Configure Firewall
Configure the Firewall module to define its behavior for a policy.
When designing the module's behavior and implementing it using the API, use the same background information and guidance that is provided in the Deep Security Help Center.
Policy objects contain two objects that you use to configure the Firewall module:
FirewallPolicyExtension
: Controls the module state (on or off), identifies the applied firewall rules, and identifies the stateful configuration to use with the module.PolicySettings
: Policy settings include many Firewall-related settings that control the runtime behavior of the module, such as the behavior of reconnaissance scans, network engine mode (tap or inline), network engine settings, and event management.Configure Firewall-related policy settings as described in Configure policy and default policy settings.
The following JSON represents the data structure of a FirewallPolicyExtension
object:
{ "state": "off", "moduleStatus": {...}, "globalStatefulConfigurationID": 1, "ruleIDs": [...] }
The moduleStatus
property is read-only. It provides the runtime status of the Firewall module. (See Report on Computer Status.)
General steps
To configure Firewall, use the following general steps:
- Create a
FirewallPolicyExtension
object and set the properties. - Create a
PolicySettings
object to configure runtime settings of the module. - Create a
Policy
object and add theFirewallPolicyExtension
andPolicySettings
objects. - Use a
PoliciesApi
object to add or update the policy on Deep Security Manager.
Create a FirewallPolicyExtension
object and set the state and rule IDs:
firewall_policy_extension = api.FirewallPolicyExtension() firewall_policy_extension.state = "on" firewall_policy_extension.rule_ids = rule_ids;
const firewallPolicyExtension = new api.FirewallPolicyExtension(); firewallPolicyExtension.state = api.FirewallPolicyExtension.StateEnum.on; firewallPolicyExtension.ruleIDs = ruleIDs;
FirewallPolicyExtension firewallPolicyExtension = new FirewallPolicyExtension(); firewallPolicyExtension.setState(FirewallPolicyExtension.StateEnum.ON); firewallPolicyExtension.setRuleIDs(ruleIDs);
Next, create a PolicySettings
objectto configure Firewall-related settings. (For detailed information about policy settings, seeConfigure policy and default policy settings.) For example, you can enable reconnaissance scans:
policy_settings = api.PolicySettings() setting_value = api.SettingValue() setting_value.value = True policy_settings.firewall_setting_reconnaissance_enabled = setting_value
const policySettings = new api.PolicySettings(); const settingValue = new api.SettingValue(); settingValue.value = "true"; policySettings.firewallSettingReconnaissanceEnabled = settingValue;
PolicySettings policySettings = new PolicySettings(); SettingValue settingValue = new SettingValue(); settingValue.setValue("true"); policySettings.setFirewallSettingReconnaissanceEnabled(settingValue);
At this point, the Firewall policy extension and the policy settings are configured. Next, add them to a Policy
object, and use a PoliciesApi
object to modify a policy on Deep Security Manager.
policy = api.Policy() policy.firewall = firewall_policy_extension policy.policy_settings = policy_settings policies_api = api.PoliciesApi(api.ApiClient(configuration)) returned_policy = policies_api.modify_policy(policy_id, policy, api_version)
const policy = new api.Policy(); policy.firewall = firewallPolicyExtension; policy.policySettings = policySettings; const policiesApi = new api.PoliciesApi(); return policiesApi.modifyPolicy(policyID, policy, apiVersion, { overrides: false });
Policy policy = new Policy(); policy.setFirewall(firewallPolicyExtension); policy.setPolicySettings(policySettings); PoliciesApi policiesApi = new PoliciesApi(); Policy returnedPolicy = policiesApi.modifyPolicy(policyID, policy, Boolean.FALSE, apiVersion);
The policy_id
(or policyID
) parameter of modifyPolicy
identifies the actual policy on Deep Security Manager that is to be modified. This policy is modified according to the policy object that is used as the policy
parameter. Any properties of the policy
parameter that are not set remain unchanged on the actual policy.
