Firewall rules need improvement

  • Idea
  • Updated 3 years ago
The firewall rules are adequate, but they really could be a lot better.

1. You need permission groups. If you have several SSIDs that have the same firewall rules, you need to recreate the rules.
2. The groups should include named rules. Each rule should include all of the options of a Custom Application (host name, IP address, port number) and IP Firewall Policies objects (IP Address, IP Range, Host Name, Network, Wild Card).
3. Objects, rules, etc. need the ability to be renamed. Since it's not in a group, if something changes and you need to update a host, you end up using generic names (DNS1, DNS2), having the name and the actual object mismatched (www.example.com object with www.example.net destination), or having to manually touch every IP firewall rule.

I've worked around this a bit by defining rules as Custom Applications, even if they aren't really an application. For example, I created "Web Servers" and added all of the web servers an SSID can access. However, that doesn't always work. I wanted to create a rule that was to 10.X.1.8 with a wildcard of 0.255.0.0 to port 9999. There's no way to define this in a single rule, so I had to create a Port application rule and a wildcard firewall rule, but now any changes have to be done for every IP rule.

It would also be nice if these same rules could be applied to the switch. You can't use Application rules in a switch, so there aren't enough rules available to implement our filter requirements.

Thanks,
-Dan

Dan Mellem


Posted 3 years ago


Mike Kouri, Official Rep

Thanks for the feedback, Dan! We will take your comments into consideration as we work on this area of the code.

Dan Mellem

Thanks.

If you decide to completely rework it, TCPDUMP-style filters would be nice, too.
net 10.0.1.8 mask 255.0.255.255 && tcp[2:2]>=5000
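An added example, not part of this thread or of the vendor's product: a small Python evaluator for the kind of single rule Dan describes (destination host with a wildcard mask plus a port condition), fed with the "10.X.1.8, wildcard 0.255.0.0, port 9999" rule and the tcpdump-style filter from the post. It assumes the host match is destination-side and that tcp[2:2] is the TCP destination port; the rule dictionary layout and the sample packets are constructed here.

```python
import ipaddress

# Wildcard-mask convention used below: a 1 bit in the wildcard means
# "don't care" for that bit of the address. The tcpdump-style netmask
# (255.0.255.255 in the post) is simply the bitwise inverse of the
# wildcard (0.255.0.0).

def ip_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def wildcard_to_mask(wildcard: str) -> str:
    """Convert a wildcard (0.255.0.0) to the equivalent netmask (255.0.255.255)."""
    return str(ipaddress.IPv4Address(ip_to_int(wildcard) ^ 0xFFFFFFFF))

def host_matches(dst: str, template: str, wildcard: str) -> bool:
    """True when dst equals template in every bit the wildcard does not ignore."""
    care = ip_to_int(wildcard) ^ 0xFFFFFFFF
    return (ip_to_int(dst) & care) == (ip_to_int(template) & care)

def rule_matches(rule: dict, pkt: dict) -> bool:
    """Single rule combining protocol, wildcard destination host and port range."""
    if pkt.get("proto") != rule["proto"]:
        return False
    if not host_matches(pkt["dst"], rule["host"], rule["wildcard"]):
        return False
    lo, hi = rule["dport_range"]
    return lo <= pkt["dport"] <= hi

def to_tcpdump_filter(rule: dict) -> str:
    """Render the rule in the tcpdump-style syntax mentioned in the post."""
    lo, hi = rule["dport_range"]
    port = f"tcp[2:2]={lo}" if lo == hi else f"tcp[2:2]>={lo}"
    return f"dst net {rule['host']} mask {wildcard_to_mask(rule['wildcard'])} && {port}"

# Constructed rules: the port-9999 rule and the ">= 5000" tcpdump filter.
RULE_PORT_9999 = {"proto": "tcp", "host": "10.0.1.8", "wildcard": "0.255.0.0",
                  "dport_range": (9999, 9999)}
RULE_TCPDUMP = {"proto": "tcp", "host": "10.0.1.8", "wildcard": "0.255.0.0",
                "dport_range": (5000, 65535)}

# Constructed sample packets: second octet varies, one wrong third octet,
# one low port, one UDP.
PACKETS = [
    {"proto": "tcp", "dst": "10.42.1.8", "dport": 9999},
    {"proto": "tcp", "dst": "10.42.2.8", "dport": 9999},
    {"proto": "tcp", "dst": "10.7.1.8", "dport": 4999},
    {"proto": "udp", "dst": "10.7.1.8", "dport": 9999},
]

def evaluate(rule: dict, packets: list) -> list:
    """Return one match verdict per packet."""
    return [rule_matches(rule, p) for p in packets]
```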