Configuring the filter policy

The filter policy can be configured in Configuration > Security Policy > Filter - NAT, Filtering tab.

Create the following rules for the purposes of our reference architecture:

  • A rule allowing DNS resolution,

  • A rule allowing the “in” network to access the “Internet” using HTTP,

  • A rule allowing the “in” network to access the “Internet” using HTTPS,

  • A rule allowing the “in” network to access the web server using HTTPS,

  • A rule allowing the “Internet” to reach the web server using HTTPS.

TIP
Add separators to your filter policy for better organization.

Enabling DNS resolution

  1. Click on New rule > Single rule.
  2. Double-click on the number of the new rule to edit it; a new window will open.
  3. In the General tab, Status field: select On.
  4. In the Action tab, Action field: select pass.
  5. In the Source tab, Source hosts field: select Network_in.
  6. In the Destination tab, Destination hosts field: select Internet.
  7. In the Port - Protocol tab, Port field: select dns_udp.
  8. Click on OK.

Allowing the “in” network to access the “Internet” using HTTP

  1. Click on New rule > Single rule.
  2. Double-click on the number of the new rule to edit it; a new window will open.
  3. In the General tab, Status field: select On.
  4. In the Action tab, Action field: select pass.
  5. In the Source tab, Source hosts field: select Network_in.
  6. In the Destination tab, Destination hosts field: select Internet.
  7. In the Port - Protocol tab, Port field: select http.
  8. In the Inspection tab, under Application inspection, URL filtering field: select a URL filter policy (URLFilter_00 in our example).
  9. Click on OK.

Allowing the “in” network to access the “Internet” using HTTPS

  1. Click on New rule > Single rule.
  2. Double-click on the number of the new rule to edit it; a new window will open.
  3. In the General tab, Status field: select On.
  4. In the Action tab, Action field: select pass.
  5. In the Source tab, Source hosts field: select Network_in.
  6. In the Destination tab, Destination hosts field: select Internet.
  7. In the Port - Protocol tab, Port field: select https.
  8. Click on OK.

Allowing the “in” network to access the web server using HTTPS

  1. Click on New rule > Single rule.
  2. Double-click on the number of the new rule to edit it; a new window will open.
  3. In the General tab, Status field: select On.
  4. In the Action tab, Action field: select pass.
  5. In the Source tab, Source hosts field: select Network_in.
  6. In the Destination tab, Destination hosts field: select the object that represents the web server (srv_web_private in our example).
  7. In the Port - Protocol tab, Port field: select https.
  8. Click on OK.

Allowing the “Internet” to reach the web server using HTTPS

  1. Click on New rule > Single rule.
  2. Double-click on the number of the new rule to edit it; a new window will open.
  3. In the General tab, Status field: select On.
  4. In the Action tab, Action field: select pass.
  5. In the Source tab:
    • Source hosts field: select Internet.
    • Incoming interface field: select out.
  6. In the Destination tab, Destination hosts field: select Firewall_out.
  7. In the Port - Protocol tab, Port field: select https.
  8. Click on OK.

Click on Apply to save changes.
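
To review the resulting policy before relying on it, the five rules above can be written down as data and test flows run against them. This is an added example, not Stormshield code or output: the rule labels, the top-down first-match model, the final implicit block and the dns_tcp flow label are assumptions of the sketch, while the object names are the ones used on this page.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str                         # hypothetical label, not a firewall field
    src: str
    dst: str
    port: str
    in_iface: Optional[str] = None    # None = rule does not pin an interface
    url_filter: Optional[str] = None  # URL filter policy, if one is selected

# The five rules, in the order this page creates them.
POLICY = [
    Rule("dns", "Network_in", "Internet", "dns_udp"),
    Rule("in-http", "Network_in", "Internet", "http", url_filter="URLFilter_00"),
    Rule("in-https", "Network_in", "Internet", "https"),
    Rule("in-to-web", "Network_in", "srv_web_private", "https"),
    Rule("internet-to-web", "Internet", "Firewall_out", "https", in_iface="out"),
]

def evaluate(src, dst, port, in_iface=None):
    """Return (action, rule name) for the first rule matching the flow."""
    for r in POLICY:
        if (r.src, r.dst, r.port) != (src, dst, port):
            continue
        if r.in_iface is not None and r.in_iface != in_iface:
            continue
        return ("pass", r.name)
    return ("block", None)  # assumption: nothing matched, so the flow is blocked

def web_rules_without_url_filter():
    """Names of outbound web rules that carry no URL filter policy."""
    return [r.name for r in POLICY
            if r.dst == "Internet" and r.port in ("http", "https")
            and r.url_filter is None]

if __name__ == "__main__":
    # Constructed test flows: (source, destination, port, incoming interface)
    flows = [
        ("Network_in", "Internet", "dns_udp", "in"),
        ("Network_in", "Internet", "dns_tcp", "in"),     # only dns_udp is allowed
        ("Internet", "Firewall_out", "https", "out"),
        ("Internet", "srv_web_private", "https", "out"), # not a rule destination
    ]
    for f in flows:
        print(f, "->", evaluate(*f))
    print("no URL filter:", web_rules_without_url_filter())
```

Under these assumptions, DNS over TCP from the “in” network and direct Internet access to srv_web_private match no rule; only traffic to Firewall_out arriving on the out interface matches the inbound rule.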