Managing the firewall
Kaspersky SD-WAN supports a firewall for filtering traffic packets on a CPE device. The firewall can accept, drop, or reject traffic packets. If a traffic packet is rejected, its sender receives an icmp-reject message. The firewall can apply each action to inbound and outbound traffic packets, as well as to traffic packets relayed between network interfaces and subnets of CPE devices. When specifying the basic firewall settings, you must set the default actions that the firewall performs with traffic packets.
To avoid configuring each CPE device individually, you can specify the firewall settings in the firewall template and then apply the template to CPE devices when adding or manually registering them. If you edit a setting in a firewall template, that setting is automatically modified on all CPE devices that are using the firewall template. When you edit a setting on a CPE device, that setting becomes independent of the firewall template. When the same setting is edited in the firewall template, the change is not propagated to the CPE device.
Firewall zones
You can add network interfaces and subnets to a firewall zone (hereinafter also referred to as 'zone') to receive, drop, or reject traffic packets transmitted through these network interfaces and subnets. When you create or edit a firewall zone, you need to specify the actions to be performed with traffic packets and, if necessary, add subnets. You can add network interfaces to a firewall zone when creating or editing a network interface.
If you want to allow transmitting traffic packets from one firewall zone to another, you can create a forwarding. When creating a forwarding, you must specify the inbound and outbound firewall zones.
You can create common firewall zones that multiple CPE devices can use, as well as firewall zones on an individual CPE device.
You cannot edit a common firewall zone because it can be used by a large number of CPE templates and CPE devices, and editing such a firewall zone would result in a mass update of all CPE templates and CPE devices that are using it, which would overload the orchestrator. If you want to edit the common firewall zone, you must create a new common firewall zone. To the created common firewall zone, you can add network interfaces and subnets that were added to the previous common firewall zone.
Firewall rules
You can create firewall rules to accept, drop, or reject traffic packets based on specified criteria. For example, you can create a firewall rule that rejects traffic packets with a specified source firewall zone.
If you want to specify the same IP addresses or subnets in multiple firewall rules, you need to create an IP set. When you create an IP set, you must specify whether the IP addresses and subnets belong to the source or the destination. You can specify the created IP set in firewall rule settings.
When a traffic packet is forwarded to a CPE device, the action specified in the settings of one of the firewall rules is performed on the traffic packet. If none of the firewall rules can be applied, the action specified in the settings of the firewall zone to which this packet was forwarded is applied to the traffic packet. If the traffic packet was not forwarded to any of the firewall zones, the default action that you specified while specifying basic firewall settings is applied to the traffic packet.
Network address translation
The firewall supports the following network address translation (NAT) mechanisms:
- DNAT rules can replace the following elements of traffic packets with the specified values:
  - Destination IP addresses or prefixes
  - Destination firewall zones
  - Destination ports (Port Address Translation, PAT)
- SNAT rules can replace source IP addresses or prefixes of traffic packets with the specified values.
DNAT rules and SNAT rules are applied to traffic packets based on the specified criteria. For example, you can create a DNAT rule that replaces the destination IP address of TCP traffic packets.
Managing firewall zones
You can view the table of common firewall zones or the table of firewall zones on the CPE device:
- To display the table of common firewall zones, go to the SD-WAN → Firewall zones menu section.
- To display the table of firewall zones on a CPE device, go to the SD-WAN → CPE menu section, click the CPE device, and select the Firewall settings → Zones tab.
The following firewall zones are created by default:
- wan (WAN firewall zone) is the firewall zone for network interfaces that are connected to the WAN, for example, to the internet or the service provider network. Masquerading is enabled in the settings of the WAN firewall zone to replace the source IP address of outbound traffic packets from the firewall zone with the IP address assigned to the egress network interface.
- lan (LAN firewall zone) is the firewall zone for network interfaces that are connected to the LAN.
- mgmt (management firewall zone) is the firewall zone for the network interface that is used for passive monitoring of the CPE device by the Zabbix monitoring system, as well as for the SSH connection of the orchestrator to the CPE device.
You cannot delete the default firewall zones or create firewall zones with the same names.
When you upgrade Kaspersky SD-WAN from version 2.1 to 2.2, the following changes are made in the settings of all CPE templates:
- sdwan<0–4> network interfaces are automatically added to the WAN zone of the firewall.
- lan, br-lan, and overlay network interfaces are automatically added to the LAN zone of the firewall.
Information about common firewall zones is displayed in the following columns of the table:
- Name is the name of the firewall zone.
- Usage indicates whether the firewall zone is being used by firewall templates, CPE templates, and/or CPE devices:
  - Yes
  - No
- Author is the name of the user that created the firewall zone.
- Created is the date and time when the firewall zone was created.
The actions that you can perform with the table are described in the Managing solution component tables instructions.
Information about firewall zones on the CPE device is displayed in the following columns of the table:
- Name is the name of the firewall zone.
- Settings contains the actions that the firewall applies to traffic packets.
- Interfaces/Networks are network interfaces and subnets that have been added to the firewall zone.
Creating a firewall zone
You can create a common firewall zone or a firewall zone on the CPE device.
To create a firewall zone:
- Create a firewall zone in one of the following ways:
  - If you want to create a common firewall zone, go to the SD-WAN → Firewall zones section and in the upper part of the page, click + Firewall zone.
  - If you want to create a firewall zone on a CPE device, go to the SD-WAN → CPE menu section, click the CPE device, select the Firewall settings → Zones tab, select the Override check box, and click + Firewall zone.
A table of firewall zones is displayed.
- This opens a window; in that window, in the Name field, enter the name of the firewall zone. Maximum length: 255 characters.
- In the Input drop-down list, select the action that the firewall applies to inbound traffic packets:
- In the Output drop-down list, select the action that the firewall applies to outbound traffic packets:
- In the Forwarding drop-down list, select the action that the firewall applies to traffic packets forwarded between network interfaces and subnets:
- If you want to enable masquerading to replace the source IP address of outbound traffic packets from the firewall zone with the IP address assigned to the egress network interface:
- Clear the MSS clamp to PMTU check box if you do not want the firewall to limit the Maximum Segment Size (MSS) of traffic packets relayed through the firewall zone to the Path Maximum Transmission Unit (PMTU) value minus 40. The purpose of subtracting 40 is to exclude the size of the TCP header. This check box is selected by default.
- If you want the firewall to keep a log of traffic packets dropped in the firewall zone, select the Drops logging check box. If logs created on a CPE device are sent to a Syslog server, you can view the logs on that server. If logs created on the CPE device are stored locally, you can view the logs by requesting diagnostic information. This check box is cleared by default.
- If network interfaces are connected to L3 switches or routers, and you want to relay traffic packets from subnets of these L3 switches or routers, add a subnet to the firewall zone. To do so, under Networks, click + Add and enter an IPv4 subnet prefix.
The subnet is added and displayed under Networks. You can add multiple subnets or delete a subnet. To delete a subnet, click the delete icon next to it.
- Click Create.
The firewall zone is created and displayed in the table.
- If you have created a firewall zone on a CPE device, click Save in the upper part of the settings area to save the CPE device settings.
You must add network interfaces to the created firewall zone. You can do this when creating or editing a network interface. If you created a firewall zone on a CPE device, the network interfaces that you add to the firewall zone must be created on the same CPE device.
Editing the name of the firewall common zone
You can edit the name of the created common firewall zone. The process of editing the name of a firewall zone on a CPE device is described in the instructions on editing a firewall zone on the CPE device.
To edit the name of a common firewall zone:
- In the menu, go to the SD-WAN → Firewall zones section.
A table of firewall zones is displayed.
- Click the common firewall zone whose name you want to edit.
The settings area is displayed in the lower part of the page. You can expand the settings area to fill the entire page by clicking the expand icon.
- In the upper part of the settings area, under Actions, click Rename of Firewall zone.
- This opens a window; in that window, change the name of the common firewall zone.
- Click Rename.
The name of the common firewall zone is modified and updated in the table.
Cloning a firewall common zone
You can clone the created common firewall zone to create an identical common firewall zone with a different name. Cloning firewall zones on a CPE device is not supported.
To clone a common firewall zone:
- In the menu, go to the SD-WAN → Firewall zones section.
A table of firewall zones is displayed.
- Click the common firewall zone which you want to clone.
The settings area is displayed in the lower part of the page. You can expand the settings area to fill the entire page by clicking the expand icon.
- In the upper part of the settings area, under Actions, click Clone.
- This opens a window; in that window, enter a name for the new common firewall zone.
- Click Clone.
A copy of the common firewall zone with the new name is created and displayed in the table.
Viewing the usage of a firewall common zone
You can see which firewall templates, CPE templates, and CPE devices are using the created common zone. If the common firewall zone is in use, it cannot be deleted.
To view the usage of a common firewall zone:
- In the menu, go to the SD-WAN → Firewall zones section.
A table of firewall zones is displayed.
- Click the common firewall zone whose usage you want to view.
The settings area is displayed in the lower part of the page. You can expand the settings area to fill the entire page by clicking the expand icon.
- In the upper part of the settings area, under Actions, click Show usage.
This opens a window with a table of firewall templates, CPE templates, and CPE devices that are using the common firewall zone.
Editing a firewall zone on a CPE device
You can edit a firewall zone on a CPE device. You cannot edit a common firewall zone because it can be used by a large number of CPE templates and CPE devices, and editing such a firewall zone would result in a mass update of all CPE templates and CPE devices that are using it, which would overload the orchestrator. If you want to edit the common firewall zone, you must create a new common firewall zone. To the created common firewall zone, you can add network interfaces and subnets that were added to the previous common firewall zone.
To edit a firewall zone on a CPE device:
- In the menu, go to the SD-WAN → CPE section.
A table of CPE devices is displayed.
- Click the CPE device on which you want to edit the firewall zone.
The settings area is displayed in the lower part of the page. You can expand the settings area to fill the entire page by clicking the expand icon. By default, the Configuration tab is selected, which displays general information about the CPE device. This tab also displays the table of Out-of-band management tasks being performed by the orchestrator.
- Select the Firewall settings → Zones tab.
A table of firewall zones is displayed.
- Select the Override check box.
- Click Edit next to the firewall zone that you want to edit.
- This opens a window; in that window, if necessary, edit the firewall zone settings. For a description of the settings, see the instructions for creating a firewall zone.
- Click Save.
The firewall zone is modified and updated in the table.
- In the upper part of the settings area, click Save to save CPE device settings.
Deleting a firewall zone
You can delete a common firewall zone or a firewall zone on the CPE device.
Deleted firewall zones cannot be restored.
Deleting a firewall common zone
You cannot delete a common firewall zone if it is being used by at least one firewall template, CPE template, or CPE device. You must view the usage of the common firewall zone and make sure that it is not being used.
To delete a common firewall zone:
- In the menu, go to the SD-WAN → Firewall zones section.
A table of firewall zones is displayed.
- Click the common firewall zone which you want to delete.
The settings area is displayed in the lower part of the page. You can expand the settings area to fill the entire page by clicking the expand icon.
- In the upper part of the settings area, under Actions, click Delete.
- In the confirmation window, click Delete.
The common firewall zone is deleted and is no longer displayed in the table.
Deleting a firewall zone on a CPE device
To delete a firewall zone on a CPE device:
- In the menu, go to the SD-WAN → CPE section.
A table of CPE devices is displayed.
- Click the CPE device on which you want to delete the firewall zone.
The settings area is displayed in the lower part of the page. You can expand the settings area to fill the entire page by clicking the expand icon. By default, the Configuration tab is selected, which displays general information about the CPE device. This tab also displays the table of Out-of-band management tasks being performed by the orchestrator.
- Select the Firewall settings → Zones tab.
A table of firewall zones is displayed.
- Select the Override check box.
- Click Delete next to the firewall zone that you want to delete.
- In the confirmation window, click Delete.
The firewall zone is deleted and is no longer displayed in the table.
- In the upper part of the settings area, click Save to save CPE device settings.
Managing forwarding
The table of forwardings is displayed in the firewall template and on the CPE device:
- To display the table of forwardings in a firewall template, go to the SD-WAN → Firewall templates menu section, click the firewall template, and select the Zones forwarding tab.
- To display the table of forwardings on a CPE device, go to the SD-WAN → CPE menu section, click the CPE device, and select the Firewall settings → Zones forwarding tab.
Information about forwardings is displayed in the following columns of the table:
- From is the outbound firewall zone.
- To is the inbound firewall zone.
Creating a forwarding
You can create a forwarding in a firewall template or on a CPE device. A forwarding created in a firewall template is automatically created on all CPE devices that use this firewall template.
To create a forwarding:
- Create a forwarding in one of the following ways:
  - If you want to create a forwarding in a firewall template, go to the SD-WAN → Firewall templates menu section, click the firewall template, and select the Zones forwarding tab.
  - If you want to create a forwarding on a CPE device, go to the SD-WAN → CPE menu section, click the CPE device, select the Firewall settings → Zones forwarding tab, and select the Override check box.
A table of forwardings is displayed.
- Click + Forwarding.
- This opens a window; in that window, in the From drop-down list, select a created outbound firewall zone.
- In the To drop-down list, select a created inbound firewall zone.
- Click Create.
The forwarding is created and displayed in the table.
- In the upper part of the settings area, click Save to save the settings of the firewall template or CPE device.
Deleting a forwarding
You can delete a forwarding in a firewall template or on a CPE device. A forwarding deleted in a firewall template is automatically deleted on all CPE devices that use this firewall template.
Deleted forwardings cannot be restored.
To delete a forwarding:
- Delete a forwarding in one of the following ways:
  - If you want to delete a forwarding in a firewall template, go to the SD-WAN → Firewall templates menu section, click the firewall template, and select the Zones forwarding tab.
  - If you want to delete a forwarding on a CPE device, go to the SD-WAN → CPE menu section, click the CPE device, select the Firewall settings → Zones forwarding tab, and select the Override check box.
A table of forwardings is displayed.
- Click Delete next to the forwarding that you want to delete.
- In the confirmation window, click Delete.
The forwarding is deleted and is no longer displayed in the table.
- In the upper part of the settings area, click Save to save the settings of the firewall template or CPE device.
Managing firewall templates
The table of firewall templates is displayed under SD-WAN → Firewall templates. One of the firewall templates is the default template, which means it is pre-selected when adding and manually registering a CPE device. By default, the Default firewall template is created, which forms the basis for other firewall templates you create. Information about firewall templates is displayed in the following columns of the table:
- Name is the name of the firewall template.
- Usage indicates whether the firewall template is being used by CPE devices:
  - Yes
  - No
- Owner is the name of the user that created the firewall template.
- Last update is the date and time when the firewall template settings were last modified.
The actions that you can perform with the table are described in the Managing solution component tables instructions.
Firewall template settings are displayed on the following tabs:
- Global settings contains basic settings of the firewall.
- Rules contains firewall rules.
- NAT contains network address translation settings. The following tabs are displayed on this tab:
  - DNAT contains DNAT rules.
  - SNAT contains SNAT rules.
- Zones forwarding contains forwardings between firewall zones.
- IP sets contains IP sets.
Creating a firewall template
To create a firewall template:
- Go to the SD-WAN → Firewall templates section.
A table of firewall templates is displayed.
- In the upper part of the page, click + Firewall template.
- This opens a window; in that window, enter the name of the firewall template.
- Click Create.
The firewall template is created and displayed in the table.
You need to configure the created firewall template. For a description of the firewall template tabs, see the Managing firewall templates section.
Setting the default firewall template
You can set a firewall template as the default to have it preselected when adding or manually registering a CPE device.
To set a default firewall template:
- Go to the SD-WAN → Firewall templates section.
A table of firewall templates is displayed.
- Click the firewall template that you want to make the default firewall template.
The settings area is displayed in the lower part of the page. You can expand the settings area to fill the entire page by clicking the expand icon. By default, the Global settings tab is selected, which displays the main settings of the firewall template.
- In the upper part of the settings area, under Actions, click Set as default template.
The firewall template is set as the default firewall template.
Exporting a firewall template
You can export a firewall template to subsequently import it into another firewall template.
To export a firewall template:
- Go to the SD-WAN → Firewall templates section.
A table of firewall templates is displayed.
- Click the firewall template that you want to export.
The settings area is displayed in the lower part of the page. You can expand the settings area to fill the entire page by clicking the expand icon. By default, the Global settings tab is selected, which displays the main settings of the firewall template.
- In the upper part of the settings area, under Actions, click Export.
An archive in the TAR.GZ format is saved on your local device. The archive does not contain information about CPE devices using the firewall template.
Importing a firewall template
You can export a firewall template and subsequently import it into another firewall template. Firewall template settings are specified in accordance with the settings of the imported firewall template. During import, you can select the tabs that you want to leave unchanged. A firewall template into which another firewall template is imported remains applied to CPE devices, but the settings of those CPE devices are not modified.
To import a firewall template:
- Go to the SD-WAN → Firewall templates section.
A table of firewall templates is displayed.
- Click the firewall template that you want to export.
The settings area is displayed in the lower part of the page. You can expand the settings area to fill the entire page by clicking the expand icon. By default, the Global settings tab is selected, which displays the main settings of the firewall template.
- In the upper part of the settings area, under Actions, click Export.
An archive in the TAR.GZ format is saved on your local device. The archive does not contain information about CPE devices using the firewall template.
- Click the firewall template into which you want to import another firewall template.
The settings area is displayed in the lower part of the page. You can expand the settings area to fill the entire page by clicking the expand icon. By default, the Global settings tab is selected, which displays the main settings of the firewall template.
- In the upper part of the settings area, under Actions, click Import.
- This opens a window; in that window, clear the check boxes next to the firewall template tabs that you want to leave unchanged after import.
- In the File field, specify the path to the TAR.GZ archive.
- Click Import.
Firewall template settings are modified in accordance with the settings of the imported firewall template.
Cloning a firewall template
You can clone a firewall template to create an identical firewall template with a different name.
To clone a firewall template:
- Go to the SD-WAN → Firewall templates section.
A table of firewall templates is displayed.
- Click the firewall template that you want to clone.
The settings area is displayed in the lower part of the page. You can expand the settings area to fill the entire page by clicking the expand icon. By default, the Global settings tab is selected, which displays the main settings of the firewall template.
- In the upper part of the settings area, under Actions, click Clone.
- This opens a window; in that window, enter the name of the new firewall template.
- Click Clone.
A copy of the firewall template with the new name is created and displayed in the table.
Viewing the usage of a firewall template
You can see which CPE devices are using the firewall template. If a firewall template is in use, it cannot be deleted.
To view the usage of a firewall template:
- Go to the SD-WAN → Firewall templates section.
A table of firewall templates is displayed.
- Click the firewall template for which you want to view usage information.
The settings area is displayed in the lower part of the page. You can expand the settings area to fill the entire page by clicking the expand icon. By default, the Global settings tab is selected, which displays the main settings of the firewall template.
- In the upper part of the settings area, under Actions, click Show associated CPEs.
This opens a window with a table of CPE devices that are using the firewall template.
Deleting a firewall template
You cannot delete a firewall template while it is in use. You need to look up the usage of the firewall template and make sure that it is not in use.
Deleted firewall templates cannot be restored.
To delete a firewall template:
- Go to the SD-WAN → Firewall templates section.
A table of firewall templates is displayed.
- Click the firewall template that you want to delete.
The settings area is displayed in the lower part of the page. You can expand the settings area to fill the entire page by clicking the expand icon. By default, the Global settings tab is selected, which displays the main settings of the firewall template.
- In the upper part of the settings area, under Actions, click Delete.
- In the confirmation window, click Delete.
The firewall template is deleted and is no longer displayed in the table.
Basic firewall settings
You can configure basic firewall settings in a firewall template or on a CPE device. Basic firewall settings specified in the firewall template are automatically propagated to all CPE devices that use this firewall template.
The firewall applies the actions specified in its basic settings to traffic packets to which no firewall rule has been applied and which have not been forwarded to any of the firewall zones.
To specify the basic firewall settings:
- Specify basic firewall settings in one of the following ways:
  - If you want to edit basic firewall settings in a firewall template, go to the SD-WAN → Firewall templates menu section and click the firewall template.
  - If you want to edit basic firewall settings on a CPE device, go to the SD-WAN → CPE menu section, click the CPE device, select the Firewall settings → Global settings tab, and select the Override check box.
Basic firewall settings are displayed.
- If you want to disable SYN flood protection, clear the Syn-flood protection check box. This check box is selected by default. When SYN flood protection is enabled, a maximum of 25 traffic packets per second with the SYN, ACK, RST, and FIN flags can be sent to a CPE device.
- If you want the firewall to drop traffic packets marked as invalid by the conntrack function, select the Drop invalid packets check box. This check box is cleared by default.
- If you want to disable the DPI (Deep Packet Inspection) technology, clear the Enable DPI check box. This check box is selected by default. The DPI technology lets you create firewall rules that apply only to traffic packets of the specified application.
When the DPI technology is disabled, you cannot configure DPI marking, and firewall rules that use the DPI technology are automatically disabled.
- In the Default INPUT action drop-down list, select the action that the firewall applies to inbound traffic packets:
- In the Default OUTPUT action drop-down list, select the action that the firewall applies to outbound traffic packets:
- In the Default FORWARD action drop-down list, select the action that the firewall applies to traffic packets forwarded between network interfaces and subnets:
- In the upper part of the settings area, click Save to save the settings of the firewall template or CPE device.
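How the template and override behaviour described at the top of this page plays out for the basic settings above, as an added example (not Kaspersky SD-WAN code): a setting edited on a CPE device stops following the template, so a later hardening edit in the template does not reach that device. The classes, device names and values are constructed, and independence is modelled per setting, as the introduction states it.

```python
from dataclasses import dataclass, field


@dataclass
class FirewallTemplate:
    name: str
    settings: dict
    cpes: list = field(default_factory=list, repr=False)

    def edit(self, key, value):
        """Edit in the template: reaches every CPE that has not edited `key` itself."""
        self.settings[key] = value


@dataclass
class Cpe:
    name: str
    template: FirewallTemplate
    overrides: dict = field(default_factory=dict)

    def __post_init__(self):
        self.template.cpes.append(self)

    def edit(self, key, value):
        """Edit on the device: from now on `key` is independent of the template."""
        self.overrides[key] = value

    def effective(self, key):
        return self.overrides.get(key, self.template.settings[key])


def drift_report(template):
    """Every setting the template no longer controls: (cpe, setting, template value, device value)."""
    rows = []
    for cpe in template.cpes:
        for key, value in sorted(cpe.overrides.items()):
            rows.append((cpe.name, key, template.settings[key], value))
    return rows


def missed_change(template, key):
    """CPE devices whose effective value for `key` differs from the template's."""
    return [c.name for c in template.cpes if c.effective(key) != template.settings[key]]


def scenario():
    """Constructed timeline: one device is edited locally, then the template is hardened."""
    template = FirewallTemplate("branch-default", {
        "Syn-flood protection": True,
        "Drop invalid packets": False,
        "Default INPUT action": "accept",
    })
    Cpe("cpe-branch-01", template)
    pinned = Cpe("cpe-branch-02", template)

    # Local edit that keeps the same value: the setting is still detached from the template.
    pinned.edit("Default INPUT action", "accept")
    before = drift_report(template)

    # Hardening applied in the template afterwards.
    template.edit("Default INPUT action", "drop")
    template.edit("Drop invalid packets", True)
    return template, before


if __name__ == "__main__":
    template, before = scenario()
    print("independent settings before hardening:", before)
    print("independent settings after hardening: ", drift_report(template))
    print("devices that missed the INPUT change:  ", missed_change(template, "Default INPUT action"))
    for cpe in template.cpes:
        print(cpe.name, {k: cpe.effective(k) for k in template.settings})
```

Running the drift report after every template change shows which devices still need the setting changed on the device itself.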
Configuring DPI marking
Kaspersky SD-WAN supports creating firewall rules that are applied only to traffic packets of the specified application. You can specify the DPI marks that determine the traffic packets the rule is applied to. You cannot configure DPI marking if you disabled the DPI technology in the basic firewall settings.
You can configure DPI marking in a firewall template or on a CPE device. DPI marking settings specified in the firewall template are automatically propagated to all CPE devices that use this firewall template.
To configure DPI marking:
- Configure DPI marking in one of the following ways:
  - If you want to configure DPI marking in a firewall template, go to the SD-WAN → Firewall templates menu section, click the firewall template, and select the DPI marking tab.
  - If you want to configure DPI marking on a CPE device, go to the SD-WAN → CPE menu section, click the CPE device, select the Firewall settings → DPI marking tab, and select the Override check box.
The DPI marking settings are displayed.
- Select the check boxes next to the DPI marks that you want to use to determine which traffic packets firewall rules are applied to.
- In the upper part of the settings area, click Save to save the settings of the firewall template or CPE device.
Managing firewall rules
The table of firewall rules is displayed in the firewall template and on the CPE device:
- To display the table of firewall rules in a firewall template, go to the SD-WAN → Firewall templates menu section, click the firewall template, and select the Rules tab.
- To display the table of firewall rules on a CPE device, go to the SD-WAN → CPE menu section, click the CPE device, and select the Firewall settings → Rules tab.
The following firewall rules are created by default:
- Allow-GENEVE allows the CPE device to receive GENEVE packets from the WAN firewall zone. GENEVE packets are encapsulated Kaspersky SD-WAN traffic.
- Allow-DHCP-Renew allows the CPE device to receive BOOTP packets from the WAN firewall zone, which is necessary for DHCP to work.
- Allow-IGMP allows the CPE device to receive IGMP packets from the WAN firewall zone, which is necessary for VRRP and multicast to work.
- The following firewall rules are temporarily disabled until full support for IPv6 becomes available in Kaspersky SD-WAN:
  - Allow-DHCPv6 allows the CPE device to receive DHCPv6 packets from the WAN firewall zone, which is necessary for IPv6 to work.
  - Allow-MLD allows the CPE device to receive MLD packets from the WAN firewall zone, which is necessary for IPv6 to work.
  - Allow-ICMPv6-Input allows the CPE device to receive ICMPv6 packets from the WAN firewall zone, which is necessary for IPv6 to work.
  - Allow-ICMPv6-Forward-From-Wan allows the CPE device to receive ICMPv6 packets from the WAN firewall zone that are forwarded to the LAN firewall zone, which is necessary for IPv6 to work.
  - Allow-ICMPv6-Forward-From-Lan allows the CPE device to receive ICMPv6 packets from the LAN firewall zone that are forwarded to the WAN firewall zone, which is necessary for IPv6 to work.
- Explicit-deny-http(s)-on-wan blocks the CPE device from receiving TCP traffic packets with destination ports 80 or 443 to prevent access from the WAN firewall zone to the CPE device web server.
For the default firewall rules to work correctly, you need to add sd-wan<0–4> network interfaces to the WAN firewall zone. You can add network interfaces to a firewall zone when creating or editing a network interface.
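The decision order described under Firewall rules and Basic firewall settings (rule, then zone action, then default action), and the reason the default rules depend on zone membership, as an added example that is not Kaspersky SD-WAN code. Assumptions: rules are checked in list order, a packet belongs to a zone through its ingress interface or source subnet, only inbound traffic is modelled, the drop action for Explicit-deny-http(s)-on-wan is assumed (the page only says it blocks), and all zones, interface names, addresses and the allow-admin-ssh rule are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Packet:
    iface: str
    src_ip: str
    protocol: str
    dest_port: Optional[int] = None


@dataclass
class Zone:
    name: str
    input_action: str                  # accept | drop | reject
    interfaces: frozenset = frozenset()
    networks: tuple = ()               # IPv4 prefixes added under Networks

    def holds(self, pkt):
        if pkt.iface in self.interfaces:
            return True
        return any(ip_address(pkt.src_ip) in ip_network(n) for n in self.networks)


@dataclass
class Rule:
    name: str
    action: str
    source_zone: Optional[str] = None
    protocol: Optional[str] = None
    dest_ports: frozenset = frozenset()
    source_ip: Optional[str] = None    # IPv4 address or prefix

    def matches(self, pkt, zone):
        if self.source_zone and (zone is None or zone.name != self.source_zone):
            return False
        if self.protocol and pkt.protocol != self.protocol:
            return False
        if self.dest_ports and pkt.dest_port not in self.dest_ports:
            return False
        if self.source_ip and ip_address(pkt.src_ip) not in ip_network(self.source_ip, strict=False):
            return False
        return True


def resolve_input(pkt, zones, rules, default_input):
    """Return (action, deciding tier, name of the rule/zone/default that decided)."""
    zone = next((z for z in zones if z.holds(pkt)), None)
    for rule in rules:                             # tier 1: firewall rules
        if rule.matches(pkt, zone):
            return rule.action, "rule", rule.name
    if zone is not None:                           # tier 2: action of the packet's zone
        return zone.input_action, "zone", zone.name
    return default_input, "default", "Default INPUT action"   # tier 3: basic settings


def default_tier_accepts(packets, zones, rules, default_input):
    """Packets that no rule or zone claimed and that the default action let in."""
    return [p for p in packets
            if resolve_input(p, zones, rules, default_input)[:2] == ("accept", "default")]


# Constructed configuration: sdwan1 has not been added to the wan zone.
ZONES = [
    Zone("wan", "reject", frozenset({"sdwan0"})),
    Zone("lan", "accept", frozenset({"br-lan"}), ("192.168.10.0/24",)),
]
RULES = [
    Rule("Explicit-deny-http(s)-on-wan", "drop", source_zone="wan",
         protocol="tcp", dest_ports=frozenset({80, 443})),
    Rule("allow-admin-ssh", "accept", source_zone="lan", protocol="tcp",
         dest_ports=frozenset({22}), source_ip="192.168.10.0/24"),
]
DEFAULT_INPUT = "accept"               # permissive default, chosen to show the fall-through

SAMPLE_PACKETS = [
    Packet("sdwan0", "203.0.113.7", "tcp", 443),   # zoned WAN interface, web port
    Packet("sdwan0", "203.0.113.7", "udp", 53),    # zoned WAN interface, no rule matches
    Packet("sdwan1", "203.0.113.7", "tcp", 443),   # WAN interface missing from the wan zone
    Packet("br-lan", "192.168.10.5", "tcp", 22),   # LAN admin host
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(pkt, "->", resolve_input(pkt, ZONES, RULES, DEFAULT_INPUT))
    print("accepted by default tier:", default_tier_accepts(SAMPLE_PACKETS, ZONES, RULES, DEFAULT_INPUT))
```

The third packet is the case to look for in an audit: the same web request that is dropped on sdwan0 is accepted on sdwan1, because a rule with a source zone cannot match traffic from an interface that belongs to no zone.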
Information about firewall rules is displayed in the following columns of the table:
- Name is the name of the firewall rule.
- Details contains criteria according to which the firewall applies the rule to traffic packets.
- Action is the action that the firewall rule applies to traffic packets.
Creating a firewall rule
You can create a firewall rule in a firewall template or on a CPE device. A firewall rule created in a firewall template is automatically created on all CPE devices that use this firewall template.
To create a firewall rule:
- Create a firewall rule in one of the following ways:
- If you want to create a firewall rule in a firewall template, go to the SD-WAN → Firewall templates menu section, click the firewall template, and select the Rules tab.
- If you want to create a firewall rule on a CPE device, go to the SD-WAN → CPE menu section, click the CPE device, select the Firewall settings → Rules tab, and select the Override check box.
A table of firewall rules is displayed.
- Click + Rule.
- This opens a window; in that window, in the Name field, enter the name of the firewall rule. Maximum length: 255 characters.
- In the Action drop-down list, select the action that the firewall rule applies to traffic packets:
- Specify the criteria according to which the firewall must apply the firewall rule to traffic packets:
- If you want to apply the firewall rule only to traffic packets with the specified source or destination IP addresses or subnets, in the IP set drop-down list, select a created IP set. If you select a value from this drop-down list, the Source IP and Destination IP blocks become unavailable.
- If you want to apply the firewall rule only to traffic packets with the specified version of source or destination IP addresses or subnets, in the IP version drop-down list, select one of the following options:
- IPv4
- IPv6
If you do not select a value, the firewall rule is applied to traffic packets with any version of source or destination IP addresses or subnets.
- If you want to apply the firewall rule only to traffic packets with the specified source firewall zone, in the Source zone drop-down list, select the created firewall zone.
- If you want to apply the firewall rule only to traffic packets with the specified destination firewall zone, in the Destination zone drop-down list, select a created firewall zone.
- If you want to apply the firewall rule only to traffic packets with the specified source IPv4 address or prefix, under Source IP, click + Add and enter an IPv4 address or prefix.
The IPv4 address or prefix is specified and displayed under Source IP. You can specify multiple IPv4 addresses or prefixes or delete an IPv4 address or prefix. To delete an IPv4 address or prefix, click the delete icon next to it.
- If you want to apply the firewall rule only to traffic packets with the specified destination IPv4 address or prefix, under Destination IP, click + Add and enter an IPv4 address or prefix.
The IPv4 address or prefix is specified and displayed under Destination IP. You can specify multiple IPv4 addresses or prefixes or delete an IPv4 address or prefix. To delete an IPv4 address or prefix, click the delete icon next to it.
- If you want to apply the firewall rule only to traffic packets of the specified protocol, select a protocol in the Protocol drop-down list. When you select an option in this drop-down list, the DPI protocol drop-down list becomes unavailable.
With TCP or UDP selected, if you want to apply the firewall rule only to traffic packets with the specified source and/or destination ports:
- In the Source port field, enter a source port number or a range of source port numbers.
- In the Destination port field, enter a destination port number or a range of destination port numbers.
Range of values: 0 to 65,535. The format of the port number range is <first value>-<last value>. For example, you can enter 10 or 10-15.
- If you want to apply the firewall rule only to traffic packets of the specified application, select an application in the DPI protocol drop-down list.
Traffic is attributed to applications using the DPI technology, which places additional load on the CPU of the CPE device.
You can specify the DPI marks that determine the traffic packets the rule is applied to. If you disabled the DPI technology when specifying the basic settings of the firewall, the firewall rule is automatically disabled.
- Click Create.
The firewall rule is created and displayed in the table.
- In the upper part of the settings area, click Save to save the settings of the firewall template or CPE device.
By default, the firewall rule is disabled. You must enable the firewall rule to have it applied to traffic packets.
Configuring the order of firewall rules
Firewall rules are applied to traffic packets in descending order, starting with the first firewall rule at the top of the table. By default, firewall rules are displayed in the table in the order of creation. The earlier a firewall rule was created, the higher it is displayed in the table.
You can configure the order in which firewall rules are applied in a firewall template or on a CPE device. The order in which firewall rules are applied, which is specified in the firewall template, is automatically propagated to all CPE devices that use this firewall template.
To configure the order in which firewall rules are applied:
- Edit the order in which firewall rules are applied in one of the following ways:
- If you want to configure the order in which firewall rules are applied in a firewall template, go to the SD-WAN → Firewall templates menu section, click the firewall template, and select the Rules tab.
- If you want to configure the order in which firewall rules are applied on a CPE device, go to the SD-WAN → CPE menu section, click the CPE device, select the Firewall settings → Rules tab, and select the Override check box.
A table of firewall rules is displayed.
- Configure the order in which firewall rules are applied by clicking the Up and Down buttons next to them.
- In the upper part of the settings area, click Save to save the settings of the firewall template or CPE device.
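The effect of rule order can be checked offline before saving a template. The following is an added example, not Kaspersky SD-WAN code: it models the rule table as described above (top-down application, rules disabled by default, the <first value>-<last value> port format) and reports rules that can never take effect. It assumes that the first enabled matching rule decides the action and that the default action applies otherwise; the Rule class, the zone name and the sample rules are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


def parse_port_range(text: str) -> Tuple[int, int]:
    """Parse a single port ('10') or a '<first value>-<last value>' range ('10-15')."""
    first, sep, last = text.strip().partition("-")
    lo = int(first)                      # int('') raises ValueError for '-5' or '10-'
    hi = int(last) if sep else lo
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"port range out of bounds or reversed: {text!r}")
    return lo, hi


@dataclass(frozen=True)
class Rule:                              # hypothetical model of one table row
    name: str
    action: str                          # "accept", "drop" or "reject"
    protocol: Optional[str] = None       # None means the criterion is not set
    src_zone: Optional[str] = None
    dst_ports: Optional[str] = None
    src_ips: Tuple[str, ...] = ()
    enabled: bool = False                # rules are created in a disabled state

    def matches(self, pkt: dict) -> bool:
        if self.protocol and self.protocol != pkt["protocol"]:
            return False
        if self.src_zone and self.src_zone != pkt["src_zone"]:
            return False
        if self.dst_ports:
            lo, hi = parse_port_range(self.dst_ports)
            port = pkt.get("dst_port")
            if port is None or not lo <= port <= hi:
                return False
        if self.src_ips:
            src = ip_address(pkt["src_ip"])
            if not any(src in ip_network(p, strict=False) for p in self.src_ips):
                return False
        return True

    def covers(self, other: "Rule") -> bool:
        """True if every packet matched by `other` is also matched by this rule."""
        if self.protocol and self.protocol != other.protocol:
            return False
        if self.src_zone and self.src_zone != other.src_zone:
            return False
        if self.dst_ports:
            if not other.dst_ports:
                return False
            lo, hi = parse_port_range(self.dst_ports)
            olo, ohi = parse_port_range(other.dst_ports)
            if not (lo <= olo and ohi <= hi):
                return False
        if self.src_ips:
            if not other.src_ips:
                return False
            mine = [ip_network(p, strict=False) for p in self.src_ips]
            for p in other.src_ips:
                if not any(ip_network(p, strict=False).subnet_of(m) for m in mine):
                    return False
        return True


def evaluate(rules, pkt, default_action):
    """Assumed semantics: the first enabled matching rule decides, top to bottom."""
    for rule in rules:
        if rule.enabled and rule.matches(pkt):
            return rule.action, rule.name
    return default_action, None


def audit(rules):
    """Report rules that never apply: still disabled, or shadowed by an earlier rule."""
    findings = []
    for i, rule in enumerate(rules):
        if not rule.enabled:
            findings.append((rule.name, "disabled", None))
            continue
        for earlier in rules[:i]:
            if earlier.enabled and earlier.covers(rule):
                findings.append((rule.name, "shadowed", earlier.name))
                break
    return findings


# Constructed sample table, in display order (top of the table first).
RULES = [
    Rule("allow-wan-low-ports", "accept", "tcp", "wan", "1-1024", enabled=True),
    Rule("deny-wan-https", "drop", "tcp", "wan", "443", enabled=True),
    Rule("deny-branch-telnet", "drop", "tcp", "wan", "23", ("198.51.100.0/24",)),
]
PKT = {"protocol": "tcp", "src_zone": "wan", "src_ip": "198.51.100.7", "dst_port": 443}

if __name__ == "__main__":
    print(evaluate(RULES, PKT, "drop"))
    for finding in audit(RULES):
        print(finding)
```

Moving deny-wan-https above allow-wan-low-ports with the Up button removes the shadowing finding; the disabled rule stays reported until it is enabled.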
Enabling or disabling a firewall rule
By default, firewall rules are created in a disabled state. You must enable the firewall rule to have it applied to traffic packets.
You can enable or disable a firewall rule in a firewall template or on a CPE device. A firewall rule enabled or disabled in a firewall template is automatically enabled or disabled on all CPE devices that use this firewall template.
To enable or disable a firewall rule:
- Enable or disable a firewall rule in one of the following ways:
- If you want to enable or disable a firewall rule in a firewall template, go to the SD-WAN → Firewall templates menu section, click the firewall template, and select the Rules tab.
- If you want to enable or disable a firewall rule on a CPE device, go to the SD-WAN → CPE menu section, click the CPE device, select the Firewall settings → Rules tab, and select the Override check box.
A table of firewall rules is displayed.
- Click Enable or Disable next to the firewall rule that you want to enable or disable.
The firewall rule is enabled or disabled.
- In the upper part of the settings area, click Save to save the settings of the firewall template or CPE device.
Editing a firewall rule
You can edit a firewall rule in a firewall template or on a CPE device. A firewall rule modified in a firewall template is automatically modified on all CPE devices that use this firewall template.
To edit a firewall rule:
- Edit a firewall rule in one of the following ways:
- If you want to edit a firewall rule in a firewall template, go to the SD-WAN → Firewall templates menu section, click the firewall template, and select the Rules tab.
- If you want to edit a firewall rule on a CPE device, go to the SD-WAN → CPE menu section, click the CPE device, select the Firewall settings → Rules tab, and select the Override check box.
A table of firewall rules is displayed.
- Click Edit next to the firewall rule that you want to edit.
- This opens a window; in that window, if necessary, edit the firewall rule settings. For a description of the settings, see the instructions for creating a firewall rule.
- Click Save.
The firewall rule is modified and updated in the table.
- In the upper part of the settings area, click Save to save the settings of the firewall template or CPE device.
Deleting a firewall rule
You can delete a firewall rule in a firewall template or on a CPE device. A firewall rule deleted in a firewall template is automatically deleted on all CPE devices that use this firewall template.
Deleted firewall rules cannot be restored.
To delete a firewall rule:
- Delete a firewall rule in one of the following ways:
- If you want to delete a firewall rule in a firewall template, go to the SD-WAN → Firewall templates menu section, click the firewall template, and select the Rules tab.
- If you want to delete a firewall rule on a CPE device, go to the SD-WAN → CPE menu section, click the CPE device, select the Firewall settings → Rules tab, and select the Override check box.
A table of firewall rules is displayed.
- Click Delete next to the firewall rule that you want to delete.
- In the confirmation window, click Delete.
The firewall rule is deleted and is no longer displayed in the table.
- In the upper part of the settings area, click Save to save the settings of the firewall template or CPE device.
Managing IP sets
The table of IP sets is displayed in the firewall template and on the CPE device:
- To display the table of IP sets in a firewall template, go to the SD-WAN → Firewall templates menu section, click the firewall template, and select the IP sets tab.
- To display the table of IP sets on a CPE device, go to the SD-WAN → CPE menu section, click the CPE device, and select the Firewall settings → IP sets tab.
Information about IP sets is displayed in the following columns of the table:
- Name is the name of the IP set.
- Match indicates whether the IP set is associated with the source or the destination of traffic packets, and whether the set contains IP addresses or subnets.
- Entries are IP addresses or subnets that have been added to the IP set.
Creating an IP set
You can create an IP set in a firewall template or on a CPE device. An IP set created in a firewall template is automatically created on all CPE devices that use this firewall template.
To create an IP set:
- Create an IP set in one of the following ways:
- If you want to create an IP set in a firewall template, go to the SD-WAN → Firewall templates menu section, click the firewall template, and select the IP sets tab.
- If you want to create an IP set on a CPE device, go to the SD-WAN → CPE menu section, click the CPE device, select the Firewall settings → IP sets tab, and select the Override check box.
A table of IP sets is displayed.
- Click + IP set.
- This opens a window; in that window, in the Name field, enter the name of the IP set. Maximum length: 255 characters.
- In the Direction drop-down list, select whether the IP set is associated with the source or the destination of traffic packets:
- Match source if the IP set contains source IP addresses or subnets.
- Match destination if the IP set contains destination IP addresses or subnets.
- In the Type drop-down list, select whether the set contains IP addresses or subnets.
- Set of subnets if the IP set contains subnets.
- Set of IPs if the IP set contains IP addresses.
- If in the Type drop-down list, you selected Set of subnets, specify a subnet. To do so, under Entries list, click + Add and enter an IPv4 prefix. You can specify ranges of IPv4 prefix octets using square brackets, for example, 192.[165-168].2.0/24.
The subnet is specified and displayed under Entries list. You can specify multiple subnets or delete a subnet. To delete a subnet, click the delete icon next to it.
- If in the Type drop-down list, you selected Set of IPs, specify an IP address. To do so, under Entries list, click + Add and enter an IPv4 address. You can specify ranges of IPv4 address octets using square brackets, for example, 192.[165-168].2.0.
The IP address is specified and displayed in the Entries list section. You can specify multiple IP addresses or delete an IP address. To delete an IP address, click the delete icon next to it.
- Click Create.
The IP set is created and displayed in the table.
- In the upper part of the settings area, click Save to save the settings of the firewall template or CPE device.
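Because a bracketed octet range multiplies the number of entries, it is worth expanding an IP set entry before saving it to see what it actually covers. The following is an added example, not Kaspersky SD-WAN code: it expands the square-bracket notation shown above and totals the covered address space. It assumes that a range such as [165-168] is inclusive and that each octet value produces one entry; the function names are hypothetical.

```python
import re
from ipaddress import collapse_addresses, ip_network
from itertools import product

# One octet: either a plain number or an inclusive range in square brackets.
_OCTET = re.compile(r"(?:\[(\d{1,3})-(\d{1,3})\]|(\d{1,3}))")


def expand_entry(entry: str, kind: str):
    """Expand one Entries list value into concrete IPv4 networks.

    kind is 'subnets' for "Set of subnets" (a prefix length is required)
    or 'ips' for "Set of IPs" (no prefix length; each result is a /32).
    """
    if kind not in ("subnets", "ips"):
        raise ValueError("kind must be 'subnets' or 'ips'")
    addr, slash, plen = entry.strip().partition("/")
    if kind == "subnets" and not slash:
        raise ValueError(f"subnet entry needs a prefix length: {entry!r}")
    if kind == "ips" and slash:
        raise ValueError(f"IP entry must not carry a prefix length: {entry!r}")

    octets = addr.split(".")
    if len(octets) != 4:
        raise ValueError(f"expected four octets: {entry!r}")

    choices = []
    for octet in octets:
        m = _OCTET.fullmatch(octet)
        if not m:
            raise ValueError(f"bad octet {octet!r} in {entry!r}")
        if m.group(3) is not None:
            lo = hi = int(m.group(3))
        else:
            lo, hi = int(m.group(1)), int(m.group(2))
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"octet range out of bounds or reversed: {octet!r}")
        choices.append(range(lo, hi + 1))

    networks = []
    for combo in product(*choices):
        text = ".".join(str(o) for o in combo) + slash + plen
        # strict=True is a reviewer's choice here: host bits set in a subnet
        # entry (for example 192.168.2.5/24) are reported as a mistake.
        networks.append(ip_network(text, strict=True))
    return networks


def summarize(entries, kind):
    """Return (collapsed networks, total addresses) for a whole IP set."""
    expanded = [net for e in entries for net in expand_entry(e, kind)]
    collapsed = list(collapse_addresses(expanded))   # merges overlaps and neighbours
    return collapsed, sum(net.num_addresses for net in collapsed)


if __name__ == "__main__":
    for net in expand_entry("192.[165-168].2.0/24", "subnets"):
        print(net)
    print(summarize(["10.[0-3].0.0/16"], "subnets"))
```

A large total from summarize is a cue to recheck the entry before the IP set is attached to a rule with an accept action.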
Disabling or enabling an IP set
You can disable or enable an IP set in a firewall template or on a CPE device. An IP set enabled or disabled in a firewall template is automatically enabled or disabled on all CPE devices that use this firewall template.
To disable or enable an IP set:
- Disable or enable an IP set in one of the following ways:
- If you want to enable or disable an IP set in a firewall template, go to the SD-WAN → Firewall templates menu section, click the firewall template, and select the IP sets tab.
- If you want to enable or disable an IP set on a CPE device, go to the SD-WAN → CPE menu section, click the CPE device, select the Firewall settings → IP sets tab, and select the Override check box.
A table of IP sets is displayed.
- Click Disable or Enable next to the IP set that you want to disable or enable.
The IP set is disabled or enabled.
- In the upper part of the settings area, click Save to save the settings of the firewall template or CPE device.
Editing an IP set
You can edit an IP set in a firewall template or on a CPE device. An IP set modified in a firewall template is automatically modified on all CPE devices that use this firewall template.
To edit an IP set:
- Edit an IP set in one of the following ways:
- If you want to edit an IP set in a firewall template, go to the SD-WAN → Firewall templates menu section, click the firewall template, and select the IP sets tab.
- If you want to edit an IP set on a CPE device, go to the SD-WAN → CPE menu section, click the CPE device, select the Firewall settings → IP sets tab, and select the Override check box.
A table of IP sets is displayed.
- Click Edit next to the IP set that you want to edit.
- This opens a window; in that window, if necessary, edit the IP set settings. For a description of the settings, see the instructions for creating an IP set.
- Click Save.
The IP set is modified and updated in the table.
- In the upper part of the settings area, click Save to save the settings of the firewall template or CPE device.
Deleting an IP set
You can delete an IP set in a firewall template or on a CPE device. An IP set deleted in a firewall template is automatically deleted on all CPE devices that use this firewall template.
Deleted IP sets cannot be restored.
To delete an IP set:
- Delete an IP set in one of the following ways:
- If you want to delete an IP set in a firewall template, go to the SD-WAN → Firewall templates menu section, click the firewall template, and select the IP sets tab.
- If you want to delete an IP set on a CPE device, go to the SD-WAN → CPE menu section, click the CPE device, select the Firewall settings → IP sets tab, and select the Override check box.
A table of IP sets is displayed.
- Click Delete next to the IP set that you want to delete.
- In the confirmation window, click Delete.
The IP set is deleted and is no longer displayed in the table.
- In the upper part of the settings area, click Save to save the settings of the firewall template or CPE device.
Managing DNAT rules
The table of DNAT rules is displayed in the firewall template and on the CPE device:
- To display the table of DNAT rules in a firewall template, go to the SD-WAN → Firewall templates menu section, click the firewall template, and select the NAT → DNAT tab.
- To display the table of DNAT rules on a CPE device, go to the SD-WAN → CPE menu section, click the CPE device, and select the Firewall settings → NAT → DNAT tab.
Information about DNAT rules is displayed in the following columns of the table:
- Name is the name of the DNAT rule.
- Incoming contains the criteria according to which the firewall applies the DNAT rule to traffic packets:
- Redirect to is the destination IP address and port of traffic packets after the DNAT rule is applied.
Creating a DNAT rule
You can create a DNAT rule in a firewall template or on a CPE device. A DNAT rule created in a firewall template is automatically created on all CPE devices that use this firewall template.
To create a DNAT rule:
- Create a DNAT rule in one of the following ways:
- If you want to create a DNAT rule in a firewall template, go to the SD-WAN → Firewall templates menu section, click the firewall template, and select the NAT → DNAT tab.
- If you want to create a DNAT rule on a CPE device, go to the SD-WAN → CPE menu section, click the CPE device, select the Firewall settings → NAT → DNAT tab, and select the Override check box.
A table of DNAT rules is displayed.
- Click + DNAT.
- This opens a window; in that window, in the Name field, enter the name of the DNAT rule. Maximum length: 255 characters.
- Specify the criteria according to which the firewall must apply the DNAT rule to traffic packets:
- In the Protocol drop-down list, select the protocol of traffic packets to which the firewall applies the DNAT rule:
- IP
- TCP
- UDP
- # for custom or non-standard protocol. If you select this value, in the displayed Protocol number field, enter the protocol number in accordance with the IANA standard.
- In the Destination IP field, enter the destination IPv4 address or prefix of traffic packets to which the firewall applies the DNAT rule.
- If you want to apply the DNAT rule only to traffic packets with the specified source firewall zone, in the Source zone drop-down list, select a created firewall zone.
- If in the Protocol drop-down list, you selected TCP or UDP, and you want to apply the DNAT rule only to traffic packets with the specified destination port, enter the port number in the Destination port field. Range of values: 1 to 65,535.
- If you want to apply the DNAT rule only to traffic packets with the specified source IPv4 address or prefix, in the Source IP field, enter an IPv4 address or prefix.
- Specify how the DNAT rule modifies traffic packets:
- In the Destination IP field, enter a new IPv4 destination address or prefix.
- In the Destination zone drop-down list, select the new destination firewall zone.
- If in the Protocol drop-down list, you selected TCP or UDP, and you want to change the destination port number of traffic packets, enter a new port number in the Destination port field. Range of values: 1 to 65,535.
- Click Create.
The DNAT rule is created and displayed in the table.
- In the upper part of the settings area, click Save to save the settings of the firewall template or CPE device.
Configuring the order of DNAT rules
DNAT rules are applied to traffic packets in descending order, starting with the first DNAT rule at the top of the table. By default, DNAT rules are displayed in the table in the order of creation. The earlier a DNAT rule was created, the higher it is displayed in the table.
You can configure the order in which DNAT rules are applied in a firewall template or on a CPE device. The order in which DNAT rules are applied, which is specified in the firewall template, is automatically propagated to all CPE devices that use this firewall template.
To configure the order in which DNAT rules are applied:
- Edit the order in which the DNAT rules are applied in one of the following ways:
- If you want to configure the order in which DNAT rules are applied in a firewall template, go to the SD-WAN → Firewall templates menu section, click the firewall template, and select the NAT → DNAT tab.
- If you want to configure the order in which DNAT rules are applied on a CPE device, go to the SD-WAN → CPE menu section, click the CPE device, select the Firewall settings → NAT → DNAT tab, and select the Override check box.
A table of DNAT rules is displayed.
- Configure the order in which DNAT rules are applied by clicking the Up and Down buttons next to them.
- In the upper part of the settings area, click Save to save the settings of the firewall template or CPE device.
Disabling or enabling a DNAT rule
You can disable or enable a DNAT rule in a firewall template or on a CPE device. A DNAT rule enabled or disabled in a firewall template is automatically enabled or disabled on all CPE devices that use this firewall template.
To disable or enable a DNAT rule:
- Disable or enable a DNAT rule in one of the following ways:
- If you want to disable or enable a DNAT rule in a firewall template, go to the SD-WAN → Firewall templates menu section, click the firewall template and in the displayed settings area, select the NAT → DNAT tab.
- If you want to disable or enable a DNAT rule on a CPE device, go to the SD-WAN → CPE menu section, click the CPE device, in the displayed settings area, select the Firewall settings → NAT → DNAT tab, and select the Override check box.
A table of DNAT rules is displayed.
- Click Disable or Enable next to the DNAT rule that you want to disable or enable.
The DNAT rule is disabled or enabled.
- In the upper part of the settings area, click Save to save the settings of the firewall template or CPE device.
Editing a DNAT rule
You can edit a DNAT rule in a firewall template or on a CPE device. A DNAT rule modified in a firewall template is automatically modified on all CPE devices that use this firewall template.
To edit a DNAT rule:
- Edit a DNAT rule in one of the following ways:
- If you want to edit a DNAT rule in a firewall template, go to the SD-WAN → Firewall templates menu section, click the firewall template, and select the NAT → DNAT tab.
- If you want to edit a DNAT rule on a CPE device, go to the SD-WAN → CPE menu section, click the CPE device, select the Firewall settings → NAT → DNAT tab, and select the Override check box.
A table of DNAT rules is displayed.
- Click Edit next to the DNAT rule that you want to edit.
- This opens a window; in that window, if necessary, edit the DNAT rule settings. For a description of the settings, see the instructions for creating a DNAT rule.
- Click Save.
The DNAT rule is modified and updated in the table.
- In the upper part of the settings area, click Save to save the settings of the firewall template or CPE device.
Deleting a DNAT rule
You can delete a DNAT rule in a firewall template or on a CPE device. A DNAT rule deleted in a firewall template is automatically deleted on all CPE devices that use this firewall template.
Deleted DNAT rules cannot be restored.
To delete a DNAT rule:
- Delete a DNAT rule in one of the following ways:
- If you want to delete a DNAT rule in a firewall template, go to the SD-WAN → Firewall templates menu section, click the firewall template, and select the NAT → DNAT tab.
- If you want to delete a DNAT rule on a CPE device, go to the SD-WAN → CPE menu section, click the CPE device, select the Firewall settings → NAT → DNAT tab, and select the Override check box.
A table of DNAT rules is displayed.
- Click Delete next to the DNAT rule that you want to delete.
- In the confirmation window, click Delete.
The DNAT rule is deleted and is no longer displayed in the table.
- In the upper part of the settings area, click Save to save the settings of the firewall template or CPE device.
Managing SNAT rules
The table of SNAT rules is displayed in the firewall template and on the CPE device:
- To display the table of SNAT rules in a firewall template, go to the SD-WAN → Firewall templates menu section, click the firewall template, and select the NAT → SNAT tab.
- To display the table of SNAT rule groups on a CPE device, go to the SD-WAN → CPE menu section, click the device, select the Firewall settings → NAT → SNAT tab, and select the Override check box.
Information about SNAT rules is displayed in the following table columns:
- Name is the name of the SNAT rule.
- Outgoing are criteria according to which the firewall applies the SNAT rule to traffic packets.
- Action is the action that the SNAT rule applies to traffic packets.
Creating a SNAT rule
You can create a SNAT rule in a firewall template or on a CPE device. A SNAT rule created in a firewall template is automatically created on all CPE devices that use this firewall template.
To create a SNAT rule:
- Create a SNAT rule in one of the following ways:
- If you want to create a SNAT rule in a firewall template, go to the SD-WAN → Firewall templates menu section, click the firewall template, and select the NAT → SNAT tab.
- If you want to create a SNAT rule on a CPE device, go to the SD-WAN → CPE menu section, click the CPE device, select the Firewall settings → NAT → SNAT tab, and select the Override check box.
A table of SNAT rules is displayed.
- Click + SNAT.
- This opens a window; in that window, in the Name field, enter the name of the SNAT rule. Maximum length: 255 characters.
- Specify the criteria according to which the firewall must apply the SNAT rule to traffic packets:
- In the Protocol drop-down list, select the protocol of traffic packets to which the firewall applies the SNAT rule:
- In the Destination zone drop-down list, select the created destination firewall zone of traffic packets to which the firewall applies the SNAT rule.
- If you want to apply the SNAT rule only to traffic packets with the specified source IPv4 address or prefix, in the Source IP field, enter an IPv4 address or prefix.
- If you want to apply the SNAT rule only to traffic packets with the specified destination IPv4 address or prefix, in the Destination IP field, enter an IPv4 address or prefix.
- In the Action drop-down list, select SNAT.
- In the SNAT IP field, enter a new source IP address or prefix that the SNAT rule specifies for traffic packets.
- Click Create.
The SNAT rule is created and displayed in the table.
- In the upper part of the settings area, click Save to save the settings of the firewall template or CPE device.
Configuring the order of SNAT rules
SNAT rules are applied to traffic packets in descending order, starting with the first SNAT rule at the top of the table. By default, SNAT rules are displayed in the table in the order of creation. The earlier a SNAT rule was created, the higher it is displayed in the table.
You can configure the order in which SNAT rules are applied in a firewall template or on a CPE device. The order in which SNAT rules are applied, which is specified in the firewall template, is automatically propagated to all CPE devices that use this firewall template.
To configure the order in which SNAT rules are applied:
- Edit the order in which the SNAT rules are applied in one of the following ways:
- If you want to configure the order in which SNAT rules are applied in a firewall template, go to the SD-WAN → Firewall templates menu section, click the firewall template, and select the NAT → SNAT tab.
- If you want to configure the order in which SNAT rules are applied on a CPE device, go to the SD-WAN → CPE menu section, click the CPE device, select the Firewall settings → NAT → SNAT tab, and select the Override check box.
A table of SNAT rules is displayed.
- Configure the order in which SNAT rules are applied by clicking the Up and Down buttons next to them.
- In the upper part of the settings area, click Save to save the settings of the firewall template or CPE device.
Disabling or enabling a SNAT rule
You can disable or enable a SNAT rule in a firewall template or on a CPE device. A SNAT rule enabled or disabled in a firewall template is automatically enabled or disabled on all CPE devices that use this firewall template.
To disable or enable a SNAT rule:
- Disable or enable a SNAT rule in one of the following ways:
- If you want to enable or disable a SNAT rule in a firewall template, go to the SD-WAN → Firewall templates menu section, click the firewall template, and select the NAT → SNAT tab.
- If you want to enable or disable a SNAT rule on a CPE device, go to the SD-WAN → CPE menu section, click the CPE device, select the Firewall settings → NAT → SNAT tab, and select the Override check box.
A table of SNAT rules is displayed.
- Click Disable or Enable next to the SNAT rule that you want to disable or enable.
The SNAT rule is disabled or enabled.
- In the upper part of the settings area, click Save to save the settings of the firewall template or CPE device.
Editing a SNAT rule
You can edit a SNAT rule in a firewall template or on a CPE device. A SNAT rule modified in a firewall template is automatically modified on all CPE devices that use this firewall template.
To edit a SNAT rule:
- Edit a SNAT rule in one of the following ways:
- If you want to edit a SNAT rule in a firewall template, go to the SD-WAN → Firewall templates menu section, click the firewall template, and select the NAT → SNAT tab.
- If you want to edit a SNAT rule on a CPE device, go to the SD-WAN → CPE menu section, click the CPE device, select the Firewall settings → NAT → SNAT tab, and select the Override check box.
A table of SNAT rules is displayed.
- Click Edit next to the SNAT rule that you want to edit.
- This opens a window; in that window, if necessary, edit the SNAT rule settings. For a description of the settings, see the instructions for creating a SNAT rule.
- Click Save.
The SNAT rule is modified and displayed in the table.
- In the upper part of the settings area, click Save to save the settings of the firewall template or CPE device.
Deleting a SNAT rule
You can delete a SNAT rule in a firewall template or on a CPE device. A SNAT rule deleted in a firewall template is automatically deleted on all CPE devices that use this firewall template.
Deleted SNAT rules cannot be restored.
To delete a SNAT rule:
- Delete a SNAT rule in one of the following ways:
- If you want to delete a SNAT rule in a firewall template, go to the SD-WAN → Firewall templates menu section, click the firewall template, and select the NAT → SNAT tab.
- If you want to delete a SNAT rule on a CPE device, go to the SD-WAN → CPE menu section, click the CPE device, select the Firewall settings → NAT → SNAT tab, and select the Override check box.
A table of SNAT rules is displayed.
- Click Delete next to the SNAT rule that you want to delete.
- In the confirmation window, click Delete.
The SNAT rule is deleted and is no longer displayed in the table.
- In the upper part of the settings area, click Save to save the settings of the firewall template or CPE device.
Changing the firewall template of a CPE device
Editing a CPE device firewall template may result in loss of communication with other CPE devices, as well as the loss of relayed traffic packets.
To change the firewall template of a CPE device:
- In the menu, go to the SD-WAN → CPE section.
A table of CPE devices is displayed.
- Click the CPE device for which you want to change the firewall template.
The settings area is displayed in the lower part of the page. You can expand the settings area to fill the entire page by clicking the expand icon. By default, the Configuration tab is selected, which displays general information about the CPE device. This tab also displays the table of Out-of-band management tasks being performed by the orchestrator.
- In the Firewall template drop-down list, select a created firewall template.
- In the upper part of the settings area, click Save to save CPE device settings.