To summarize, rules are processed in numerical order by the packet filter. Pass rules cause
packets to be allowed into the system and block rules are ones that explicitly block traffic from
entering the system. The last rule is block in all which means that if a pass rule has not yet
matched this particular packet, it will be dropped.
Using this command while trying to establish a connection that may not be working can be a good
method of finding out what is wrong. In this example, 0 packets were blocked by the filter in rule
4 because rules 2 and 3 allowed all packets needed. If there is a misconfiguration, seeing packets
being blocked can be a hint of what is wrong.
Enabling/Disabling IP Filter Rules
When you create a subnet, IP Filter (firewall) rules are automatically generated. An example is
shown above. An option is available to disable these rules that may be used for troubleshooting or
diagnostic purposes. Disabling the firewall turns off all system packet filtering . Any subnet
permit/deny rules are ignored and all traffic will be routed between subnets.
l
If you use the GUI, you will note that if you disable these rules and you navigate to
System >
Network > VLANs > {any subnet} >Permitted Subnets
the following message will be displayed in red
text at the top of the tab:
"Firewall rules are currently disabled. Any 'Permit' and 'Deny' selections made below
will be ignored until firewall rules are enabled."
l
If you use the CLI, you will note that when you enter
eqcli >
show firewall
,the state will
be
Disabled
.
The rules are enabled by default.
To disable in the CLI, enter the following:
eqcli >
firewall disable
eqcli: 12000287: Operation successful
To verify that the firewall (IPv4 Rules) have been disabled, enter the following:
eqcli >
show firewall
Variable
Value
state
Disabled
Copyright © 2014 Coyote Point Systems, A Subsidiary of Fortinet, Inc.
All Rights Reserved.
135
Equalizer Administration Guide
Summary of Contents for Equalizer GX Series
Page 18: ......
Page 32: ...Overview 32 Copyright 2014 Coyote Point Systems A Subsidiary of Fortinet Inc ...
Page 42: ......
Page 52: ......
Page 64: ......
Page 72: ......
Page 76: ......
Page 228: ......
Page 238: ......
Page 476: ......
Page 492: ......
Page 530: ......
Page 614: ......
Page 626: ......
Page 638: ......
Page 678: ......
Page 732: ...Using SNMP Traps 732 Copyright 2014 Coyote Point Systems A Subsidiary of Fortinet Inc ...
Page 754: ......
Page 790: ......
Page 804: ......
Page 842: ......
Page 866: ......