Kaspersky SD-WAN

Managing firewall zones

You can view the table of common firewall zones or the table of firewall zones on the CPE device:

  • To display the table of common firewall zones, go to the SD-WAN → Firewall zones menu section.
  • To display the table of firewall zones on a CPE device, go to the SD-WAN → CPE menu section, click the CPE device, and select the Firewall settings → Zones tab.

The following firewall zones are created by default:

  • wan (WAN firewall zone) is the firewall zone for network interfaces that are connected to the WAN, for example, to the internet or the service provider network. Masquerading (source NAT) is enabled in the settings of the WAN firewall zone so that the source IP address of traffic packets leaving the firewall zone is replaced with the IP address assigned to the egress network interface.
  • lan (LAN firewall zone) is the firewall zone for network interfaces that are connected to the LAN.
  • mgmt (management firewall zone) is the firewall zone for the network interface that is used for passive monitoring of the CPE device by the Zabbix monitoring system, as well as for the SSH connection of the orchestrator to the CPE device.

You cannot delete the default firewall zones or create firewall zones with the same names.

When you upgrade Kaspersky SD-WAN from version 2.1 to 2.2, the following changes are made in the settings of all CPE templates:

  • sdwan<0–4> network interfaces are automatically added to the WAN zone of the firewall.
  • lan, br-lan, and overlay network interfaces are automatically added to the LAN zone of the firewall.

Information about common firewall zones is displayed in the following columns of the table:

The actions that you can perform with the table are described in the Managing solution component tables instructions.

Information about firewall zones on the CPE device is displayed in the following columns of the table:

  • Name is the name of the firewall zone.
  • Settings contains the actions that the firewall applies to traffic packets.
  • Interfaces/Networks are network interfaces and subnets that have been added to the firewall zone.

In this section

Creating a firewall zone

Editing the name of a common firewall zone

Cloning a common firewall zone

Viewing the usage of a common firewall zone

Editing a firewall zone on a CPE device

Deleting a firewall zone

[Topic 270021]

Creating a firewall zone

You can create a common firewall zone or a firewall zone on the CPE device.

To create a firewall zone:

  1. Create a firewall zone in one of the following ways:
    • If you want to create a common firewall zone, go to the SD-WAN → Firewall zones section and in the upper part of the page, click + Firewall zone.
    • If you want to create a firewall zone on a CPE device, go to the SD-WAN → CPE menu section, click the CPE device, select the Firewall settings → Zones tab, select the Override check box, and click + Firewall zone.

    A table of firewall zones is displayed.

  2. This opens a window; in that window, in the Name field, enter the name of the firewall zone. Maximum length: 255 characters.
  3. In the Input drop-down list, select the action that the firewall applies to inbound traffic packets:
  4. In the Output drop-down list, select the action that the firewall applies to outbound traffic packets:
  5. In the Forwarding drop-down list, select the action that the firewall applies to traffic packets forwarded between network interfaces and subnets:
  6. If you want to enable masquerading to replace the source IP address of outbound traffic packets from the firewall zone with the IP address assigned to the egress network interface:
  7. Clear the MSS clamp to PMTU check box if you do not want the firewall to limit the Maximum Segment Size (MSS) of TCP traffic relayed through the firewall zone to the Path Maximum Transmission Unit (PMTU) value minus 40. The 40 bytes are the IPv4 header (20 bytes) plus the TCP header (20 bytes, without options), so a clamped segment fits in one PMTU-sized packet; this avoids fragmentation and the black-holed connections that occur on paths where ICMP Fragmentation Needed messages are filtered. This check box is selected by default.
  8. If you want the firewall to keep a log of traffic packets dropped in the firewall zone, select the Drops logging check box. If logs created on a CPE device are sent to a Syslog server, you can view the logs on that server. If logs created on the CPE device are stored locally, you can view the logs by requesting diagnostic information. This check box is cleared by default.
  9. If a network interface is connected to an L3 switch or router and you want the firewall zone to cover traffic from the subnets behind that device (such packets arrive on the interface with source addresses outside the interface's own subnet), add those subnets to the firewall zone. To do so, under Networks, click + Add and enter an IPv4 subnet prefix.

    The subnet is added and displayed under Networks. You can add multiple subnets or delete a subnet. To delete a subnet, click the delete icon next to it.

  10. Click Create.

    The firewall zone is created and displayed in the table.

  11. If you have created a firewall zone on a CPE device, click Save in the upper part of the settings area to save the CPE device settings.

You must add network interfaces to the created firewall zone. You can do this when creating or editing a network interface. If you created a firewall zone on a CPE device, the network interfaces that you add to the firewall zone must be created on the same CPE device.
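The zone model that the procedure above configures (interface and subnet membership, per-zone Input, Output and Forwarding actions, masquerading, MSS clamp to PMTU minus 40, and drop logging) is easier to reason about when the decision path is written out. The following is an added illustration, not Kaspersky SD-WAN code: the zone names wan, lan and mgmt, the sdwan and br-lan interface names and the minus-40 rule come from this page; the default actions per zone, the packet fields, the address assignments, the syslog-style log line and the rule that traffic on an interface belonging to no zone is dropped are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# MSS clamp value: PMTU minus the IPv4 header (20 bytes) and the TCP header (20 bytes).
IP_TCP_HEADERS = 40


@dataclass
class Zone:
    name: str
    policy_input: str = "DROP"       # packets addressed to the CPE itself
    policy_output: str = "ACCEPT"    # packets generated by the CPE itself
    policy_forward: str = "DROP"     # packets relayed from this zone elsewhere
    masquerade: bool = False
    mss_clamp: bool = True           # "MSS clamp to PMTU", selected by default
    log_drops: bool = False          # "Drops logging", cleared by default
    interfaces: frozenset = frozenset()
    networks: tuple = ()             # IPv4 prefixes behind L3 switches/routers


@dataclass
class Packet:
    src: str
    dst: str
    in_iface: Optional[str]          # None: generated by the CPE
    out_iface: Optional[str]         # None: delivered to the CPE
    pmtu: int = 1500
    mss: Optional[int] = None        # TCP SYN MSS option; None for non-TCP


class ZoneFirewall:
    def __init__(self, zones, iface_addrs):
        self.zones = {z.name: z for z in zones}
        self.iface_addrs = iface_addrs   # egress interface -> its IPv4 address
        self.drop_log = []

    def zone_of(self, iface, addr):
        """Interface membership wins; subnets cover hosts behind an L3 device."""
        for zone in self.zones.values():
            if iface in zone.interfaces:
                return zone
        ip = ip_address(addr)
        for zone in self.zones.values():
            if any(ip in ip_network(net) for net in zone.networks):
                return zone
        return None

    def evaluate(self, pkt):
        if pkt.in_iface is None:
            chain, zone = "output", self.zone_of(pkt.out_iface, pkt.dst)
        elif pkt.out_iface is None:
            chain, zone = "input", self.zone_of(pkt.in_iface, pkt.src)
        else:
            chain, zone = "forward", self.zone_of(pkt.in_iface, pkt.src)
        # Assumption: traffic on an interface that belongs to no zone is dropped.
        action = getattr(zone, f"policy_{chain}") if zone else "DROP"
        verdict = {"chain": chain, "zone": zone.name if zone else None,
                   "action": action, "src": pkt.src, "mss": pkt.mss}
        if action != "ACCEPT":
            if zone and zone.log_drops:   # constructed syslog-style line
                self.drop_log.append(
                    f"fw: zone={zone.name} chain={chain} DROP src={pkt.src} "
                    f"dst={pkt.dst} in={pkt.in_iface} out={pkt.out_iface}")
            return verdict
        if pkt.out_iface is not None:
            egress = self.zone_of(pkt.out_iface, pkt.dst)
            if egress and egress.masquerade:
                verdict["src"] = self.iface_addrs[pkt.out_iface]
            if egress and egress.mss_clamp and pkt.mss is not None:
                verdict["mss"] = min(pkt.mss, pkt.pmtu - IP_TCP_HEADERS)
        return verdict


def default_zones():
    """The three default zones named on the page; policies and members are assumed."""
    return [
        Zone("wan", masquerade=True, log_drops=True,
             interfaces=frozenset({"sdwan0", "sdwan1"})),
        Zone("lan", policy_forward="ACCEPT",
             interfaces=frozenset({"br-lan"}), networks=("10.10.0.0/16",)),
        Zone("mgmt", policy_input="ACCEPT", interfaces=frozenset({"mgmt0"})),
    ]


if __name__ == "__main__":
    fw = ZoneFirewall(default_zones(), {"sdwan0": "203.0.113.5"})
    for p in (Packet("192.168.1.10", "198.51.100.20", "br-lan", "sdwan0", pmtu=1400, mss=1460),
              Packet("198.51.100.20", "203.0.113.5", "sdwan0", None, mss=1460),
              Packet("10.10.0.7", "198.51.100.20", "eth3", "sdwan0")):
        print(fw.evaluate(p))
    print(*fw.drop_log, sep="\n")
```

Three points the model makes visible: a host behind an L3 switch (10.10.0.7 arriving on an interface that is in no zone) is placed in the lan zone only because its subnet was added under Networks; a forwarded flow picks up masquerading and the MSS clamp from the egress zone (1460 is cut to 1360 for a 1400-byte PMTU); and an inbound connection attempt to the CPE from the WAN is dropped and, because Drops logging is enabled on that zone, leaves a log line that a Syslog collector can alert on.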

[Topic 270039]

Editing the name of a common firewall zone

You can edit the name of the created common firewall zone. The process of editing the name of a firewall zone on a CPE device is described in the instructions on editing a firewall zone on the CPE device.

To edit the name of a common firewall zone:

  1. In the menu, go to the SD-WAN → Firewall zones section.

    A table of firewall zones is displayed.

  2. Click the common firewall zone whose name you want to edit.

    The settings area is displayed in the lower part of the page. You can expand the settings area to fill the entire page by clicking the expand icon.

  3. In the upper part of the settings area, under Actions, click Rename of Firewall zone.
  4. This opens a window; in that window, change the name of the common firewall zone.
  5. Click Rename.

The name of the common firewall zone is modified and updated in the table.

[Topic 270105]

Cloning a common firewall zone

You can clone the created common firewall zone to create an identical common firewall zone with a different name. Cloning firewall zones on a CPE device is not supported.

To clone a common firewall zone:

  1. In the menu, go to the SD-WAN → Firewall zones section.

    A table of firewall zones is displayed.

  2. Click the common firewall zone which you want to clone.

    The settings area is displayed in the lower part of the page. You can expand the settings area to fill the entire page by clicking the expand icon.

  3. In the upper part of the settings area, under Actions, click Clone.
  4. This opens a window; in that window, enter a name for the new common firewall zone.
  5. Click Clone.

A copy of the common firewall zone with the new name is created and displayed in the table.

[Topic 270108]

Viewing the usage of a common firewall zone

You can see which firewall templates, CPE templates, and CPE devices are using the created common zone. If the common firewall zone is in use, it cannot be deleted.

To view the usage of a common firewall zone:

  1. In the menu, go to the SD-WAN → Firewall zones section.

    A table of firewall zones is displayed.

  2. Click the common firewall zone whose usage you want to view.

    The settings area is displayed in the lower part of the page. You can expand the settings area to fill the entire page by clicking the expand icon.

  3. In the upper part of the settings area, under Actions, click Show usage.

This opens a window with a table of firewall templates, CPE templates, and CPE devices that are using the common firewall zone.

[Topic 270109]

Editing a firewall zone on a CPE device

You can edit a firewall zone on a CPE device. You cannot edit a common firewall zone because it can be used by a large number of CPE templates and CPE devices; editing such a zone would trigger a mass update of every CPE template and CPE device that uses it and overload the orchestrator. If you need a common firewall zone with different settings, create a new common firewall zone and add to it the network interfaces and subnets that were added to the previous one.

To edit a firewall zone on a CPE device:

  1. In the menu, go to the SD-WAN → CPE section.

    A table of CPE devices is displayed.

  2. Click the CPE device on which you want to edit the firewall zone.

    The settings area is displayed in the lower part of the page. You can expand the settings area to fill the entire page by clicking the expand icon. By default, the Configuration tab is selected, which displays general information about the CPE device. This tab also displays the table of Out-of-band management tasks being performed by the orchestrator.

  3. Select the Firewall settings → Zones tab.

    A table of firewall zones is displayed.

  4. Select the Override check box.
  5. Click Edit next to the firewall zone that you want to edit.
  6. This opens a window; in that window, if necessary, edit the firewall zone settings. For a description of the settings, see the instructions for creating a firewall zone.
  7. Click Save.

    The firewall zone is modified and updated in the table.

  8. In the upper part of the settings area, click Save to save CPE device settings.
[Topic 270269]

Deleting a firewall zone

You can delete a common firewall zone or a firewall zone on the CPE device.

Deleted firewall zones cannot be restored.

Deleting a common firewall zone

You cannot delete a common firewall zone if it is being used by at least one firewall template, CPE template, or CPE device. You must view the usage of the common firewall zone and make sure that it is not being used.

To delete a common firewall zone:

  1. In the menu, go to the SD-WAN → Firewall zones section.

    A table of firewall zones is displayed.

  2. Click the common firewall zone which you want to delete.

    The settings area is displayed in the lower part of the page. You can expand the settings area to fill the entire page by clicking the expand icon.

  3. In the upper part of the settings area, under Actions, click Delete.
  4. In the confirmation window, click Delete.

The common firewall zone is deleted and is no longer displayed in the table.

Deleting a firewall zone on a CPE device

To delete a firewall zone on a CPE device:

  1. In the menu, go to the SD-WAN → CPE section.

    A table of CPE devices is displayed.

  2. Click the CPE device on which you want to delete the firewall zone.

    The settings area is displayed in the lower part of the page. You can expand the settings area to fill the entire page by clicking the expand icon. By default, the Configuration tab is selected, which displays general information about the CPE device. This tab also displays the table of Out-of-band management tasks being performed by the orchestrator.

  3. Select the Firewall settings → Zones tab.

    A table of firewall zones is displayed.

  4. Select the Override check box.
  5. Click Delete next to the firewall zone that you want to delete.
  6. In the confirmation window, click Delete.

    The firewall zone is deleted and is no longer displayed in the table.

  7. In the upper part of the settings area, click Save to save CPE device settings.
[Topic 270107]