User Guide
Chapter 7: Firewall Policies
The Firebox® X Edge e-Series uses policies and other firewall options to control the traffic between the trusted, optional, and external networks. Usually the external network is the Internet. When your private network is connected to the Internet, you must be able to control that connection. The configuration of allowed policies and firewall options sets the level of security the Edge applies to your network.
This chapter shows you how to configure common and custom packet filter policies. The subsequent chapters show you in more detail how to use advanced policy features such as proxies, and other firewall options such as the Blocked Sites feature.
You do not have to create a policy to allow traffic through a VPN tunnel to your Firebox X Edge e-Series.
The Edge automatically allows all traffic through VPN tunnels. No other configuration is necessary after
the VPN tunnel is set up. For more information on VPNs, see Chapter 16, “Configuring Virtual Private
Networks”. For information on Mobile User VPNs, see Chapter 17, “Configuring the MUVPN Client”.
Understanding Policies
When the Edge receives a packet, it looks for a policy in its configuration that matches the port and
protocol in the packet header. There are two categories of policies: packet filters and proxies.
A packet filter examines each packet's IP header and is the most basic feature of a firewall. It controls the network traffic in and out of your Edge. The packet filter examines the source and destination IP addresses, together with the protocol and port numbers in the packet header, and either allows or denies the packet, depending on the action you have configured for the matching packet filter rule. If it does not find a rule that matches the packet, it denies it. The packet filter can also record a log message or send an error message to the source.
A proxy monitors and scans connections. It examines the commands used in the connection to make sure they are in the correct syntax and order, and it looks at the content that is sent back and forth during the connection. If the content does not match the criteria you set, it denies the packet. A proxy operates at the application layer, while a packet filter operates only at the network and transport layers, so a proxy can use deep packet inspection to enforce rules on content that a packet filter never sees.
If the Edge cannot find a policy that matches the packet, it denies it by default.
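The two policy types described above, as an added worked example. This is constructed for this page and is not the Edge's own code or configuration: the rule format, the SMTP command-order table, and the sample packets and commands are assumptions chosen to show first-match packet filtering with default deny and logging, next to proxy-style checking of application-layer command syntax and order.

```python
"""Toy model of the two policy types this chapter describes.

Constructed example: a first-match packet filter with default-deny behaviour
and logging, and a proxy-style checker that validates the syntax and order of
SMTP commands. The rule format, SMTP table and sample data are assumptions for
illustration, not the Edge's configuration or code.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str      # source IP address
    dst: str      # destination IP address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str
    dport: int
    src: str      # CIDR the source address must fall in
    dst: str      # CIDR the destination address must fall in
    action: str   # "allow" or "deny"
    log: bool = False


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches on protocol, destination port and both address ranges."""
    return (rule.proto == pkt.proto
            and rule.dport == pkt.dport
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst))


def filter_packet(rules: list, pkt: Packet, log: list) -> str:
    """First matching rule decides; with no match the packet is denied,
    mirroring the Edge's default when no policy matches."""
    desc = f"{pkt.proto}/{pkt.dport} {pkt.src} -> {pkt.dst}"
    for rule in rules:
        if rule_matches(rule, pkt):
            if rule.log:
                log.append(f"{rule.action} {desc} ({rule.name})")
            return rule.action
    log.append(f"deny {desc} (no matching policy)")
    return "deny"


# Constructed rule set: web from the trusted subnet is allowed and logged,
# telnet is explicitly denied, everything else falls through to default deny.
RULES = [
    Rule("HTTP-out", "tcp", 80, "10.0.1.0/24", "0.0.0.0/0", "allow", log=True),
    Rule("Telnet",   "tcp", 23, "0.0.0.0/0",   "0.0.0.0/0", "deny",  log=True),
]

# Proxy-style inspection (assumed table): which earlier command each SMTP
# command must follow before it is acceptable.
SMTP_REQUIRES = {
    "HELO": set(), "EHLO": set(),
    "MAIL": {"HELO", "EHLO"},
    "RCPT": {"MAIL"},
    "DATA": {"RCPT"},
    "QUIT": set(),
}


def proxy_check_smtp(commands: list) -> tuple:
    """Deny the session on the first command with an unknown verb, bad
    syntax, or one sent before the command it depends on."""
    seen = set()
    for line in commands:
        parts = line.split(maxsplit=1)
        verb = parts[0].upper() if parts else ""
        if verb not in SMTP_REQUIRES:
            return ("deny", f"unknown command: {line!r}")
        needed = SMTP_REQUIRES[verb]
        if needed and not (needed & seen):
            return ("deny", f"out of order: {line!r}")
        if verb in ("MAIL", "RCPT"):
            arg = parts[1] if len(parts) > 1 else ""
            prefix = "FROM:<" if verb == "MAIL" else "TO:<"
            if not arg.upper().startswith(prefix) or not arg.endswith(">"):
                return ("deny", f"bad syntax: {line!r}")
        seen.add(verb)
    return ("allow", "session conforms to expected command order")


if __name__ == "__main__":
    log = []
    for pkt in (Packet("10.0.1.5", "203.0.113.10", "tcp", 80),
                Packet("10.0.1.5", "203.0.113.10", "tcp", 23),
                Packet("10.0.1.5", "203.0.113.10", "tcp", 22)):
        print(filter_packet(RULES, pkt, log))
    print("\n".join(log))
    print(proxy_check_smtp(["EHLO mail.example.com",
                            "MAIL FROM:<alice@example.com>",
                            "RCPT TO:<bob@example.net>", "DATA"]))
    print(proxy_check_smtp(["RCPT TO:<bob@example.net>"]))
```

The packet to port 22 has no rule at all and is denied with a "no matching policy" log entry, which is the behaviour to expect from the Edge when you forget to add a policy; the SMTP checker shows why a proxy can reject a session that a packet filter, which sees only the port-25 header, would have allowed.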