Filter Incoming Traffic For A Custom Policy - Watchguard Firebox X15 User Manual

Firebox X Edge e-Series version 10: all Firebox X Edge e-Series standard and wireless models

Firewall Policies
Add a custom packet filter policy manually
You can add a custom policy without the wizard.
1. To connect to the System Status page, type https:// in the browser address bar, and the IP address
of the Firebox X Edge trusted interface.
The default URL is: https://192.168.111.1
2. From the navigation bar, select Firewall > Incoming for incoming or Firewall > Outgoing for
outgoing.
The Filter Traffic page appears.
3. Scroll to the bottom of the page.
4. Below Custom Packet Filter Policies, click Add Packet Filter Policy.
The Custom Policy page appears.
5. In the Policy Name text box, type the name for your policy.
6. From the Protocol Settings drop-down list, select TCP Port, UDP Port, or Protocol.
7. In the text box adjacent to the Port/Protocol drop-down list, type a port number or protocol number.
To use a single port, type a port number in the first text box. To use a range of ports, type the lower port
number in the first text box, and the higher port number in the second text box.
8. Click Add.
9. Repeat steps 6-8 until you have a list of all the ports and protocols that this policy uses. You can add
more than one port and more than one protocol for a custom policy. More ports and protocols make
the network less secure. Add only the ports and protocols that are necessary for your organization.

Filter incoming traffic for a custom policy

These steps restrict incoming traffic for a policy to specified computers behind the firewall. For information on
how to control outgoing traffic, see Filter outgoing traffic for a custom policy.
1. From the Incoming Filter drop-down list, select Allow or Deny.
2. If you set the Incoming Filter to Allow, type the IP address of the service host. This is the computer that
receives the traffic.
3. If you want to redirect traffic managed by this policy to another port, type the port number in the text
box adjacent to Port Redirect.
For more information, see About static NAT.
4. To limit incoming traffic from the external network to the service host, use the drop-down list to select
Host IP Address, Network IP Address, or Host Range.
5. In the address text boxes, type the host or network IP address, or type the range of IP addresses that
identify the computers on the external network that can send traffic to the service host.
You must type network IP addresses in slash notation. For more information, see About slash notation.
6. Click Add. The From box shows the host range, host IP address, or network IP address that you typed.
7. Repeat steps 4-6 until all of the address information for this custom policy is set. The From box can
have more than one entry.
8. If this policy is only for incoming traffic, keep the outgoing filter set to No Rule.
9. Click Submit.

An IP protocol number is not the same as a TCP or UDP port number. TCP is IP protocol number 6
and UDP is IP protocol number 17. If you use an IP protocol that is not TCP or UDP, you must enter
its number. IP protocol numbers include 47 for GRE (Generic Routing Encapsulation) and 50 for ESP
(Encapsulated Security Payload). TCP or UDP numbers are the most common. You can find a list of
protocol numbers at http://www.iana.org/assignments/protocol-numbers.
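
The following Python helper is an added example, not part of the WatchGuard manual or the Firebox software. It reviews a planned custom policy before you type it into the Custom Policy page: it counts the ports the policy opens and the external addresses its From list admits, and flags entries that confuse protocol numbers with ports or omit slash notation. The tuple layout and function names are assumptions made for this example, and the sample addresses are constructed.

```python
import ipaddress

def source_networks(kind, value):
    """Convert one From entry into IPv4 networks; raise ValueError if malformed."""
    if kind == "Host IP Address":
        return [ipaddress.IPv4Network(f"{ipaddress.IPv4Address(value)}/32")]
    if kind == "Network IP Address":
        if "/" not in value:
            raise ValueError("network address must use slash notation")
        return [ipaddress.IPv4Network(value)]  # strict: rejects host bits
    if kind == "Host Range":
        first, last = (ipaddress.IPv4Address(v) for v in value)
        return list(ipaddress.summarize_address_range(first, last))
    raise ValueError("unknown address type")

def review_policy(entries, sources):
    """Return (ports_opened, external_addresses_allowed, findings)."""
    ports, nets, findings = 0, [], []
    for kind, low, high in entries:
        high = low if high is None else high  # single port or protocol
        if kind == "Protocol":
            if not 0 <= low <= 255:
                findings.append(f"Protocol {low}: IP protocol numbers are 0-255")
            elif low in (6, 17):
                name = "TCP" if low == 6 else "UDP"
                findings.append(f"Protocol {low} is {name} itself, not a port; "
                                f"use a {name} Port entry")
        elif 1 <= low <= high <= 65535:
            ports += high - low + 1
        else:
            findings.append(f"{kind} {low}-{high}: invalid port or range")
    for kind, value in sources:
        try:
            nets += source_networks(kind, value)
        except ValueError as exc:
            findings.append(f"{kind} {value!r}: {exc}")
    # Collapse overlaps so an address listed twice is counted once.
    allowed = sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))
    return ports, allowed, findings

# Constructed sample policy (documentation address ranges, not from the manual).
SAMPLE_ENTRIES = [("TCP Port", 443, None), ("TCP Port", 8000, 8010),
                  ("Protocol", 6, None), ("Protocol", 47, None)]
SAMPLE_SOURCES = [("Host IP Address", "198.51.100.7"),
                  ("Network IP Address", "203.0.113.0/28"),
                  ("Host Range", ("203.0.113.10", "203.0.113.20")),
                  ("Network IP Address", "192.0.2.0")]

if __name__ == "__main__":
    print(review_policy(SAMPLE_ENTRIES, SAMPLE_SOURCES))
```

For the sample policy the helper reports 12 open ports, 22 allowed external addresses, and two findings: the Protocol 6 entry and the network address typed without a prefix length.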