Example
The following example creates a Policy
object, modifies its FirewallPolicyExtension
, and configures a policy setting. The policy is then updated on Deep Security Manager.
policies_api = api.PoliciesApi(api.ApiClient(configuration)) policy = api.Policy() firewall_policy_extension = api.FirewallPolicyExtension() # Turn on firewall firewall_policy_extension.state = "on" # Assign rules firewall_policy_extension.rule_ids = rule_ids; # Add the firewall state to the policy policy.firewall = firewall_policy_extension # Turn on reconnaissance scan policy_settings = api.PolicySettings() setting_value = api.SettingValue() setting_value.value = True policy_settings.firewall_setting_reconnaissance_enabled = setting_value # Add reconnaissance scan state to the policy policy.policy_settings = policy_settings # Modify the policy on Deep Security Manager return policies_api.modify_policy(policy_id, policy, api_version)
const policy = new api.Policy(); const policiesApi = new api.PoliciesApi(); const firewallPolicyExtension = new api.FirewallPolicyExtension(); // Turn on firewall firewallPolicyExtension.state = api.FirewallPolicyExtension.StateEnum.on; // Assign rules firewallPolicyExtension.ruleIDs = ruleIDs; // Add to the policy policy.firewall = firewallPolicyExtension; // Turn on reconnaisance scan const policySettings = new api.PolicySettings(); const settingValue = new api.SettingValue(); settingValue.value = "true"; policySettings.firewallSettingReconnaissanceEnabled = settingValue; // Add to the policy policy.policySettings = policySettings; // Send the change to Deep Security Manager policiesApi .modifyPolicy(policyID, policy, apiVersion, { overrides: false }) .then(modifiedPolicy => { resolve(modifiedPolicy.ID); }) .catch(error => { reject(error); });
// Turn on Firewall FirewallPolicyExtension firewallPolicyExtension = new FirewallPolicyExtension(); firewallPolicyExtension.setState(FirewallPolicyExtension.StateEnum.ON); // Add rules firewallPolicyExtension.setRuleIDs(ruleIDs); // Add to the policy Policy policy = new Policy(); policy.setFirewall(firewallPolicyExtension); // Turn on Reconnaissance Scan PolicySettings policySettings = new PolicySettings(); SettingValue settingValue = new SettingValue(); settingValue.setValue("true"); policySettings.setFirewallSettingReconnaissanceEnabled(settingValue); // Add to the policy policy.setPolicySettings(policySettings); // Update the policy on Deep Security Manager PoliciesApi policiesApi = new PoliciesApi(); return policiesApi.modifyPolicy(policyId, policy, Boolean.FALSE, apiVersion);
Also see the Modify a Policy operation in the API Reference.
If you only need to add, remove, or list Firewall rules for a policy, use the PolicyFirewallRuleAssignmentsApi
class. The previous example uses the FirewallPolicyExtension
, Policy
, and PoliciesApi
classes to add Firewall rules, but this can also be done using only the PolicyFirewallRuleAssignmentsApi
class. For more information, see Policy Firewall Rule Assignments in the Policies section of the API Reference.
For information about authenticating API calls, see Authenticate with Deep Security Manager.
Create a firewall rule
Generally, to create a Firewall rule you perform the following steps:
- Create a
FirewallRule
object. -
Set the rule properties. The properties are as described in the Deep Security Help Center.
You can use the API to create related objects that can be used with multiple rules, such as MAC lists, rule contexts, and schedules. See Create and Modify Listsand Create and Configure Schedules.
-
Create a
FirewallRulesApi
object to create the rule on Deep Security Manager.
Although Log Inspection rules have different properties than Firewall rules, the way you create the rules are similar. You might find the Create a basic Log Inspection rule example helpful.
To use the API to create a Firewall rule, send a POST request to the /api/firewallrules
endpoint. (See the Create a Firewall Rule operation in the API Reference.)
Limitations to configuring stateful configurations
The following properties of stateful configurations are supported only for Deep Security Agent version 8.0 and earlier versions:
- ACK storm protection
- Allow incoming or outgoing passive and active FTP connections
Therefore, these properties are not configurable using the API or an SDK. You must use the Deep Security Manager console to configure these settings. See Define stateful firewall configurations in the Deep Security Help Center.