Creating filter rules

NOTE
This section describes the process of creating filter rules that use specific QoS queues instead of default queues. This technical note will not cover the creation of filter rules for traffic other than from the LAN to the WAN or DMZ.

Go to Security policy > Filter - NAT > Filtering tab.

Creating the filter rule for the FTP protocol

  1. In the drop-down list above the filter rule grid, select the security policy that you want to modify.
  2. Select the rule above which you want to add a new filter rule.
  3. Click on New rule and select Single rule.
    A new inactive rule is added to the filter policy.
    You can move this new rule by using the arrows.
  4. Double-click on this rule.
    The configuration window of the rule opens.
  5. Click on the General menu on the left.

  6. In the Status field, set the value to On.

  7. Click on the Action menu on the left.

  8. In the General tab, for the Action field, select pass.

  9. In the Quality of service tab, for the Queue field, select the queue created for FTP traffic to the WAN (FTP_WAN_Q in this example).

  10. Click on the Source menu on the left.

  11. In the General tab, for the Source hosts field, select the hosts, host groups or networks allowed to use the FTP protocol (LAN_Clients network in this example).

  12. Click on the Destination menu on the left.

  13. In the General tab, for the Destination hosts field, click on Add and select the FTP server or server group (WAN_FTP_Server host in this example).

  14. Click on the Port - Protocol menu on the left.

  15. In the Port section, for the Destination port, select the ftp object.

  16. Confirm the creation of the rule by clicking on OK.

NOTE
For protocols that generate child connections (FTP in this example), the queue specified in the filter rule automatically applies to child connections.

Creating the filter rule for YouTube

Follow the steps explained in the procedure Creating the filter rule for the FTP protocol with the following values for this example:

Status: on
Action: pass
Queue: Leave the value suggested by default (Default queue). When the intrusion prevention engine detects the YouTube application signature, it will assign the appropriate queue (YTB_WAN_Q in this example) to traffic affected by this rule.
Source hosts: LAN_Clients
Destination hosts: Internet
Destination port: https

Applying the modified security policy

To confirm changes and apply the new security policy, click on Apply, then on Yes, activate the policy.

The filter rules that use specific QoS queues will therefore look like this: