Citrix SD-WAN Orchestrator

Firewall settings

You can configure firewall settings at the site level. A site-specific override applies to all the SD-WAN appliances at that site and takes precedence over the global firewall defaults for that site only.

The following are the instructions to configure the Site-specific override firewall settings:

  1. At the site level, navigate to Configuration > Advanced settings > Firewall settings.

  2. Select the Site Specific Override option from the Override Firewall Settings drop-down menu. This action applies the defined firewall rules on a specific site.

    Note

    If you want to switch from the site-specific settings back to the global defaults, select the Global Defaults option from the drop-down list. This action discards the site-specific configuration and the site reverts to the global defaults.

    Site specific override

    • Action When No Firewall Rules Match: Select an action (Allow or Drop) from the drop-down list for the packets that do not match a Firewall policy.

    • Default Connection State Tracking: Enables directional connection state tracking for TCP, UDP, and ICMP flows that do not match a filter policy or NAT rule.

    • Source Route Validation: When you select this check box, the appliance performs a reverse-path check: a packet is dropped if it arrives on an interface other than the one the appliance would use to route traffic back to the packet's source IP address. This blocks packets with spoofed source addresses that arrive on the wrong interface.

    • FTP ALG: When you select this check box, the FTP ALG (Application layer gateway) monitors connections on TCP port 21 and updates FTP messages with the appropriate NAT IP addresses.

    • Max Connections per Source: Maximum number of connections (established and non-established) that each source IP address is permitted. By default, each source IP address is permitted an unlimited number of connections.

    • Max New Connections per Source: Maximum number of non-established (not yet completed) connections that each source IP address is permitted. By default, each source IP address is permitted an unlimited number of non-established connections. A limit here bounds the half-open connections a single source can hold against the appliance.

    • Use Global Connection Timeouts: When you select this check box, the site uses the global connection timeout settings. To configure site-specific timeout values, clear this check box and set the following:

      • Denied Timeout (s): Time (in seconds) to wait for new packets before closing denied connections.
      • TCP Initial Timeout (s): Time (in seconds) to wait for new packets before closing an incomplete TCP session.
      • TCP Idle Timeout (s): Time (in seconds) to wait for new packets before closing an active TCP session.
      • TCP Closing Timeout (s): Time (in seconds) to wait for new packets before closing a TCP session after a terminate request.
      • TCP Time Wait Timeout (s): Time (in seconds) to wait for new packets before closing a terminated TCP session.
      • TCP Closed Timeout (s): Time (in seconds) to wait for new packets before closing an aborted TCP session.
  3. Click Save.
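The following is an added example, not Citrix code and not the SD-WAN appliance's implementation. It is a small Python model of how the site-level settings above interact when a new connection attempt arrives: the reverse-path check behind Source Route Validation, the default action when no firewall rule matches, and the two per-source limits (Max New Connections per Source counting non-established connections, Max Connections per Source counting all of them). The routing table, the rule format, the interface names and the client address are constructed for the example.

```python
"""Model of the site-level firewall settings (added example, not Citrix code)."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# Constructed routing table for the model: destination prefix -> egress interface.
ROUTES = {
    "10.10.0.0/16": "LAN1",
    "0.0.0.0/0": "WAN1",
}


def route_lookup(ip: str, routes=ROUTES) -> Optional[str]:
    """Longest-prefix match: the interface the appliance would use to reach `ip`."""
    addr = ipaddress.ip_address(ip)
    best_net, best_iface = None, None
    for prefix, iface in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


@dataclass
class Settings:
    action_when_no_match: str = "Drop"                  # Allow or Drop
    source_route_validation: bool = True
    max_connections_per_source: Optional[int] = None     # None = unlimited (the default)
    max_new_connections_per_source: Optional[int] = None  # None = unlimited (the default)


@dataclass
class Rule:
    src_prefix: str
    dport: int
    action: str

    def matches(self, src: str, dport: int) -> bool:
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.src_prefix)
                and dport == self.dport)


@dataclass
class Firewall:
    settings: Settings
    rules: list
    routes: dict = field(default_factory=lambda: dict(ROUTES))
    half_open: dict = field(default_factory=lambda: defaultdict(int))    # non-established, per source
    established: dict = field(default_factory=lambda: defaultdict(int))  # established, per source

    def new_connection(self, src: str, ingress: str, dport: int) -> str:
        """Decide on a new-connection attempt (e.g. a TCP SYN) from `src` arriving on `ingress`."""
        s = self.settings
        # Source Route Validation: reverse-path check against the routing table.
        if s.source_route_validation and route_lookup(src, self.routes) != ingress:
            return "Drop: source route validation"
        # First matching rule wins; otherwise the configured default action applies.
        for rule in self.rules:
            if rule.matches(src, dport):
                action = rule.action
                break
        else:
            action = s.action_when_no_match
        if action != "Allow":
            return "Drop: policy"
        # Max New Connections per Source bounds non-established connections only.
        if (s.max_new_connections_per_source is not None
                and self.half_open[src] >= s.max_new_connections_per_source):
            return "Drop: max new connections per source"
        # Max Connections per Source bounds established plus non-established connections.
        if (s.max_connections_per_source is not None
                and self.half_open[src] + self.established[src] >= s.max_connections_per_source):
            return "Drop: max connections per source"
        self.half_open[src] += 1
        return "Allow"

    def handshake_complete(self, src: str) -> None:
        """A connection finishes its handshake: it moves from non-established to established."""
        self.half_open[src] -= 1
        self.established[src] += 1


def demo() -> list:
    """Walk one client through the checks; returns the list of decisions."""
    fw = Firewall(Settings("Drop", True, max_connections_per_source=3,
                           max_new_connections_per_source=2),
                  [Rule("10.10.0.0/16", 443, "Allow")])
    client = "10.10.1.5"  # constructed LAN client address
    out = [fw.new_connection(client, "LAN1", 443),   # Allow
           fw.new_connection(client, "WAN1", 443),   # spoofed source arriving on WAN -> reverse-path drop
           fw.new_connection(client, "LAN1", 22),    # no rule for port 22 -> default action (Drop)
           fw.new_connection(client, "LAN1", 443),   # Allow (2 half-open)
           fw.new_connection(client, "LAN1", 443)]   # third half-open exceeds limit of 2
    fw.handshake_complete(client)
    fw.handshake_complete(client)
    out.append(fw.new_connection(client, "LAN1", 443))  # Allow (2 established + 1 half-open = 3)
    fw.handshake_complete(client)
    out.append(fw.new_connection(client, "LAN1", 443))  # total already 3 -> per-source limit
    return out


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The order of checks matters: the reverse-path check and the rule lookup run before any per-source counter is touched, so spoofed or policy-denied packets never consume a source's connection budget, and the "new connections" counter is released only when the handshake completes, which is what makes the Max New Connections per Source limit useful against half-open floods.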
