Firewall and Network Address Translation Feature Overview

  • Date: 09 Jan 2021
  • Pages: 57
  • Size: 1.59 MB

Document C613-22012-00 REV N

Contents

  • Introduction (page 1)
      Products and software version that apply to this guide (page 3)
      Related documents (page 4)
      Advanced feature licences (page 4)
  • The firewall (page 5)
  • Firewall GUI (page 7)
      Accessing the firewall GUI (page 7)
      HTTP and HTTPS GUI listen ports (page 8)
  • Applications (page 9)
      Application Layer Gateways (ALG) (page 9)
  • Entities (page 10)
  • Default flow with firewall enabled (page 11)
  • Firewall filtering and logging (page 12)
      Default filtering behaviour (page 13)
      Connection tracking of permitted packets (page 13)
      Configuring TCP established session timeout (page 14)
      Configuring UDP/TCP connection limiting per entity (page 14)
      Flood protection filtering (page 15)
      Default deny (page 16)
      Logging for user-configured rules (page 16)
      Firewall log messages (page 16)
      Firewall connection logging (page 17)
  • Network Address Translation (NAT) (page 19)
      Configuring firewall and NAT rules for entities (page 21)
      NAT rules with DPI (page 24)
      Firewall with dynamic IP addressing (page 26)
      Configuring a firewall rule for external services (page 27)
      Configuring firewall rules with Update Manager (page 28)
      Configuring firewall rules with subscription licensing (page 30)
      Firewall with High Availability (page 31)
      Configuring NAT loopback with DMZ (page 31)
      Static ENAT rule (page 34)
      Dynamic ENAT rule (page 34)
      Configuring static NAT with proxy ARP (page 35)
      Source-based NAT with secondary IP addresses (page 36)
      Configuring access to multiple internal servers via PPPoE WAN (page 38)
      Server access with external DNS (page 39)
      Server access with internal DNS (page 44)
      Diagnostics (page 46)
      Configuring Network Address and Port Translation (NAPT) (page 47)
      Configuring subnet-based NAT (page 49)
      Allowing partial sessions through a firewall (page 53)

Products and software version that apply to this guide

This guide applies to the following AR Series firewalls running AlliedWare Plus version 5.4.5 or later:

  • AR4050S UTM Firewall
  • AR3050S UTM Firewall
  • AR2050V Secure VPN Router
  • AR2010V Secure VPN Router

Most features described in this document are supported from AlliedWare Plus 5.4.5 or later. The following features depend on later releases:

  • 5.4.8-0.x or later: new firewall rules are needed when DPI is enabled and the firewall itself is accessing external services, including Update Manager.
  • 5.4.7-2.4 or later: configurable HTTP and HTTPS ports.
  • 5.4.7-1.x or later: firewall connection logging; configurable TCP established session timeout.
  • 5.4.7-0.1 or later: subnet-based NAT; source and destination NAT; allowing partial sessions through a firewall (no state enforcement).
  • 5.4.6-2.1 or later: firewall with High Availability (VRRP).

Related documents

The following documents provide information about related features on AlliedWare Plus products:

  • Getting Started with the UTM Firewall GUI Feature Overview Guide
  • Getting Started with the VPN Firewall GUI Feature Overview Guide
  • Application Awareness Feature Overview and Configuration Guide
  • Advanced Network Protection Feature Overview Guide
  • The product's Datasheet
  • The product's Command Reference

These documents are available on the Allied Telesis website at alliedtelesis.com.

Advanced feature licences

Flexible subscription licensing options make it easy to choose the right combination of security
features to best meet your business needs. The Advanced Firewall license includes Application Control, Web Control and URL Filtering. The Advanced Threat Protection (ATP) license includes IP Reputation, stream-based Malware Protection and, on the AR4050S only, proxy-based Antivirus.

The firewall

A firewall, at its most basic level, controls traffic flow between a trusted network, such as a corporate LAN, and an untrusted or public network, such as the Internet. The most commonly deployed firewalls today are port-based or packet-filtering: these traditional firewalls decide which traffic is allowed based on characteristics of the packets, including source and destination IP addresses and TCP/UDP port numbers. However, traditional network security solutions have failed to keep pace with changes to applications, threats and the network landscape.

AR Series firewalls are designed for the challenges facing modern networks. In contrast to traditional firewalls, which lack the intelligence to discern network traffic in a world where network boundaries are disintegrating and Internet applications are proliferating, AR Series firewalls no longer reason only about packets, IP addresses and ports. Instead they focus on applications, users and content, classifying traffic by the application's identity in order to enable visibility and control of all types of application.

The AR Series firewalls view the physical network in terms of zones, networks and hosts. Firewall rules can be applied to any level of this hierarchy, as shown in Figure 1. See the Entities section for entity definitions and usage.

When the firewall is enabled, its default policy is to drop all applications from anywhere to anywhere. If no rule is explicitly configured, all traffic moving through the firewall is blocked.

As data enters the firewall, it is first identified by the DPI application-decoding engine. The firewall filters traffic by identifying applications: this application-centric classification identifies specific applications flowing across the network regardless of the port and protocol in use. The firewall identifies applications through a database of regularly updated application signatures. By default this engine contains a library of a few dozen common Internet-based applications that it is capable of identifying. Deep Packet Inspection (DPI) is used by the firewall to match packets against these signatures and provide Layer 7 filtering for firewall rules. See the Applications section for application definition and usage.

Figure 1: Firewall zones, networks, hosts (figure not reproduced in this transcription)

The firewall provides the following features:

  • Stateful inspection maintains the status of active connections through the firewall, so that inbound replies to outbound connections are allowed dynamically.
  • Robust application identification and inspection enables granular control of the flow of sessions through the firewall based on the specific applications in use.
  • Rules allow specified traffic to be matched and the appropriate action applied.
  • Network Address and Port Translation (NAPT) permits multiple hosts on a LAN to be mapped to a single public IP address and hides details of the internal network.
  • OpenVPN integration provides secure remote access to Intranet resources.
  • An Application Layer Gateway (ALG) inspects the application-layer payload of a packet, understands the application's control messages and performs Network Address Translation processing if necessary.
  • Logs allow retrieval of all event details for later analysis.
  • Reports of network usage and statistics give network managers the information they need to manage their networks effectively.

Firewall GUI

You can use the Firewall GUI to monitor and configure your firewall.

The Firewall GUI provides setup of the firewall, enabling the configuration of entities (zones, networks and hosts) and then the creation of firewall, NAT and traffic-control rules for managing traffic between these entities. Features such as the Intrusion Prevention System (IPS) and URL Filtering help protect the network and manage website access.

The GUI also supports a DHCP server, interface management, VLAN management, system tools, a CLI window and a dashboard for network monitoring. The dashboard shows interface and firewall traffic and system and environmental information, and the security monitoring widget lets you view and manage rules and security features.

Accessing the firewall GUI

If your AR Series firewall came with the GUI pre-installed, perform the following steps to browse to it:

1. Connect to any of the LAN switch ports.

2. Open a web browser and browse to https://192.168.1.1. This is the pre-configured IP address of VLAN1. The default username is manager and the default password is friend. Change this well-known default password before the device is reachable from any untrusted network.

If your AR Series firewall did not come with the GUI pre-installed, perform the following steps through the command line interface:

3. Create one or more IP interfaces and assign them IP addresses, including configuring WAN connectivity. For information about configuring PPP, see the PPP Feature Overview and Configuration Guide. For information about configuring IP, see the IP Feature Overview and Configuration Guide.

4. If you plan to enable the firewall functionality, first create firewall rules to allow both DNS and HTTPS traffic from the Update Manager to pass through the firewall. This is needed because AR Series firewalls block all traffic by default. The following is the recommended configuration when WAN connectivity is through ppp0. The host entry ppp0 gives the dynamic WAN address its entity name public.wan.ppp0, and the two rules are entered in firewall configuration mode:

    zone public
     network wan
      ip subnet 0.0.0.0/0 interface ppp0
      host ppp0
       ip address dynamic interface ppp0
    firewall
     rule 10 permit dns from public.wan.ppp0 to public.wan
     rule 20 permit https from public.wan.ppp0 to public.wan
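The step-4 configuration is only what the device itself needs to reach Update Manager. As an added example (not configuration taken from this guide), here is that configuration extended into a minimal complete bootstrap: a private zone for the LAN on vlan1, the public zone from step 4, rules that let LAN hosts reach the Internet and the device, NAPT so the LAN shares the ppp0 address, and the protect command, which turns the firewall on. The LAN subnet 192.168.1.0/24 follows from the guide's default VLAN1 address; the zone name private, the rule numbers, the nat/masq/enable commands and the ordering (rules and NAT first, protect last, so nothing is cut off while you type) are my assumptions from AlliedWare Plus syntax, not commands shown on this page. Lines starting with ! are comments.

```text
! Entities: the LAN behind vlan1 and the Internet behind ppp0 (assumed layout)
zone private
 network lan
  ip subnet 192.168.1.0/24 interface vlan1
zone public
 network wan
  ip subnet 0.0.0.0/0 interface ppp0
  host ppp0
   ip address dynamic interface ppp0
!
! Rules are matched in number order; anything unmatched falls through to the default deny
firewall
 rule 10 permit dns from public.wan.ppp0 to public.wan
 rule 20 permit https from public.wan.ppp0 to public.wan
 rule 30 permit any from private to public
 rule 40 permit any from private to private
 protect
!
! NAPT: rewrite LAN source addresses to the ppp0 address on the way out
nat
 rule 10 masq any from private to public
 enable
```

Rules 10 and 20 are the guide's own (traffic originated by the device's WAN address); rule 30 lets LAN hosts initiate sessions outward, with replies admitted by stateful inspection rather than by any inbound rule; rule 40 covers LAN-to-LAN traffic including the device's own vlan1 address, which is what keeps the GUI reachable from the LAN after protect. There is deliberately no rule from public, so unsolicited Internet traffic hits the default deny.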
5. Use the following command to download and install the GUI:

    awplus# update webgui now

6. Enable the HTTP service:

    awplus# configure terminal
    awplus(config)# service http

7. Log into the GUI. Start a browser and browse to the firewall's IP address using HTTPS. You can access the GUI via any reachable IP address on any interface, so make sure your firewall rules permit HTTPS to the device only from the zones that should be managing it. The GUI starts up and displays a login screen; log in with your username and password.

HTTP and HTTPS GUI listen ports

By default the Firewall GUI uses HTTP server listen port 80, and the default HTTPS server listen port is 443.
You can change the HTTPS port. From AlliedWare Plus version 5.4.7-2.4 you can also change the HTTP port and disable listening on either the HTTP or HTTPS port.

This lets you remap the GUI to other ports so that traffic arriving on the standard HTTP (80) and HTTPS (443) ports can be forwarded through the device to another server, if required, instead of being terminated on the device. You may also wish to change the HTTP port if port 80 needs to be used by another service at the same IP address in your network.

To change or disable the HTTP listen port, use the command:

    awplus(config)# http port {<1-65535>|none}

To restore the HTTP port to its default (80), use the command:

    awplus(config)# no http port

To change or disable the HTTPS listen port, use the command:

    awplus(config)# http secure-port {<1-65535>|none}

Setting the port to none disables HTTP or HTTPS management respectively.

Note that changing or disabling the HTTPS trusted port is not supported when using Vista Manager. If you are using Vista Manager EX and need to change the HTTPS trusted port, you must use certificate-based authorization in Vista Manager EX. See the Vista Manager EX Installation and User Guide for instructions.

To restore the HTTPS port to its default (443), use the command:

    awplus(config)# no http secure-port

To check the current HTTP and HTTPS port settings, use the command:
    awplus# show http

Applications

An application is a high-level abstraction for the classification of packets being transported by network traffic. Traffic matching for applications can be achieved using several techniques, for example matching packets to port numbers or searching for application signatures in flows of packets. The device recognizes the following kinds of applications:

  • Applications you configure yourself. You can configure source port, destination port, protocol, ICMP code and ICMP type for the application. An application is invalid if its protocol, source or destination are not properly configured, for example if an application has no protocol configured, or if source and destination ports are applied to protocols other than TCP, UDP or SCTP.
  • Predefined applications. By default there are a number of predefined applications with protocols, sources and destinations.
  • A built-in library of many more applications that can be identified in traffic if Deep Packet Inspection (DPI) is enabled.
  • The extensive, up-to-date library of applications maintained by Procera, available by subscription. With DPI enabled, the device recognises these applications.

You can use the show application and show application detail commands to display the details of these applications.

If applications have the same name, the precedence in all application-aware features is:

1. user-configured applications
2. applications identified by DPI
3. built-in predefined list

For information about applications and application awareness, see the Application Awareness Feature Overview and Configuration Guide.

Application Layer Gateways (ALG)

To determine the protocol associated with a given packet, the firewall typically looks at the IP protocol number and/or the source and destination TCP/UDP port numbers. This works well for most protocols. However, there are some protocols which use different port or IP protocol numbers at different points during communication. An example of this is FTP, which uses the well-known port 21.
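The listen-port commands and the user-configured application precedence above fit together when you move the GUI off its default ports. As an added example (not from the guide), the following configuration moves the GUI to HTTPS port 8443, disables plain HTTP, defines an application that matches that port, names the device's own LAN address as a host entity, and permits the GUI only from LAN hosts to that address. The application name mgmt-https, the port 8443, the zone/network/host names private, lan and gw, the address 192.168.1.1 (the guide's default VLAN1 address) and the rule number are assumptions; the application, host and rule syntax is AlliedWare Plus as I know it, not commands shown on this page. Lines starting with ! are comments.

```text
! Move the GUI: HTTPS on 8443, plain HTTP off (requires 5.4.7-2.4 or later)
http secure-port 8443
http port none
!
! A user-configured application for the new management port.
! User-configured applications win over DPI and built-in applications of
! the same name, so use a distinct name rather than redefining "https".
application mgmt-https
 protocol tcp
 dport 8443
!
! Name the device's own LAN address so a rule can target it explicitly
zone private
 network lan
  ip subnet 192.168.1.0/24 interface vlan1
  host gw
   ip address 192.168.1.1
!
! Only LAN hosts may reach the GUI; port 8443 from the public zone has no
! matching rule and is dropped by the default deny
firewall
 rule 50 permit mgmt-https from private.lan to private.lan.gw
```

Verify with show http (both ports as set, HTTP reported disabled) and show application detail, which is also where an invalid application shows up, for example one defined with dport but no protocol, which would leave rule 50 matching nothing. Because the device default-denies, getting the application definition wrong locks you out of the GUI rather than exposing it, so test from the LAN before closing the CLI session.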
