Firewall FAQs

From Edge Threat Management Wiki - Arista
Revision as of 17:54, 6 June 2022 by Græmer (talk | contribs)
Jump to navigationJump to search

How does NG Firewall know the geographical location of an IP address?

NG Firewall uses a tool called GeoIP2 by Maxmind to determine an IP address' physical location in the world. More details about that service are available here: https://www.maxmind.com/en/geoip2-services-and-databases

Why doesn't the Firewall app have any rules enabled by default?

When NG Firewall is in router mode, it is performing NAT, which blocks all inbound sessions. When NG Firewall is in bridge mode, the NG Firewall is already behind a firewall, which is doing NAT.

The default is pass all?! Why? That's so insecure!

As explained above, most NG Firewall boxes are install in router mode meaning that NAT is being performed on traffic. This means all inbound traffic is blocked regardless of the settings in the Firewall, only explicitly port forwarded traffic goes inside your network. Alternatively, most bridge mode deployments are installed behind a NAT device so the Firewall app (and NG Firewall) will only see traffic that has already explicitly been passed with a port forward on the NAT device. What this means is that the "pass all" default in most scenarios means "block everything inbound but nothing outbound", which is common policy for a lot of organizations. In our opinion most of the Firewall's utility is for controlling outbound traffic, however you are free to add rules controlling inbound, outbound or any other type of traffic you wish.

Where do I add Port Forwards?

Port forwarding is a feature available in Config > Network > Port Forward Rules.


I want to lock-down my network but for a few exceptions. What is the best way to do this?

Simply add a rule with no qualifiers, set it to Block, and put it at the bottom of the list. This will match all traffic, so anything not explicitly passed in a rule above it will be blocked.


Why are my Firewall rules not being triggered?

Firewall rules work from top to bottom; the first rule that the traffic matches will fire. If you have a broad rule near the top of your list that is matching, no other rules will be evaluated.


Should I use pre-NAT or post-NAT addresses/ports in firewall rules?

Firewall rules always match on the address which has more information. In other words if the entire internal network is being NATd from 192.168.*.* to 1.2.3.4, Firewall will match on the 192.168.*.* for traffic to and from this network. At the session layer this works out to be pre-NAT on source address, post-NAT on destination address, pre-NAT on source port, and post-NAT on destination port. An easy way to remember this is that it always matches where it gets the most information.


I'm trying to use Firewall to filter NG Firewall administration access or SSH or local services. It's not working, why?

Firewall processing only TCP and UDP sessions going *through* NG Firewall. In order to filter/control sessions going to NG Firewall itself you will need to use Access Rules in Config > Network > Advanced > Access Rules.

Does Firewall use iptables?

No. Firewall has nothing to do with iptables. Firewall rules are not iptables rules.