Firewall rules

Firewall rules are used to detect network events based on packet information such as protocol, port, or IP address on a Nitro IPS.

The firewall policy scans incoming packets and makes decisions based on initial information found before the packet is passed to the deep packet inspection engine. Firewall rules will block things like spoofed and invalid IP addresses. They also track the rate and size of network traffic.

These are the types of firewall rules:

  • Anomaly — Detects anomalies. Many anomaly-based rules work together and use the values set on the Variables tab. For example, the rule Long Connection Duration and the variable Long Duration Seconds are used together to determine the number of seconds before the rule is triggered. For more specific details on each rule, see the detail section at the bottom of the page.
  • Anti-Spoof — Detects invalid IP addresses. For example, if a reserved internal IP address is seen entering the network through a device, the anti-spoof rule is triggered.
  • Blacklist — Determines the action to be taken on packets that are being sent to or from a blacklisted IP address or port.
  • DHCP — Enables or disables allowing DHCP traffic through a device.
  • IPv6 — Detects IPv6 traffic.
  • Port-Block — Blocks certain ports.

Anomaly detection

Certain firewall rules are rate-based. A rate-based rule is a rule that only triggers an alert if your network traffic exceeds the thresholds defined by firewall-category variables in the Policy Editor. The default values for these variables might not make sense for your network's traffic, so the Rate-Based Anomaly Detection Wizard provides the ability to analyze graphs of your network flow data as it relates to these parameters (see Anomaly Detection wizard).

Firewall exceptions

Firewall exceptions are sometimes necessary to allow certain types of traffic to pass through the firewall that would otherwise be blocked. For example, if a valid internal address comes from the outside network, such as a VPN, it triggers an Incoming Bogons alert. To stop the alert, you must set up an exception to the firewall rule.

You can also mark an exception as an exception to the patterns defined in other exceptions, creating an exception to the exception list (in other words, re-including an address or block of addresses). If an address must still be checked against a firewall rule but falls inside a block of addresses that has already been accepted, you can exclude it from the exception list by entering the IP address (or mask) and selecting the box.

As an example, the exception list already contains the block of addresses 10.0.0.0/24. All addresses in this range are an exception to the rule. If the source address 10.0.0.1 is active for this rule, select Treat this as an exception to the patterns defined in other exceptions and type 10.0.0.1 in the source field. The firewall rule then applies to 10.0.0.1, but not to any other address in the 10.0.0.0/24 block, because 10.0.0.1 is now the exception to the exception list.
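The following Python model of this exception logic is an added illustration, not the product's own code. It assumes that when several entries match an address, the most specific (longest-prefix) entry decides, which also generalizes the page's example to nested blocks.

```python
from ipaddress import ip_address, ip_network

# Constructed exception list for one firewall rule (for example Incoming Bogons).
# Each entry is (address or block, exception_to_exceptions). An entry flagged
# True re-includes its addresses, so the rule applies to them again.
EXCEPTIONS = [
    ("10.0.0.0/24", False),  # whole block is an exception to the rule
    ("10.0.0.1", True),      # exception to the exception: rule applies to this host
]


def rule_applies(src, exceptions=EXCEPTIONS):
    """Return True if the rule should still fire for the source address src.

    Assumption (not stated on the page): when more than one entry matches,
    the narrowest matching block (longest prefix) wins.
    """
    addr = ip_address(src)
    best = None  # (prefix length, exception_to_exceptions) of the best match
    for pattern, reinclude in exceptions:
        net = ip_network(pattern, strict=False)
        if addr not in net:
            continue
        if best is None or net.prefixlen > best[0]:
            best = (net.prefixlen, reinclude)
    if best is None:
        return True      # no exception matched: the rule applies normally
    return best[1]       # exempt unless the narrowest match re-includes the address


def check(sources, exceptions=EXCEPTIONS):
    """Evaluate several source addresses against the same exception list."""
    return {src: rule_applies(src, exceptions) for src in sources}


if __name__ == "__main__":
    for src, applies in check(["10.0.0.1", "10.0.0.2", "192.168.1.1"]).items():
        print(f"{src:>12}: rule {'applies' if applies else 'is excepted'}")
```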