The Umbrella cloud-delivered firewall provides firewall services without the need to deploy, maintain, and upgrade physical or virtual appliances at each site. The cloud-delivered firewall relies on your existing on-premises devices to build tunnels to the Umbrella cloud, so you do not need to upgrade or deploy any additional physical or virtual appliances.
Through the firewall policy rules written in the Umbrella dashboard, you can filter traffic at layer 3 and layer 4 that originates on the internal network but is destined for the internet. You can block apps at layer 7 as well.
- An internet connection that allows outbound IPsec traffic
- An Umbrella account with the cloud-delivered firewall feature enabled
- A network device capable of establishing an IPsec IKEv2 tunnel
For supported network devices, see Supported IPSec Parameters.
- Tunnel passphrase obtained from the Umbrella dashboard
- At least one tunnel added. For more information about adding tunnels, see Network Tunnel Configuration.
- Navigate to Policies > Management > Firewall Policy and click Add.
If Umbrella displays the message "You are missing a tunnel connection", click Add A Tunnel. Tunnels are required for firewall policies. For more information about adding tunnels, see Network Tunnel Configuration.
- Give your rule a good descriptive Name, a Description for the rule, and choose a Priority Order.
Priority Order positions rules in the Firewall Policy in the order in which rules are evaluated and then applied. Rules are applied sequentially, with the Default Rule always in the last position.
- Choose the rule's criteria:
- Protocol—The protocols to which the rule applies. Options are TCP, UDP, ICMP, or any.
- Applications—The applications and application categories to which the rule applies. For more information, see Application Categories.
- Source Tunnels—The source tunnel to which the rule applies.
Search for tunnels to add them. Up to three tunnels are displayed dynamically as you begin entering text.
- Source IPs/CIDRS—The tunnel's source addresses (IPs or CIDRs) to which the rule applies—in a plain-text list, delimited by commas, or "any".
- Source Ports—The tunnel's source ports to which the rule applies—in a plain-text list, delimited by commas, or "any".
- Destination IPs/CIDRS—The tunnel's destination addresses (IPs or CIDRs) to which the rule applies—in a plain-text list, delimited by commas, or "any".
- Destination Ports—The tunnel's destination ports to which the rule applies—in a plain-text list, delimited by commas, or "any".
- Choose a Time Zone, and configure Start and Expiration dates and times.
Optionally, check Does Not Expire so that this rule never expires.
- Select an interval for the hit counter. If you disable logging for this firewall rule, the hit counter is also disabled. For more information, see Monitor Hit Count.
- Configure Rule Action:
a. Choose Block Traffic or Allow Traffic to specify what happens to traffic matching this Firewall policy rule.
b. Enable or Disable logging.
Note: Logging is disabled by default. If you disable logging, the hit counter is also disabled.
c. Enable or Disable this Firewall rule.
- Click Save.
When you select a Network Tunnel identity in a firewall policy, the following identities may also apply to the firewall policy rule:
- Internal Network
You can add Network Tunnel identities to a firewall policy and define actions, ports, protocols, and applications in a firewall policy rule. Umbrella evaluates each firewall policy rule, starting with the highest ranked rule. When an identity and destination match a rule, Umbrella applies the action defined in the rule.
For example, if an identity requests a web application on port 80 or 443, Umbrella first checks for a matching firewall policy rule. If Umbrella finds a matching firewall policy rule, the cloud-delivered firewall (CDFW) applies the action defined in the rule.
For web application requests, Umbrella applies this sequence of checks.
- Match a firewall policy rule to an identity and destination.
- If the matching rule defines a Block action, the Umbrella cloud-delivered firewall blocks the request.
- If the matching rule defines an Allow action, the Umbrella cloud-delivered firewall forwards the request to the Umbrella secure web gateway (SWG). The secure web gateway applies the security settings defined in the Web policy. To learn about the Umbrella Web policy, see Manage the Web Policy.
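As an added illustration, not Umbrella's own code or documented internals, the following Python model walks a rule set the way the sequence above describes: rules are evaluated in Priority Order with the Default Rule last, a Block match drops the request, and an Allow match on TCP 80/443 hands it to the SWG. The sample policy, tunnel names, addresses, and the `default_action` parameter are constructed for the example (the real Default Rule's action is whatever your dashboard shows); the third rule demonstrates why ordering matters, since the broader Allow ranked above it means guest web traffic never reaches that Block rule.

```python
import ipaddress
from dataclasses import dataclass

def _ip_match(spec, ip):
    # spec is "any" or a comma-delimited list of IPs/CIDRs, as in the rule criteria
    if spec.strip().lower() == "any":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(s.strip(), strict=False) for s in spec.split(","))

def _port_match(spec, port):
    return spec.strip().lower() == "any" or port in {int(p) for p in spec.split(",")}

@dataclass
class Rule:
    name: str
    priority: int            # Priority Order: lower numbers are evaluated first
    action: str              # "Block" or "Allow"
    protocol: str = "any"    # TCP, UDP, ICMP or any
    src_tunnels: str = "any"
    src_ips: str = "any"
    src_ports: str = "any"
    dst_ips: str = "any"
    dst_ports: str = "any"
    enabled: bool = True     # a disabled rule is skipped entirely

def matches(rule, pkt):
    return rule.enabled and all([
        rule.protocol.lower() in ("any", pkt["proto"].lower()),
        rule.src_tunnels.lower() in ("any", pkt["tunnel"].lower()),
        _ip_match(rule.src_ips, pkt["src_ip"]), _port_match(rule.src_ports, pkt["src_port"]),
        _ip_match(rule.dst_ips, pkt["dst_ip"]), _port_match(rule.dst_ports, pkt["dst_port"])])

def evaluate(rules, pkt, default_action):
    """Walk rules in Priority Order, Default Rule last (default_action is an assumed input).
    Returns (rule name, verdict): 'blocked', 'forwarded to SWG' (Allow on TCP 80/443) or 'allowed'."""
    default = Rule("Default Rule", priority=float("inf"), action=default_action)
    for rule in sorted(rules, key=lambda r: r.priority) + [default]:
        if matches(rule, pkt):
            if rule.action == "Block":
                return rule.name, "blocked"
            if pkt["proto"].upper() == "TCP" and pkt["dst_port"] in (80, 443):
                return rule.name, "forwarded to SWG"
            return rule.name, "allowed"

# Constructed sample policy: rule 3 never sees guest web traffic because rule 2 matches first
RULES = [
    Rule("Block telnet", 1, "Block", protocol="TCP", dst_ports="23"),
    Rule("Allow branch web", 2, "Allow", protocol="TCP", src_tunnels="branch-01",
         src_ips="10.1.0.0/16", dst_ports="80,443"),
    Rule("Block guest VLAN", 3, "Block", src_ips="10.1.50.0/24"),
]
```

Running the guest-VLAN web request through `evaluate` returns the Allow rule, which is the shadowing you want to catch when reviewing Priority Order; lowering the guest Block rule's priority number above the Allow rule fixes it.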