Step 2: Create Cloud Firewall Policies
You must create Network Layer Policies to apply Cloud Firewall capabilities.
- From the Management Console, Select Protect > Access Control.
- Click the Network Layer Policy tab, click New.
- Enter a Name with only alphanumeric characters, no special characters other than the underscore, and no spaces.
- (Optional) Enter a Description.
- (Optional) To specify a time range in which this network policy will be applicable, click the Time Window toggle. Then, select these options:
- The days of the week for which you want to apply a time window
- The time range for those days
The time is calculated based on the public IP address of the client from which the traffic originates.
- To add another time window, click the + icon at the right, then select the days and time ranges for that time window.
To add a time range for after office hours (for example, from 7:00 PM to 8:00 AM), you need to configure two time-window settings: the first for the hours up until midnight, the second for the hours starting at midnight and ending at the desired morning time.
To set after-office hours time window options:
- Set a time range from 7:00 PM until 0:00 (midnight).
- Click the + sign to add a time range from 0:00 (midnight) until 8:00 AM.
- Click Next to select networks, context rules, and actions.
- From the left menu, select the networks to include in the policy. These are the Destination IP Networks from the Category Management page.
- Under Context Rules, select the context types to include in the policy. For each context type, select the appropriate context.
Example: For the context type Source IP Addresses, select one or more IP addresses. These are the Source IP Networks from the Category Management page.
To view the complete list of context types, see Context types for Cloud Firewall policies.
- Select any Context Exceptions. The policy will exclude these context types from enforcement.
- Select an Application Service:
Select the protocol, Destination Port, and Source Port options. The available protocols are:
- Any: Select Any if you want to create network layer policies for any protocol and any port. Destination port: Any port (0 to 65535); any Destination port that exists will be used.
- TCP or UDP: To specify TCP or UDP, you can also select Custom from the Protocol prompt and enter the protocol value in the Identifier field. From the Destination Port prompt, you can do one of the following:
  - Specific ports: This is the default option. Enter a custom port number or select from the list of predefined port numbers.
  - Any port: Any Destination port that exists will be used (0 to 65535).
- ICMP: Internet Control Message Protocol, a connectionless protocol used to diagnose network issues (for example, whether data is reaching its destination in a timely manner). ICMP does not have port numbers.
- Custom: Enter an identifier for the service. This can be a value between 0 and 255, as defined in the IANA protocol numbers.
- Click Save after selecting the Destination port.
- (Optional) Source Port: If you want to define a source port, you can enter a single port, a port range, or a comma-separated list of ports. If you leave this field blank, the policy match will be applied based on any source port value.
Data protection controls can be enforced for private web applications running on custom ports.
- Under Actions, select Allow & Log, Deny, or Allow & Inspect for private applications.
- Click Next.
- Review the policy settings and click Confirm.
If a device's posture changes, the network layer policies will be applied based on the updated posture. Any connections that existed before the change in device posture will be dropped, and new connections will be established according to the policy that now applies.
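The steps above describe how a policy is assembled in the console but not how its parts combine when a connection is evaluated. The following Python model is added here as an illustration; it is not the product's own code or API. It shows the policy name rule, the Source Port syntax (single port, range, comma-separated list, blank for any), the two-window construction for after-office hours, ICMP and Custom protocols carrying no port numbers, Context Exceptions, and first-match evaluation of an ordered policy list. Every class and function name (NetworkLayerPolicy, AppService, TimeWindow, parse_port_spec, first_match), the sample networks and the sample policies are constructed assumptions, and the model takes the client's local time as given rather than deriving it from the public IP address as the product does.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_address, ip_network
import re

# Console rule for the policy Name: alphanumerics and underscore only, no spaces.
NAME_RE = re.compile(r"[A-Za-z0-9_]+")
# IANA protocol numbers for the named protocols the console offers.
PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17}


def validate_policy_name(name):
    return NAME_RE.fullmatch(name) is not None


def proto_number(proto):
    """Normalise 'tcp'/'udp'/'icmp' or a Custom identifier (0-255) to a number."""
    num = PROTO_NUMBERS[proto] if isinstance(proto, str) else int(proto)
    if not 0 <= num <= 255:
        raise ValueError(f"protocol identifier out of range: {proto!r}")
    return num


def parse_port_spec(spec):
    """Port syntax from the console: '' -> None (any port), '443' -> {443},
    '1024-2000' -> every port in the range, '22,80,443' -> {22, 80, 443}."""
    spec = spec.strip()
    if not spec:
        return None
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo = int(lo)
        hi = int(hi) if hi else lo
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"port out of range: {part!r}")
        ports.update(range(lo, hi + 1))
    return ports


@dataclass
class TimeWindow:
    days: set             # datetime.weekday() values: Monday=0 ... Sunday=6
    start: time
    end: time             # time(0, 0) as the end means "until midnight"

    def contains(self, when):
        # Assumption: `when` is already the client's local time.
        if when.weekday() not in self.days:
            return False
        t = when.time()
        if self.end == time(0, 0):
            return t >= self.start
        return self.start <= t < self.end


def after_hours_windows(days):
    """The two-window construction the steps describe for 7:00 PM to 8:00 AM."""
    return [TimeWindow(days, time(19, 0), time(0, 0)),
            TimeWindow(days, time(0, 0), time(8, 0))]


@dataclass
class AppService:
    protocol: object          # "any", "tcp", "udp", "icmp", or a Custom identifier
    dst_ports: object = None  # result of parse_port_spec(); None = any port
    src_ports: object = None

    def matches(self, proto, dst_port, src_port):
        if self.protocol != "any" and proto_number(self.protocol) != proto_number(proto):
            return False
        if proto_number(proto) not in (6, 17):
            return True       # ICMP and other non-TCP/UDP protocols carry no ports
        if self.dst_ports is not None and dst_port not in self.dst_ports:
            return False
        return self.src_ports is None or src_port in self.src_ports


@dataclass
class NetworkLayerPolicy:
    name: str
    action: str                     # "Allow & Log", "Deny" or "Allow & Inspect"
    service: AppService
    destination_networks: list      # Destination IP Networks (Category Management)
    source_networks: list = field(default_factory=list)    # context: Source IP Addresses
    source_exceptions: list = field(default_factory=list)  # Context Exceptions
    time_windows: list = field(default_factory=list)       # empty = always applicable

    def __post_init__(self):
        if not validate_policy_name(self.name):
            raise ValueError(f"invalid policy name: {self.name!r}")

    def applies_to(self, src_ip, dst_ip, proto, dst_port, src_port, when):
        src, dst = ip_address(src_ip), ip_address(dst_ip)
        if self.time_windows and not any(w.contains(when) for w in self.time_windows):
            return False
        if not any(dst in net for net in self.destination_networks):
            return False
        if self.source_networks and not any(src in net for net in self.source_networks):
            return False
        if any(src in net for net in self.source_exceptions):
            return False
        return self.service.matches(proto, dst_port, src_port)


def first_match(policies, when, **flow):
    """Return (name, action) of the first policy that applies, else (None, None)."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    for policy in policies:
        if policy.applies_to(when=when, **flow):
            return policy.name, policy.action
    return None, None


# Constructed sample policies (not from the page), using documentation address ranges.
WEEKDAYS = {0, 1, 2, 3, 4}
POLICIES = [
    NetworkLayerPolicy("deny_rdp_after_hours", "Deny",
                       AppService("tcp", parse_port_spec("3389")), [ip_network("10.0.0.0/8")],
                       source_networks=[ip_network("192.0.2.0/24")],
                       source_exceptions=[ip_network("192.0.2.10/32")],
                       time_windows=after_hours_windows(WEEKDAYS)),
    NetworkLayerPolicy("inspect_private_web", "Allow & Inspect",
                       AppService("tcp", parse_port_spec("443,8443"), parse_port_spec("1024-65535")),
                       [ip_network("10.0.0.0/8")]),
    NetworkLayerPolicy("allow_icmp_diag", "Allow & Log",
                       AppService("icmp"), [ip_network("10.0.0.0/8")]),
]
```

Calling `first_match(POLICIES, "2024-03-05T22:30", src_ip="192.0.2.5", dst_ip="10.1.2.3", proto="tcp", dst_port=3389, src_port=50000)` returns the Deny policy because the Tuesday-evening timestamp falls in the 7:00 PM to midnight window; the same flow from the excepted host 192.0.2.10, or at 10:00 AM, matches nothing. The model is deliberately order-sensitive so that a broad Allow placed above a narrow Deny is visible as a misordering when you run your own policy list through it.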