Creating ip rules or ip policies, Creating ip policy objects for internet access – Amer Networks E5Web GUI User Manual

Page 243

Interface: wan
Network: all-nets
Gateway: isp_gw_ip

3. Click OK

3.11.5. Creating IP Rules or IP Policies

Before traffic can flow to the ISP, appropriate IP Rule objects must be created to allow the traffic
to pass. An alternative to using IP rules is to use IP Policy objects which can simplify this process if
other options such as application control are being added.

At minimum, DNS and HTTP traffic should be allowed to flow so that web surfing can take place.
It may also be necessary to use NAT to share the single external IP address assigned to the
Clavister Security Gateway so that the internal network topology of private IPv4 addresses is
hidden.

If, for example, web surfing is going to be done from clients on the internal network lan_net
attached to the lan interface to the public Internet connected to the wan interface, then the IP
rules for DNS and HTTP would be:

Action   Src Interface   Src Network   Dest Interface   Dest Network   Service
NAT      lan             lan_net       wan              all-nets       dns-all
NAT      lan             lan_net       wan              all-nets       http-all

The service http-all includes both the HTTP and HTTPS protocols but not DNS, so a second rule or
policy is needed. The single service all could have been used in a single rule, but this is not
recommended because it would allow connections to be opened on any port number, which can
compromise security. The best approach is to define the traffic filter as narrowly as possible,
which has been done here.

Example 3.44. Creating IP Policy Objects for Internet Access

This example creates an IP policy called surf_http that allows clients on the lan_net network to
access the public Internet. It is assumed that traffic is being NATed to the Internet using the
public IP address of the wan interface.

A second policy is also created called surf_dns which allows DNS queries.

Command-Line Interface

Create policy for the http-all service:

Device:/> add IPPolicy SourceInterface=lan SourceNetwork=lan_net
          DestinationInterface=wan DestinationNetwork=all-nets
          Service=http-all SourceAction=NAT Name=surf_http

Repeat for the dns-all service:
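To make the point about narrow services concrete, the following added example (not part of the manual and not Clavister's own code) models the surf_http and surf_dns policies from this example and the rule table above, evaluates a few constructed packets against them with first-match semantics, and compares the result with a single policy using the service all. It also renders each policy as the one-line add IPPolicy command used above. The network ranges behind lan_net and all-nets, and the port lists behind dns-all, http-all and all, are assumptions made for the model.

```python
"""Model of cOS Core-style IP policies for Example 3.44 (added illustration, not
Clavister's code).  Service and network definitions below are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed service definitions: protocol -> set of destination ports.
# dns-all = DNS over UDP and TCP 53; http-all = HTTP (80) and HTTPS (443);
# "all" is a wildcard matching every protocol and port.
SERVICES = {
    "dns-all": {"udp": {53}, "tcp": {53}},
    "http-all": {"tcp": {80, 443}},
    "all": None,
}

# Constructed address objects; lan_net is an arbitrary private range.
NETWORKS = {
    "lan_net": ipaddress.ip_network("192.168.1.0/24"),
    "all-nets": ipaddress.ip_network("0.0.0.0/0"),
}


@dataclass(frozen=True)
class IPPolicy:
    name: str
    source_interface: str
    source_network: str
    destination_interface: str
    destination_network: str
    service: str
    source_action: str = "NAT"


@dataclass(frozen=True)
class Packet:
    src_if: str
    src_ip: str
    dst_if: str
    dst_ip: str
    proto: str
    dst_port: int


def service_matches(service: str, proto: str, port: int) -> bool:
    ports = SERVICES[service]
    if ports is None:          # the "all" service matches anything
        return True
    return port in ports.get(proto, set())


def policy_matches(policy: IPPolicy, pkt: Packet) -> bool:
    return (policy.source_interface == pkt.src_if
            and policy.destination_interface == pkt.dst_if
            and ipaddress.ip_address(pkt.src_ip) in NETWORKS[policy.source_network]
            and ipaddress.ip_address(pkt.dst_ip) in NETWORKS[policy.destination_network]
            and service_matches(policy.service, pkt.proto, pkt.dst_port))


def lookup(policies, pkt: Packet) -> Optional[str]:
    """First-match evaluation: name of the matching policy, or None (implicit drop)."""
    for policy in policies:
        if policy_matches(policy, pkt):
            return policy.name
    return None


def to_cli(policy: IPPolicy) -> str:
    """Render the policy as the add IPPolicy command form used in Example 3.44."""
    return ("add IPPolicy"
            f" SourceInterface={policy.source_interface}"
            f" SourceNetwork={policy.source_network}"
            f" DestinationInterface={policy.destination_interface}"
            f" DestinationNetwork={policy.destination_network}"
            f" Service={policy.service}"
            f" SourceAction={policy.source_action}"
            f" Name={policy.name}")


SURF_HTTP = IPPolicy("surf_http", "lan", "lan_net", "wan", "all-nets", "http-all")
SURF_DNS = IPPolicy("surf_dns", "lan", "lan_net", "wan", "all-nets", "dns-all")
NARROW = [SURF_HTTP, SURF_DNS]
BROAD = [IPPolicy("surf_all", "lan", "lan_net", "wan", "all-nets", "all")]


def demo() -> dict:
    """Constructed packets -> (match under narrow policies, match under the all policy)."""
    pkts = {
        "https": Packet("lan", "192.168.1.10", "wan", "203.0.113.5", "tcp", 443),
        "dns": Packet("lan", "192.168.1.10", "wan", "203.0.113.53", "udp", 53),
        "ssh": Packet("lan", "192.168.1.10", "wan", "203.0.113.5", "tcp", 22),
        "wan_in": Packet("wan", "198.51.100.7", "lan", "192.168.1.10", "tcp", 443),
    }
    return {name: (lookup(NARROW, p), lookup(BROAD, p)) for name, p in pkts.items()}


if __name__ == "__main__":
    for policy in NARROW:
        print(to_cli(policy))
    for name, result in demo().items():
        print(f"{name:7s} narrow={result[0]} all={result[1]}")
```

The ssh packet is the one to watch: the narrow policies return None (dropped), while the single all policy accepts it, which is exactly the exposure the text warns about. Traffic arriving on wan matches neither set, since both only cover lan to wan.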

Chapter 3: Fundamentals
