Comodo Help
Find the desired product help
Comodo Dome Firewall

Comodo Dome Firewall

Dome Cloud Firewall Quick Start Guide

English

Print Help Download Help
Comodo Dome Cloud Firewall – Quick Start > Step 4 – Configure Firewall Policy
  • Comodo Dome Cloud Firewall – Quick Start
    • Step 1 - Login To Dome Cloud Firewall
    • Step 2 – Configure The Network Interfaces
    • Step 3 – Configure Your Network / Clients To Connect To Dome Cloud Firewall
    • Step 4 – Configure Firewall Policy
    • Step 5 – Configure VPN Policy
    • Step 6 - View Logs
  • About Comodo Security Solutions

Step 4 – Configure Firewall Policy

 

Before creating a firewall policy, you must first configure firewall objects. Once done, objects can be used in a firewall policy, source network address translation (SNAT), system access rules and a VPN policy. You will be able to create a new firewall policy after configuring the following objects:

  • Firewall Addresses
  • Firewall Groups (optional)
  • Schedule (optional)
  • Active Directory (optional)

 

Firewall Addresses


The firewall address object can be created in two ways:

  • From the 'Add an Address' pane. Define a name for the object and the IP address, IP range or subnet of the host(s) to be included in the object. See section below for more details.
  • By importing users from Active Directory. See 'Active Directory' for more information.

To create a new firewall address objects
  • Click 'Firewall' > 'Objects' on the left menu and click the 'Firewall Addresses' tab
  • Click 'Add an address' at top left


  • Enter the parameters for the new object as shown below:
  • Name - Specify a name for the object (15 characters max) representing the host(s) included in the object.
  • Comment - Enter a short description of the object.
  • Type - Select the type by which the hosts are to be referred in the object. The available options are:
  • Subnet - Select this if a sub network of computers is to be covered by the object and enter the sub network address
  • IP address - Select this if a single host is to be covered by the object and enter the IP address of the host
  • IP range - Select this if more than one host is to be covered by the object and enter the IP address range of the hosts
  • FQDN – Select this if a fully qualified domain name is to be covered by the object and enter the same.
  • Click 'Add'. The new object will be added to the list.

The object will be available for selection for specifying source or destination while creating a firewall rule, by starting to type the first few letters of the object name.




See 'Manage Firewall Address Objects' if you need more help with this.


Firewall Groups (Optional)


The firewall object group can be created in two ways:

  • From the 'Add a Group' pane by defining a name for the group and the member objects to be included in the group. See section below for more details.
  • Importing users from Active Directory. See 'Active Directory' for more information.

To create a new object group

  • Open the 'Firewall Groups' interface by clicking the 'Firewall Groups' tab under 'Firewall' > 'Objects'
  • Click the 'Add a group' at the top left



  • Enter the parameters for the new group as shown below:
  • Name - Specify a name for the group (15 characters max).
  • Comment - Enter a short description of the group.
  • Addresses - Enter the names of the objects separated by comma, for inclusion in the group. Typing the first few letters of the name of an object will show the matching objects as a drop-down to select from.




  • Click 'Add'. The new object will be added to the list.

The group will be available for selection for specifying source or destination while creating a firewall rule, by starting to type the first few letters of the group name.



See 'Manage Firewall Object Groups' if you need more help with this.


Schedule (optional)

 

Scheduling allows you to specify the days and times when a firewall rule should be active. Schedule objects can be added to a rule like other objects.


To create a new schedule

  • Open the 'Schedule' interface by clicking the 'Schedule' tab under 'Firewall' > 'Objects'
      • Click 'Add a Schedule' at top left



        • Enter the parameters for the new schedule as shown below:
        • Name - Specify a name for the schedule.
        • Days - Select the days of the week at which the firewall should be active.
        • Start Time and Stop Time - Enter a time at which the firewall should be started and stopped at the selected days in 24 Hrs time format.
        • Click 'Add' for the new schedule to be created.

        The schedule will be available for selection while creating and editing individual firewall rules from the 'Policy Firewall' interface.



        See 'Manage Firewall Schedules' if you need more help with this.


        Active Directory (optional)

        Integrating your Active Directory (AD) server with Dome Cloud Firewall allows you to implement identity-based security on your network. Once a directory has been imported, DCF will map usernames to IP addresses, allowing you to apply firewall policies to individuals or groups.

        See 'Active Directory Integration' for details about importing AD to DCF.

        Once the AD has been successfully imported into DCF, the LDAP table in the Active Directory interface displays the domains. Clicking the domain name expands the tree structure of the active directory.


        You can add the users to firewall objects and user groups to firewall object groups from the tree LDAP table.


        Adding User to Firewall Objects

        • Click the Domain name to expand the tree structure of the active directory.
        • Locate the user by expanding the parents.
        • Click 'Add User' to add the user to Firewall Objects.



        Adding User Groups to Firewall Objects

        • Click the Domain name to expand the tree structure of the active directory.
        • Locate the user group by expanding the parents.
        • Click 'Add Group' to add the user group to Firewall Object Groups.



        Once the firewall objects configuration is completed, you can create a firewall policy.


        To create a new firewall rule

        • Open the 'Firewall Policy' interface by clicking 'Firewall' > 'Policy' from the left hand side navigation and selecting 'Firewall Policy' tab.

        • Click the 'Add a new firewall rule' link at the top left. The 'Policy Firewall Rule Editor' will open.



