Configure Firewall

Configure the Firewall module to define its behavior for a policy.

When designing the module's behavior and implementing it using the API, use the same background information and guidance that is provided in the Deep Security Help Center.

Policy objects contain two objects that you use to configure the Firewall module:

  • FirewallPolicyExtension: Controls the module state (on or off), identifies the applied firewall rules, and identifies the stateful configuration to use with the module.
  • PolicySettings: Policy settings include many Firewall-related settings that control the runtime behavior of the module, such as the behavior of reconnaissance scans, network engine mode (tap or inline), network engine settings, and event management. Configure Firewall-related policy settings as described in Configure policy and default policy settings.

The following JSON represents the data structure of a FirewallPolicyExtension object:

{
    "state": "off",
    "moduleStatus": {...},
    "globalStatefulConfigurationID": 1,
    "ruleIDs": [...]
}

The moduleStatus property is read-only. It provides the runtime status of the Firewall module. (See Report on Computer Status.)

General steps

To configure Firewall, use the following general steps:

  1. Create a FirewallPolicyExtension object and set the properties.
  2. Create a PolicySettings object to configure runtime settings of the module.
  3. Create a Policy object and add the FirewallPolicyExtension and PolicySettings objects.
  4. Use a PoliciesApi object to add or update the policy on Deep Security Manager.

Create a FirewallPolicyExtension object and set the state and rule IDs:

Python
firewall_policy_extension = api.FirewallPolicyExtension()
firewall_policy_extension.state = "on"
firewall_policy_extension.rule_ids = rule_ids
JavaScript
const firewallPolicyExtension = new api.FirewallPolicyExtension();
firewallPolicyExtension.state = api.FirewallPolicyExtension.StateEnum.on;
firewallPolicyExtension.ruleIDs = ruleIDs;
Java
FirewallPolicyExtension firewallPolicyExtension = new FirewallPolicyExtension();
firewallPolicyExtension.setState(FirewallPolicyExtension.StateEnum.ON);
firewallPolicyExtension.setRuleIDs(ruleIDs);

Next, create a PolicySettings object to configure Firewall-related settings. (For detailed information about policy settings, see Configure policy and default policy settings.) For example, you can enable reconnaissance scans:

Python
policy_settings = api.PolicySettings()
setting_value = api.SettingValue()
setting_value.value = True
policy_settings.firewall_setting_reconnaissance_enabled = setting_value
JavaScript
const policySettings = new api.PolicySettings();
const settingValue = new api.SettingValue();
settingValue.value = "true";
policySettings.firewallSettingReconnaissanceEnabled = settingValue;
Java
PolicySettings policySettings = new PolicySettings();
SettingValue settingValue = new SettingValue();
settingValue.setValue("true");
policySettings.setFirewallSettingReconnaissanceEnabled(settingValue);

At this point, the Firewall policy extension and the policy settings are configured. Next, add them to a Policy object, and use a PoliciesApi object to modify a policy on Deep Security Manager.

Python
policy = api.Policy()
policy.firewall = firewall_policy_extension
policy.policy_settings = policy_settings

policies_api = api.PoliciesApi(api.ApiClient(configuration))
returned_policy = policies_api.modify_policy(policy_id, policy, api_version)
JavaScript
const policy = new api.Policy();
policy.firewall = firewallPolicyExtension;
policy.policySettings = policySettings;

const policiesApi = new api.PoliciesApi();
return policiesApi.modifyPolicy(policyID, policy, apiVersion, { overrides: false });
Java
Policy policy = new Policy();
policy.setFirewall(firewallPolicyExtension);
policy.setPolicySettings(policySettings);

PoliciesApi policiesApi = new PoliciesApi();
Policy returnedPolicy = policiesApi.modifyPolicy(policyID, policy, Boolean.FALSE, apiVersion);

The policy_id (or policyID) parameter of modifyPolicy identifies the actual policy on Deep Security Manager that is to be modified. This policy is modified according to the policy object that is used as the policy parameter. Any properties of the policy parameter that are not set remain unchanged on the actual policy.
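As an added example (not the SDK's own code and not part of the original page), the following Python builds the same partial update as plain dicts shaped like the documented JSON, applies it with the merge semantics just described, and checks the result the way you would after modify_policy returns. The existing policy is constructed sample data, and the whole-list replacement of ruleIDs is an assumption.

```python
from copy import deepcopy
from typing import Any

# Constructed sample: the policy as it currently exists on the manager.
# moduleStatus is read-only and must never appear in an update.
EXISTING_POLICY = {
    "ID": 7,
    "name": "Web servers",
    "firewall": {
        "state": "off",
        "moduleStatus": {"agentStatus": "inactive"},
        "globalStatefulConfigurationID": 1,
        "ruleIDs": [11],
    },
    "policySettings": {
        "firewallSettingReconnaissanceEnabled": {"value": "false"},
        "firewallSettingNetworkEngineMode": {"value": "Inline"},
    },
}

def build_firewall_update(rule_ids: list[int], reconnaissance: bool) -> dict[str, Any]:
    """Return only the properties to change: firewall state and rule list, plus
    the reconnaissance-scan setting. Everything else is left out so the manager
    keeps its current values (duplicates in rule_ids are dropped, order kept)."""
    if not rule_ids or not all(isinstance(r, int) and r > 0 for r in rule_ids):
        raise ValueError("rule_ids must be a non-empty list of positive integers")
    return {
        "firewall": {"state": "on", "ruleIDs": list(dict.fromkeys(rule_ids))},
        "policySettings": {
            "firewallSettingReconnaissanceEnabled": {"value": "true" if reconnaissance else "false"}
        },
    }

def apply_modify_policy(existing: dict, update: dict) -> dict:
    """Simulate modifyPolicy's merge: nested objects are merged key by key, unset
    properties stay unchanged, and list-valued properties such as ruleIDs are
    replaced whole (assumed here). The read-only moduleStatus is rejected."""
    merged = deepcopy(existing)
    for key, value in update.items():
        if key == "moduleStatus":
            raise ValueError("moduleStatus is read-only")
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = apply_modify_policy(merged[key], value)
        else:
            merged[key] = deepcopy(value)
    return merged

def firewall_enforced(policy: dict, expected_rule_ids: list[int]) -> bool:
    """Post-change check: module on and exactly the expected rules assigned."""
    fw = policy.get("firewall", {})
    return fw.get("state") == "on" and set(fw.get("ruleIDs", [])) == set(expected_rule_ids)
```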

Example

The following example creates a Policy object, modifies its FirewallPolicyExtension, and configures a policy setting. The policy is then updated on Deep Security Manager.

Python
import deepsecurity as api

def configure_firewall_policy(configuration, policy_id, rule_ids, api_version):
    policies_api = api.PoliciesApi(api.ApiClient(configuration))
    policy = api.Policy()
    firewall_policy_extension = api.FirewallPolicyExtension()

    # Turn on firewall
    firewall_policy_extension.state = "on"

    # Assign rules
    firewall_policy_extension.rule_ids = rule_ids

    # Add the firewall state to the policy
    policy.firewall = firewall_policy_extension

    # Turn on reconnaissance scan
    policy_settings = api.PolicySettings()
    setting_value = api.SettingValue()
    setting_value.value = True
    policy_settings.firewall_setting_reconnaissance_enabled = setting_value

    # Add reconnaissance scan state to the policy
    policy.policy_settings = policy_settings

    # Modify the policy on Deep Security Manager
    return policies_api.modify_policy(policy_id, policy, api_version)
JavaScript
// `api` is the Deep Security JavaScript SDK module, as in the snippets above.
function configureFirewallPolicy(policyID, ruleIDs, apiVersion) {
  return new Promise((resolve, reject) => {
    const policy = new api.Policy();
    const policiesApi = new api.PoliciesApi();
    const firewallPolicyExtension = new api.FirewallPolicyExtension();

    // Turn on firewall
    firewallPolicyExtension.state = api.FirewallPolicyExtension.StateEnum.on;

    // Assign rules
    firewallPolicyExtension.ruleIDs = ruleIDs;

    // Add to the policy
    policy.firewall = firewallPolicyExtension;

    // Turn on reconnaissance scan
    const policySettings = new api.PolicySettings();
    const settingValue = new api.SettingValue();
    settingValue.value = "true";
    policySettings.firewallSettingReconnaissanceEnabled = settingValue;

    // Add to the policy
    policy.policySettings = policySettings;

    // Send the change to Deep Security Manager
    policiesApi
      .modifyPolicy(policyID, policy, apiVersion, { overrides: false })
      .then(modifiedPolicy => {
        resolve(modifiedPolicy.ID);
      })
      .catch(error => {
        reject(error);
      });
  });
}
Java
// Requires the SDK's PoliciesApi, ApiException and model classes to be imported.
public static Policy configureFirewallPolicy(Integer policyId, List<Integer> ruleIDs, String apiVersion)
        throws ApiException {
    // Turn on Firewall
    FirewallPolicyExtension firewallPolicyExtension = new FirewallPolicyExtension();
    firewallPolicyExtension.setState(FirewallPolicyExtension.StateEnum.ON);

    // Add rules
    firewallPolicyExtension.setRuleIDs(ruleIDs);

    // Add to the policy
    Policy policy = new Policy();
    policy.setFirewall(firewallPolicyExtension);

    // Turn on Reconnaissance Scan
    PolicySettings policySettings = new PolicySettings();
    SettingValue settingValue = new SettingValue();
    settingValue.setValue("true");
    policySettings.setFirewallSettingReconnaissanceEnabled(settingValue);

    // Add to the policy
    policy.setPolicySettings(policySettings);

    // Update the policy on Deep Security Manager
    PoliciesApi policiesApi = new PoliciesApi();
    return policiesApi.modifyPolicy(policyId, policy, Boolean.FALSE, apiVersion);
}

Also see the Modify a Policy operation in the API Reference.

If you only need to add, remove, or list Firewall rules for a policy, use the PolicyFirewallRuleAssignmentsApi class. The previous example uses the FirewallPolicyExtension, Policy, and PoliciesApi classes to add Firewall rules, but this can also be done using only the PolicyFirewallRuleAssignmentsApi class. For more information, see Policy Firewall Rule Assignments in the Policies section of the API Reference.

For information about authenticating API calls, see Authenticate with Deep Security Manager.

Create a firewall rule

Generally, to create a Firewall rule you perform the following steps:

  1. Create a FirewallRule object.
  2. Set the rule properties. The properties are as described in the Deep Security Help Center.

    You can use the API to create related objects that can be used with multiple rules, such as MAC lists, rule contexts, and schedules. See Create and Modify Lists and Create and Configure Schedules.

  3. Create a FirewallRulesApi object to create the rule on Deep Security Manager.

Although Log Inspection rules have different properties than Firewall rules, the way you create the rules is similar. You might find the Create a basic Log Inspection rule example helpful.

To use the API to create a Firewall rule, send a POST request to the /api/firewallrules endpoint. (See the Create a Firewall Rule operation in the API Reference.)

Limitations to configuring stateful configurations

The following properties of stateful configurations are supported only for Deep Security Agent version 8.0 and earlier:

  • ACK storm protection
  • Allow incoming or outgoing passive and active FTP connections

Therefore, these properties are not configurable using the API or an SDK. You must use the Deep Security Manager console to configure these settings. See Define stateful firewall configurations in the Deep Security Help Center.