6 Firewall

4. Set the IP object sfp2_ip, which will be the IP address of the interface connected to the ISP:

Device:/> set IPAddress sfp2_ip Address=10.5.4.35

On initial startup, the SEG automatically creates the SEG address book and fills it with all the interface-related IP address objects.

5. Set the IP object sfp2_net, which will be the IP network of the connecting interface:

Device:/> set IPAddress sfp2_net Address=10.5.4.0/24

6. Verify the properties of the sfp2 interface with the command:

Device:/> show Interface EthernetInterface sfp2

The typical output is similar to the following:

Property          Value
----------------  ----------------
Name:             sfp2
EthernetAddress:
EthernetDevice:   sfp2
MTU:              1500
IPAddress:        10.5.4.35
IPv4broadcast:    <empty>
RTBMembership:    main
Comments:         <empty>

Defining IP rules

Even though an all-nets-ip4 route is automatically added, no traffic can flow without the addition of an IP rule that explicitly allows the flow. For example, to allow web surfing from the protected network sfp1_net on the interface sfp2, define a rule with an Action of Allow.

1. Change the current CLI context to the default IPRuleSet called main using the command:

Device:/> cc IPRuleSet main

Additional IP rule sets can be defined, which is why the context must be selected; the rule set main exists by default. Notice that the CLI prompt changes to reflect the current context:

Device:/main>

2. Add an IP rule called lan_to_wan to allow the traffic through to the public Internet:

Device:/main> add IPRule Name=lan_to_wan Action=Allow SourceInterface=sfp1 SourceNetwork=sfp1_net DestinationInterface=sfp2 DestinationNetwork=all-nets-ip4 Service=http
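
A simplified model of how the lan_to_wan rule is matched, added here as an illustration and not taken from the SEG software or its documentation. It assumes sfp1_net is 192.168.1.0/24, that the http service means TCP destination port 80, that the first matching rule wins, and that a flow matching no rule is dropped, in line with the statement above that nothing flows without an explicit rule.

```python
import ipaddress
from dataclasses import dataclass

# sfp2_net comes from the page; sfp1_net is a constructed value because
# the page does not give it.
ADDRESS_BOOK = {
    "sfp1_net": ipaddress.ip_network("192.168.1.0/24"),   # assumed
    "sfp2_net": ipaddress.ip_network("10.5.4.0/24"),
    "all-nets-ip4": ipaddress.ip_network("0.0.0.0/0"),
}
# Assumed service definition: http = TCP destination port 80.
SERVICES = {"http": ("tcp", 80)}


@dataclass(frozen=True)
class IPRule:
    name: str
    action: str
    src_if: str
    src_net: str
    dst_if: str
    dst_net: str
    service: str

    def matches(self, src_if, src_ip, dst_if, dst_ip, proto, dport):
        # Every filter of the rule must match for the rule to apply.
        return (
            src_if == self.src_if
            and dst_if == self.dst_if
            and ipaddress.ip_address(src_ip) in ADDRESS_BOOK[self.src_net]
            and ipaddress.ip_address(dst_ip) in ADDRESS_BOOK[self.dst_net]
            and (proto, dport) == SERVICES[self.service]
        )


# The rule set "main" after step 2, holding the single rule from the page.
MAIN = [IPRule("lan_to_wan", "Allow", "sfp1", "sfp1_net",
               "sfp2", "all-nets-ip4", "http")]


def evaluate(rule_set, src_if, src_ip, dst_if, dst_ip, proto, dport):
    """Return (action, rule name); no matching rule means the flow is dropped."""
    for rule in rule_set:
        if rule.matches(src_if, src_ip, dst_if, dst_ip, proto, dport):
            return rule.action, rule.name
    return "Drop", None
```

In this model, HTTPS (TCP 443) and DNS lookups from sfp1_net are dropped along with any new connection arriving on sfp2, so confirm what the http service covers on the device before relying on this one rule for general web access.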