Description:
This document describes the steps to configure the packet filter in a LANCOM R&S® Unified Firewall.
This basic functionality is required to make use of the UTM functions (e.g. application filter, the URL/content filter, antivirus, etc.) of the Unified Firewall.
Requirements:
- LANCOM R&S® Unified Firewall with LCOS FX as of version 10
- A configured and functional Internet connection on the Unified Firewall
- Web browser to configure the Unified Firewall
The following browsers are supported:
- Google Chrome
- Chromium
- Mozilla Firefox
1) Procedure:
In this example configuration, the services (e.g. HTTP, HTTPS, FTP, etc.) used from the local network to the Internet should be regulated by the Unified Firewall.
For this purpose, the configuration of the Unified Firewall already features a desktop object of the type Network, which specifies the physical firewall interface that is connected to the local network. Also, the IP address range of the local network is entered in CIDR notation.
1.1) In the LAN network object, click the “Connection” icon and then click the Internet object that was created for the existing WAN connection.
1.2) Assign the desired services and protocols to the LAN network object by means of the “+” icon.
If you are adding services only, you have already achieved the basic functionality of the packet filter. In section 2 of this document we discuss further options for configuring the individual services.
1.3) Click on Save to accept these basic packet-filter functions.
1.4) Implement the configuration changes in the Unified Firewall by clicking Activate.
2) Advanced settings for the services:
2.1) You can configure the advanced settings of the rules for the services in a (network) object by clicking the “Connection” icon and then clicking the Internet object that was created for the existing WAN connection.
2.2) On the “Rules” tab you can make direct changes to the rules in the columns Action, Schedule, and Options by clicking on the link for the corresponding function.
- In the Action column, each click immediately activates a different action (off, bi-directional, left to right, or right to left).
  The relevant communication direction is visible in the header area of this dialog (e.g. LAN – WAN). In this example (see figure), communication takes place from the LAN (left) to the WAN (right). As the option NAT has been assigned, the WAN IP address becomes the source.
- Clicking on a link in the Schedule column opens the dialog for configuring this function.
  - Use the sliders to set specific times and days of the week.
  - Clicking “Always on” activates the rule permanently.
  - Clicking “Always off” disables the rule permanently.
- If you click on a link in the Options column, a dialog opens with the advanced settings. The Advanced tab contains the following options:
  - Proxy:
    For predefined firewall rules with predefined services: available only if the predefined service allows a proxy (HTTP, HTTPS, FTP, SMTP, SMTPS, POP3 or POP3S). Set a checkmark in this box to enable the proxy for this rule.
    For firewall rules with customized services only: select a proxy for this rule from the drop-down list. To remove the proxy, click on the right-hand side of the selected proxy.
  - NAT / Masquerading:
    Specify the desired direction for NAT/masquerading (bi-directional, left-to-right, or right-to-left), or disable the function for that rule (Off) by selecting the appropriate radio button. The default setting depends on the source and destination objects selected for the connection.
  - New source IP:
    Optional: If you have multiple outgoing IP addresses, specify the IP address to use for the source NAT. If no IP address is specified, the system automatically selects the main IP address of the outgoing interface.
  - DMZ / Port Forwarding:
    If a single host object is the destination of the firewall rule, you can set a checkmark in this box to enable DMZ and port forwarding for this rule.
  - External IP address:
    Optional: Enter the destination IP address of the data being processed. The DMZ rule is applied to this traffic only. This IP address has to be one of the IP addresses of the firewall.
  - External port:
    Displays the original destination port of the traffic being processed, depending on the port specified on the “Ports/Protocols” tab.
  - Destination IP address:
    Displays the new destination IP address for the traffic (after processing).
  - Destination port:
    Optional: Specify the destination port of the traffic (after processing).