Adding an Input Rule

Use the Administration > Firewall Settings tab to add input rules and define your firewall settings.

You can also use the CLI command system firewall to add or delete a firewall rule, or to turn the firewall on or off. For more information about the CLI command, see system Command.
Warning: Turning off Firewall Settings means any IP address can access the services on the appliance.

New input rules are added to the bottom of the rule list. Input rules are processed from the top of the list down, and the first rule that matches a packet decides whether it is accepted or denied. Therefore, if you add a rule that would be superseded by a rule higher in the list, you must first delete the higher rule for your new rule to take effect.

For example, a default input rule accepts all IP addresses on UDP port 514. If you add a rule denying access from a particular IP address (for example, 180.22.21.5) on UDP port 514, that rule is superseded by the higher default rule that accepts all input on UDP port 514, so it never matches. To make your added rule effective, you must:

  1. Add a new rule denying 180.22.21.5 using UDP on port 514.
  2. Delete the default rule that accepts all IP addresses using UDP on port 514.
  3. To still accept all other IP addresses using UDP and port 514, add another new rule accepting all IP addresses using UDP on port 514.

    Because this new “accept all” rule appears after the “deny 180.22.21.5” rule, a packet from 180.22.21.5 matches the deny rule first and is dropped, while packets from every other address fall through to the accept rule. The appliance accepts input on UDP port 514 from all IP addresses except 180.22.21.5.

Procedure

  1. Select Administration > Firewall Settings.
  2. Select Enable IP Firewall to activate the Input Rule box.
  3. In the Input Rule section, define the rules:
    1. Define the IP address the rule applies to.
    2. To apply the rule to all IP addresses with the Protocol and Port you define, select All.
    3. Otherwise, specify an IP address, a subnet, or both for the rule.
      The IP address indicates which hosts the rule applies to. The format for this field is IP-address/prefix-length (CIDR notation); a single host can be given as a bare address, as in the 180.22.21.5 example above. For example:
      • For a 24-bit subnet mask: 192.168.2.0/24
      • For a 16-bit subnet mask: 192.168.0.0/16
      • For an 8-bit subnet mask: 192.0.0.0/8
      • For a 72-bit IPv6 prefix: fd0f:c4a1:e456:0000:5200::/72
  4. Select the Protocol (TCP or UDP) to associate with the port you specify.
  5. Select a Port from the list of ports active on the appliance.
    For a list of ports, refer to Port Assignments. To add a custom port by using the CLI, run the system firewall command.
    Protocol                Port number
    HTTP                    80
    HTTP Collector          4433
    HTTPS Remote Control    4443
    HTTPS                   443
    Loglogic Tunnel         11965 (this port is deprecated and may not be available)
    MCAGENT                 2508
    MCAGENT                 2098
    MCAGENT                 2099
    NTP                     123
    SSH                     22
    SNMP                    161
    SNMP-Trap               162
    SYSLOG                  514
    Loglogic Receiver       5514
    NetFlow                 2055
    NetFlow                 9555
    NetFlow                 9995
    ULDP                    5515
    ULDP                    5516
  6. Select an Action to indicate whether the appliance accepts or denies a packet that matches the rule. The default is Deny.
  7. Click Add to add the rule to the Input Rule Table.
  8. Click Apply to activate the rules.
    The Input Rule Table, beneath the Input Rule section, lists the currently active rules.
    Input Rule Table
    Column       Description
    IP Address   IP address or subnet you typed for the Input Rule.
    Port         Port you selected for the Input Rule.
    Protocol     Protocol you selected for the Input Rule.
    Action       Action to take if the packet meets your rule requirements.
    Delete       Deletes the access rule from the list.
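The following is an added example, not the appliance's own firewall code, that models the behaviour described above: rules are walked from the top of the list down, the first match decides, and a deny rule placed beneath a default accept-all rule for the same protocol and port is never reached. It reproduces the UDP/514 scenario in both the ineffective and the corrected order, matches the address/prefix forms from step 3 (IPv4 /24, /16, /8 and an IPv6 /72) with the standard library's ipaddress module, and adds a check that flags rules shadowed by an earlier rule. Two assumptions are not stated on the page: a packet matching no rule at all is denied, and the address field is CIDR notation as in the examples.

```python
"""Added example (not the appliance's own code): first-match evaluation over
an ordered input-rule list, plus a shadowed-rule check.

Assumptions not stated on the page: a packet matching no rule is denied, and
the address field is CIDR notation (a bare address means a single host).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    source: str      # "all", a host address, or address/prefix-length
    protocol: str    # "tcp" or "udp"
    port: int
    action: str      # "accept" or "deny"

    def matches(self, src_ip: str, protocol: str, port: int) -> bool:
        """True if this rule applies to a packet from src_ip on protocol/port."""
        if self.protocol != protocol or self.port != port:
            return False
        if self.source == "all":
            return True
        net = ip_network(self.source, strict=False)   # bare host -> /32 or /128
        addr = ip_address(src_ip)
        # An IPv4 rule never matches an IPv6 source and vice versa.
        return addr.version == net.version and addr in net


def evaluate(rules, src_ip, protocol, port, default="deny"):
    """Walk the list top to bottom; the first matching rule decides."""
    for rule in rules:
        if rule.matches(src_ip, protocol, port):
            return rule.action
    return default     # assumption: packets matching no rule are denied


def shadowed_rules(rules):
    """Indices of rules that can never be reached because an earlier rule for
    the same protocol/port already covers every source the later rule matches."""
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.protocol, earlier.port) != (later.protocol, later.port):
                continue
            if earlier.source == "all":
                shadowed.append(i)
                break
            if later.source == "all":
                continue
            e_net = ip_network(earlier.source, strict=False)
            l_net = ip_network(later.source, strict=False)
            if e_net.version == l_net.version and e_net.supernet_of(l_net):
                shadowed.append(i)
                break
    return shadowed


# Constructed rule lists reproducing the page's UDP/514 example.
# Ineffective order: the added deny sits below the default accept-all rule.
INEFFECTIVE = [
    Rule("all", "udp", 514, "accept"),         # default rule
    Rule("180.22.21.5", "udp", 514, "deny"),   # added rule, never reached
]
# Effective order: default deleted, deny added, accept-all re-added beneath it.
EFFECTIVE = [
    Rule("180.22.21.5", "udp", 514, "deny"),
    Rule("all", "udp", 514, "accept"),
]

if __name__ == "__main__":
    for name, rules in (("ineffective", INEFFECTIVE), ("effective", EFFECTIVE)):
        print(name,
              "| 180.22.21.5 ->", evaluate(rules, "180.22.21.5", "udp", 514),
              "| 10.0.0.7 ->", evaluate(rules, "10.0.0.7", "udp", 514),
              "| shadowed rule indices:", shadowed_rules(rules))
```

Running the script shows 180.22.21.5 accepted under the ineffective order and denied under the effective one, with every other address still accepted on UDP 514. The shadowed_rules check is the part worth keeping at hand: run it over a rule list before clicking Apply and any rule it reports is one the appliance will never evaluate.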