        The 'Policy Firewall Rule Editor' interface is divided into three areas for specifying the different components of the rule:

        Address Settings and Schedule

         -

         Choose the source and destination of the traffic and set a schedule for the rule to be active

        Service/Port

        -

        Specify the service pertaining to the traffic to be intercepted by the rule

        Policy Settings

         -

        Configure to allow or block the traffic intercepted by the rule

        Address Settings and Schedule

        • Incoming Interface - Choose the interface device or the physical port at which the traffic is received, from the drop-down.

        • Source Address – Choose the firewall object or the object group that covers the IP address, IP address range or the subnet, at which the traffic to be intercepted by the rule, is received.

        If a firewall object covering the IP address/IP Address range or the subnet to be specified has not been created under the Firewall Objects interface previously, you can create a new object from this interface too.

        • Outgoing Interface - Choose the interface device or the physical port to which the traffic is directed, from the drop-down.
        • Destination Address - Choose the 'Firewall Object' or 'Object Group' containing the IP address, IP Address Range or the subnet of the host(s) to which the traffic is directed, from the drop-down.
        If a firewall object covering the IP address/IP Address range or the subnet to be specified has not been created under the 'Firewall Objects' interface previously, you an create a new object from this interface too by clicking 'Create' from the drop-down.
        • Schedule - The 'Schedule Objects' added to the Firewall Objects > Schedule interface will be available in the drop-down. Choose the schedule object(s) that cover the time period(s) for which the rule needs to be active from the drop-down.
        If the schedule object covering the required time period P to be specified has not been created under the Firewall Objects > Schedule previously, you can create a new object from this interface too by clicking 'Create' from the drop-down.


        Service/Port


        Service/Port - Select the type or the service hosted by the source, the protocol and the port used by the service.

        • Service - Choose the type of service from the drop-down

        • Protocol - Choose the protocol used by the service

        • Destination port - Specify the destination port(s) of the service one by one, in the 'Destination Port' text box.

        Tip: DCF is configured with predefined combinations of service/protocol/port, like HTTP/TCP/80, [ALL]/TCP+UDP/0:65535, or [ANY], which is a shortcut for all services, protocols, and ports. If you want to specify custom protocol/port combination, then select 'User Defined' from the service. You can also specify additional destination ports for standard combinations, for  the services that run on ports different from the standard ones.

         

        Policy Settings

        • Action - Specify whether the packets matching the rule should be allowed or denied from the Policy drop-down. The options available are:

        • Allow - The data packets will be allowed without filtering
        • Deny - The packets will be dropped
        • Reject - The packets will be rejected, and error packets will be sent in response

        • Remark - Enter a short description for the rule. The description will appear in the Remark column of the Rules table.

        • Position - Set the priority for the rule in the list of rules in the respective rules interface. The rules in the iptables are processed in the order they appear on the list.

        • Enabled - Leave this checkbox selected if you want the rule to be activated upon creation.

        • Log all accepted packets - Select this checkbox if you want the packets allowed by the rule are to be logged.



        • Click 'Create Rule'. A confirmation dialog will appear.


        Configuring the Policy Firewall Settings


        The lower 'Policy Firewall Settings' pane allows the administrator to enable/disable the Policy firewall rules and to opt for logging the packets that pass the rule and analysis of HTTPS sites.



        • Use the 'Enable policy firewall' toggle switch to switch the state of the VPN firewall.
        • Select the 'Log accepted policy connections' check box to log the packets that has passed the Firewall Policy.
        • Select the 'Intercept SSL Traffic' check box in order for analysis of HTTPS sites. Please note the SSL certificate of DCF should be installed on endpoints for this feature to work.
        • Click 'Save' for your settings to take effect .

        Policy firewall rule activities are logged, including date, time, type of event, subject id, component name and event outcome.


        See 'Manage Firewall Configuration' if you need more help with this.


        Other firewall rules that can be configured from the firewall section include:

        • Source Network Address Translation (SNAT) rules. See 'Source Network Address Translation' for more details

        • Virtual IP rules – See 'Configure Virtual IP for Destination Network Address Translation' for more details

        • System Access rules – See 'Configure System Access' for more details.
        Our Products
        • Free Antivirus
        • Free Internet Security
        • Website Malware Removal
        • Free Anti-Malware
        • Anti-Spam (Free Trial)
        • Windows Antivirus
        • Antivirus for Windows 7
        • Antivirus for Windows 8
        • Antivirus for Windows 10
        • Antivirus for MAC
        • Antivirus for Linux
        • Free Endpoint Security
        • Free ModSecurity
        • Free RMM
        • Free Website Malware Scanner
        • Free Device Manager for Android
        • Free Demo
        • Network Security
        • Endpoint Protection
        • Antivirus for Android
        • Comodo Antivirus
        • Wordpress Security
        Cheap CDN
        • Bootstrap CDN
        • Semantic UI CDN
        • Jquery CDN
        • CDN Plans
        • CDN
        • Free CDN
        Enterprise
        • Patch Management Software
        • Patch Manager
        • Service Desk
        • Website Down
        • Endpoint Protection Solutions
        • Website Security Check
        • Remote Monitoring and Management
        • Website Security
        • Device Manager
        • ITSM
        • CRM
        • MSP
        • Android Device Manager
        • MDR Services
        • Ransomware Prevention
        • Managed IT Support Services
        • Free EDR
        Free SSL Certificate
        Support Partners Terms and Conditions Privacy Policy

        © Comodo Group, Inc. 2024. All rights reserved.