The Umbrella cloud-delivered firewall provides firewall services without the need to deploy, maintain, and upgrade physical or virtual appliances at each site. The cloud-delivered firewall relies on your existing on-premises appliances to build IPsec tunnels to the Umbrella cloud, so no additional physical or virtual appliances need to be deployed or upgraded.
Through the firewall policy rules written in the Umbrella dashboard, you can filter traffic at layer 3 and layer 4 that originates on the internal network but is destined for the internet. You can block apps at layer 7 as well.
- An internet connection that allows outbound IPsec traffic
- An Umbrella account with the cloud-delivered firewall feature enabled
- A network device capable of establishing an IPsec IKEv2 tunnel
For supported network devices, see Supported IPSec Parameters.
- Tunnel passphrase obtained from the Umbrella dashboard
- At least one tunnel added. For more information about adding tunnels, see Network Tunnel Configuration.
- Navigate to Policies > Management > Firewall Policy and click Add.
If Umbrella displays the message "You are missing a tunnel connection", click Add A Tunnel. Tunnels are required for firewall policies. For more information about adding tunnels, see Network Tunnel Configuration.
- Give your rule a good descriptive Name, a Description for the rule, and choose a Priority Order.
Priority Order positions rules in the Firewall Policy in the order in which rules are evaluated and applied. Rules are evaluated sequentially, and the first matching rule applies; the Default Rule is always in the last position.
- Choose the rule's criteria:
- Protocol—The protocols to which the rule applies. Options are TCP, UDP, ICMP, or any.
- Applications—The applications and application categories to which the rule applies. For more information, see Application Categories.
- Source Tunnels—The source tunnel to which the rule applies.
Search for tunnels to add them. Up to three tunnels are displayed dynamically as you begin entering text.
- Source IPs/CIDRs—The tunnel's source addresses (IPs or CIDRs) to which the rule applies—a plain-text list delimited by commas, or "any".
- Source Ports—The tunnel's source ports to which the rule applies—a plain-text list delimited by commas, or "any".
- Destination IPs/CIDRs—The tunnel's destination addresses (IPs or CIDRs) to which the rule applies—a plain-text list delimited by commas, or "any".
- Destination Ports—The tunnel's destination ports to which the rule applies—a plain-text list delimited by commas, or "any".
- Choose a Time Zone and configure Start and Expiration dates and times.
Optionally, check Does Not Expire so that this rule never expires.
- Select an interval for the hit counter. If you disable logging for this firewall rule, the hit counter is also disabled. For more information, see Monitor Hit Count.
- Configure Rule Action:
a. Choose Block Traffic or Allow Traffic to specify what happens to traffic matching these Firewall policy rules.
b. Enable or Disable logging.
Note: Logging is disabled by default. If you disable logging, the hit counter is also disabled.
c. Enable or Disable this Firewall rule.
- Click Save.
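To make the evaluation order and the "any" / comma-delimited criteria concrete, here is an added Python model of how an ordered rule set like the one configured above decides a flow. It is example code written for this page, not Umbrella's own code or API: the Rule field names, the flow dictionary layout, the tunnel names and addresses, and the Default Rule action (a parameter here) are all assumptions. It shows first-match-wins by priority, the Default Rule always last, a disabled rule being skipped, and the hit counter advancing only when logging is enabled for the rule.

```python
"""Ordered evaluation of cloud-firewall rules (constructed example, not Umbrella code).

Assumptions: Rule field names, the flow dict layout and the Default Rule
action are illustrative, not the Umbrella dashboard or API schema."""
import ipaddress
from dataclasses import dataclass, field

ANY = "any"


def parse_addrs(text: str):
    """Comma-delimited IPs/CIDRs, or "any", as the dashboard fields accept them."""
    text = text.strip()
    if text.lower() == ANY:
        return ANY
    return [ipaddress.ip_network(p.strip(), strict=False)
            for p in text.split(",") if p.strip()]


def parse_ports(text: str):
    """Comma-delimited port numbers, or "any"; rejects out-of-range values."""
    text = text.strip()
    if text.lower() == ANY:
        return ANY
    ports = {int(p) for p in text.split(",") if p.strip()}
    bad = sorted(p for p in ports if not 0 <= p <= 65535)
    if bad:
        raise ValueError(f"port out of range: {bad}")
    return ports


def parse_names(text: str):
    """Comma-delimited tunnel names, or "any"."""
    text = text.strip()
    return ANY if text.lower() == ANY else {p.strip() for p in text.split(",") if p.strip()}


@dataclass
class Rule:
    name: str
    priority: int           # lower value is evaluated first
    action: str             # "allow" or "block"
    protocol: str = ANY     # "tcp", "udp", "icmp" or "any"
    src_tunnels: str = ANY  # tunnel names, comma-delimited, or "any"
    src_addrs: str = ANY
    src_ports: str = ANY
    dst_addrs: str = ANY
    dst_ports: str = ANY
    enabled: bool = True
    logging: bool = False   # off by default, as in the dashboard
    hits: int = field(default=0, init=False)

    def __post_init__(self):
        if self.action not in ("allow", "block"):
            raise ValueError(f"bad action {self.action!r}")
        self._tunnels = parse_names(self.src_tunnels)
        self._src, self._sports = parse_addrs(self.src_addrs), parse_ports(self.src_ports)
        self._dst, self._dports = parse_addrs(self.dst_addrs), parse_ports(self.dst_ports)

    @staticmethod
    def _addr_ok(allowed, ip):
        return allowed == ANY or any(ipaddress.ip_address(ip) in n for n in allowed)

    @staticmethod
    def _port_ok(allowed, port):
        # ICMP flows carry port=None, so they only match a port criterion of "any"
        return allowed == ANY or port in allowed

    def matches(self, flow: dict) -> bool:
        """True when the rule is enabled and every configured criterion matches."""
        if not self.enabled:
            return False
        if self.protocol != ANY and flow["proto"] != self.protocol:
            return False
        if self._tunnels != ANY and flow["tunnel"] not in self._tunnels:
            return False
        return (self._addr_ok(self._src, flow["src_ip"])
                and self._port_ok(self._sports, flow["src_port"])
                and self._addr_ok(self._dst, flow["dst_ip"])
                and self._port_ok(self._dports, flow["dst_port"]))


def evaluate(rules, flow, default_action="allow"):
    """First match in priority order decides; the Default Rule is always last.
    The hit counter only advances when logging is enabled for the matching rule.
    The Default Rule's action is an assumption passed in by the caller."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(flow):
            if rule.logging:
                rule.hits += 1
            return rule.name, rule.action
    return "Default Rule", default_action


def build_rules():
    """Constructed rule set: a narrow block placed ahead of a broad allow."""
    return [
        Rule("Block telnet", 1, "block", protocol="tcp", dst_ports="23"),
        Rule("Allow branch outbound", 2, "allow", protocol="tcp",
             src_tunnels="branch-sjc", src_addrs="10.1.0.0/16", logging=True),
        Rule("Block guest segment", 3, "block", src_addrs="10.9.0.0/24"),
    ]


def sample_flows():
    """Constructed flows (RFC 5737 documentation addresses as destinations)."""
    return [
        {"tunnel": "branch-sjc", "proto": "tcp", "src_ip": "10.1.5.20", "src_port": 40000,
         "dst_ip": "203.0.113.10", "dst_port": 23},
        {"tunnel": "branch-sjc", "proto": "tcp", "src_ip": "10.1.5.20", "src_port": 40001,
         "dst_ip": "203.0.113.10", "dst_port": 443},
        {"tunnel": "branch-sjc", "proto": "udp", "src_ip": "10.9.0.7", "src_port": 5353,
         "dst_ip": "198.51.100.53", "dst_port": 53},
        {"tunnel": "branch-ams", "proto": "icmp", "src_ip": "10.50.0.1", "src_port": None,
         "dst_ip": "198.51.100.1", "dst_port": None},
    ]


if __name__ == "__main__":
    rules = build_rules()
    for flow in sample_flows():
        print(flow["proto"], flow["src_ip"], "->", flow["dst_ip"], flow["dst_port"],
              evaluate(rules, flow))
    print({r.name: r.hits for r in rules})
```

The telnet flow matches both the priority-1 block and the priority-2 allow, and the block wins because it is evaluated first; disable the block rule and the same flow falls through to the allow, which is exactly the behaviour to check when reordering rules in the dashboard. The block rule has logging off, so its hit counter stays at zero even though it matched.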