Firewall FAQ

Table of Contents
Click an item to jump directly to that question.

Should I use pre-NAT or post-NAT addresses/ports in Firewall rules?
How do I lock down my network but for a few exceptions via Firewall application?
Why aren't my Firewall rules being triggered?
Why is the default action in Firewall to pass all?

1. Should I use pre-NAT or post-NAT addresses/ports in Firewall rules?

Firewall rules always match on the address which has more information. In other words, if the entire internal network is being NAT'd from 192.168.*.* to 1.2.3.4, Firewall will match on the 192.168.*.* for traffic to and from this network. At the session layer this works out to be pre-NAT on source address, post-NAT on destination address, pre-NAT on source port, and post-NAT on destination port. An easy way to remember this is that it always matches where it gets the most information.

2. How do I lock down my network but for a few exceptions via the Firewall application?

Simply add a rule with no conditions, set it to Block, and put it at the bottom of the list. This will match all traffic, so anything not explicitly passed in a rule above it will be blocked.

3. Why aren't my Firewall rules being triggered?

Firewall rules work from top to bottom; the first rule that the traffic matches will fire. If you have a broad rule near the top of your list that is matching, no other rules will be evaluated.

Have more questions? Submit a request

Comments

0 comments

Please sign in to leave a comment.