Creating filter rules

NOTE
This section describes the process of creating filter rules that use specific QoS queues instead of default queues. This technical note will not cover the creation of filter rules for traffic other than from the LAN to the WAN or DMZ.

NOTE
We advise against specifying acknowledgment (ACK) queues in filter rules.
It is in fact preferable to let ACK traffic automatically join the acknowledgment (ACK) queues set by default on the relevant interfaces for such traffic.

Go to Security policy > Filter - NAT > Filtering tab.

Creating the filter rule to the remote FTP server

  1. In the drop-down list above the filter rule grid, select the security policy that you want to modify.
  2. Select the rule above which you want to add a new filter rule.
  3. Click on New rule and select Single rule.
    A new inactive rule is added to the filter policy.
    You can move this new rule by using the arrows.
  4. Double-click on this rule.
    The configuration window of the rule opens.
  5. Click on the General menu on the left.
  6. In the Status field, set the value to On.
  7. Click on the Action menu on the left.
  8. In the General tab, for the Action field, select pass.
  9. In the Quality of service tab, for the Queue field in the QoS section, select the queue created for FTP traffic (FTP_WAN_Q in this example).
  10. Click on the Source menu on the left.
  11. In the General tab, for the Source hosts field, select the hosts, host groups or networks allowed to use the FTP protocol (LAN_Clients network in this example).
  12. Click on the Destination menu on the left.
  13. In the General tab, for the Destination hosts field, click on Add and select the FTP server or server group (WAN_FTP_Server host in this example).
  14. Click on the Port - Protocol menu on the left.
  15. In the Port section, select the ftp object as the Destination port.
  16. Confirm the creation of the rule by clicking on OK.

NOTE
For protocols that generate child connections (FTP in this example), the queue specified in the filter rule automatically applies to child connections.

Creating the filter rule for traffic to Google Drive servers

  1. Select the rule above which you want to add a new filter rule.
  2. Click on New rule and select Single rule.
    A new inactive rule is added to the filter policy.
    You can move this new rule by using the arrows.
  3. Double-click on this rule.
    The configuration window of the rule opens.
  4. Click on the General menu on the left.
  5. In the Status field, set the value to On.
  6. Click on the Action menu on the left.
  7. In the General tab, for the Action field, select pass.
  8. In the Quality of service tab, for the Queue field in the QoS section, select the queue created for Google Drive traffic (GD_WAN_Q in this example).
  9. Click on the Source menu on the left.
  10. In the General tab, for the Source hosts field, select the hosts, host groups or networks allowed to access Google Drive (LAN_Clients network in this example).
  11. Click on the Destination menu on the left.
  12. In the Web services and reputations section, under the Geolocation/Reputation tab, select the Google Drive object.
  13. Click on the Port - Protocol menu on the left.
  14. In the Port section, select the https object as the Destination port.
  15. Confirm the creation of the rule by clicking on OK.

Creating the filter rule to the remote HTTP/HTTPS server

Follow the steps explained in the procedure "Creating the filter rule to the remote FTP server" with the following values for this example.

Status: on
Action: pass
Queue: HTTP_WAN_Q
Source hosts: LAN_Clients
Destination hosts: the object corresponding to the remote HTTP/HTTPS server (WAN_PROD_Server in this example)
Destination port: the http and https objects

Creating the filter rule to the remote VoIP server

Follow the steps explained in the procedure "Creating the filter rule to the remote FTP server" with the following values for this example.

Status: on
Action: pass
Queue: SIP_WAN_Q
Source hosts: LAN_VoIP_Clients
Destination hosts: the object corresponding to the remote SIP server (WAN_VoIP_Server in this example)
Destination port: the sip object

NOTE
For protocols that generate child connections (SIP in this example), the queue specified in the filter rule automatically applies to child connections.

Creating the filter rule to the HTTP/HTTPS server in the DMZ

Follow the steps explained in the procedure "Creating the filter rule to the remote FTP server" with the following values.

Status: on
Action: pass
Queue: HTTP_DMZ_Q
Source hosts: LAN_Clients
Destination hosts: the object corresponding to the remote HTTP/HTTPS server (LOCAL_PROD_Server in this example)
Destination port: the http and https objects

Creating the filter rule to the file server in the DMZ

Follow the steps explained in the procedure "Creating the filter rule to the remote FTP server" with the following values for this example.

Status: on
Action: pass
Queue: SMB_DMZ_Q
Source hosts: LAN_Clients
Destination hosts: the object corresponding to the local file server (LOCAL_FILE_Server in this example)
Destination port: the microsoft-ds object
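
Before applying the policy, the six rules above can be checked for ordering and queue mistakes. The following is an added example, not part of the original documentation or the vendor's tooling: it models the rules in a constructed Python structure (not a firewall export format) and flags inactive rules, explicitly assigned ACK queues, and rules whose queue would never be used because an earlier, broader rule matches first. It assumes the policy is evaluated top-down with the first matching rule applied, treats object names as opaque strings, and takes the ACK queue names as a hypothetical parameter.

```python
from dataclasses import dataclass

ANY = frozenset({"any"})

@dataclass(frozen=True)
class Rule:
    name: str
    queue: str                 # "" means the default queue
    src: frozenset
    dst: frozenset
    ports: frozenset
    status: str = "on"
    action: str = "pass"

def R(name, queue, src, dst, ports):
    return Rule(name, queue, frozenset(src), frozenset(dst), frozenset(ports))

# The six rules from this page, in a constructed model (rule names are hypothetical).
PAGE_RULES = [
    R("ftp", "FTP_WAN_Q", ["LAN_Clients"], ["WAN_FTP_Server"], ["ftp"]),
    R("gdrive", "GD_WAN_Q", ["LAN_Clients"], ["Google Drive"], ["https"]),
    R("http_wan", "HTTP_WAN_Q", ["LAN_Clients"], ["WAN_PROD_Server"], ["http", "https"]),
    R("sip", "SIP_WAN_Q", ["LAN_VoIP_Clients"], ["WAN_VoIP_Server"], ["sip"]),
    R("http_dmz", "HTTP_DMZ_Q", ["LAN_Clients"], ["LOCAL_PROD_Server"], ["http", "https"]),
    R("smb_dmz", "SMB_DMZ_Q", ["LAN_Clients"], ["LOCAL_FILE_Server"], ["microsoft-ds"]),
]

def covers(outer, inner):
    """True if every object in `inner` is matched by `outer` (names are opaque)."""
    return outer == ANY or inner <= outer

def audit(rules, ack_queues=frozenset()):
    """Return (rule name, finding) pairs, assuming top-down, first-match evaluation."""
    findings = []
    for i, r in enumerate(rules):
        if r.status != "on":
            findings.append((r.name, "inactive: status is not on"))
            continue
        if r.queue in ack_queues:
            findings.append((r.name, "ACK queue set explicitly"))
        for earlier in rules[:i]:
            if (earlier.status == "on" and earlier.queue != r.queue
                    and covers(earlier.src, r.src) and covers(earlier.dst, r.dst)
                    and covers(earlier.ports, r.ports)):
                findings.append((r.name, f"shadowed by {earlier.name}"))
                break
    return findings
```

Calling audit(PAGE_RULES) returns an empty list; placing a broad LAN_Clients-to-any rule above the six rules reports every LAN_Clients rule as shadowed, which is why the position chosen in the first steps of each procedure matters.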

Applying the modified security policy

To confirm changes and apply the new security policy, click on Apply, then on Yes, activate the policy.

The filter rules that use specific QoS queues will therefore look like this: