seconds) to wait for new packets before closing an active TCP session.
  - TCP Closing Timeout: Time (in seconds) to wait for new packets before closing a TCP session after a terminate request.
  - TCP Time Wait Timeouts (s): Time (in seconds) to wait for new packets before closing a terminated TCP session.
  - TCP Closed Timeout (s): Time (in seconds) to wait for new packets before closing an aborted TCP session.
Click Save.

The official version of this content is in English. Some of the Cloud Software Group documentation content is machine translated for your convenience only. Cloud Software Group has no control over machine-translated content, which may contain errors, inaccuracies or unsuitable language. No warranty of any kind, either expressed or implied, is made as to the accuracy, reliability, suitability, or correctness of any translations made from the English original into any other language, or that your Cloud Software Group product or service conforms to any machine translated content, and any warranty provided under the applicable end user license agreement or terms of service, or any other agreement with Cloud Software Group, that the product or service conforms with any documentation shall not apply to the extent that such documentation has been machine translated. Cloud Software Group will not be held responsible for any damage or issues that may arise from using machine-translated content.

Was this helpful

NetScaler Secure Deployment Guide

Firewall settings

July 29, 2021

Contributed by:

July 29, 2021

Contributed by:

Firewall settings

In this article