...

# Ports for web traffic
set resources group port-group WEB port 80
set resources group port-group WEB port 443
 
# Address group
set resources group address-group BBC-SITE address-range 212.0.0.0 to 212.255.255.255
 
# User-defined application
set service application rule 100 destination address BBC-SITE
set service application rule 100 then name MYNEWS
set service application rule 100 then protocol MYWEB
set service application rule 100 then type MYNEWS
 
# Application firewall
#   - accept traffic to the BBC
#   - drop all other applications
set security application firewall name BBC-TRAFFIC rule 100 action accept
set security application firewall name BBC-TRAFFIC rule 100 engine user name MYNEWS
set security application firewall name BBC-TRAFFIC no-match-action drop
 
# Allow DNS traffic
set security firewall name DPI rule 100 action accept
set security firewall name DPI rule 100 destination address 8.8.8.8
set security firewall name DPI rule 100 session
 
# Send all web traffic through the application firewall
set security firewall name DPI rule 200 action accept
set security firewall name DPI rule 200 protocol tcp
set security firewall name DPI rule 200 destination port WEB
set security firewall name DPI rule 200 session application firewall BBC-TRAFFIC
 
# Default action
set security firewall name DPI rule 1000 action accept
set security firewall name DPI rule 1000 session
 
# Apply firewall to interface
set interfaces dataplane dp0p1s2 firewall out DPI

4.5 An application firewall is applied to traffic entering or leaving a GRE tunnel

Tunneled telnet and SSH traffic are dropped.

...

# Apply firewall to tunnel
set interfaces tunnel tun1 firewall out SFW

4.6 An application firewall is applied to traffic entering or leaving a VFP IPSec tunnel

Tunneled telnet and SSH traffic are dropped.

...