Deep Security 10.1 has reached end of support.
Firewall Rules
Firewall Rules examine the control information in individual packets. The Rules either block or allow those packets based on rules that are defined on these pages. Firewall Rules are assigned directly to computers or to Policies which are in turn assigned to a computer or collection of computers.
Firewall Rule icons:
- Normal Firewall Rules
- Firewall Rules that operate according to a schedule
From the main page you can:
- Create New Firewall Rules
- Import Firewall Rules from an XML file (located under the New menu)
- Examine or modify the Properties of an existing Firewall Rule
- Duplicate (and then modify) existing Firewall Rules
- Delete a Firewall Rule
- Export one or more Firewall Rules to an XML or CSV file (either export them all by clicking the Export button, or choose from the list to export only those that are selected or displayed)
- Add/Remove Columns: columns can be added or removed by clicking Add/Remove Columns. The order in which the columns are displayed can be controlled by dragging them into their new position. Listed items can be sorted and searched by the contents of any column.
Clicking New or Properties displays the Firewall Rules Properties window.
Firewall Rule Properties
General Information
- Name: The name of the Firewall Rule.
- Description: A detailed description of the Firewall Rule.
- Action: Your Firewall Rule can behave in one of the following ways, described here in order of precedence:
  - Bypass: the traffic bypasses the firewall completely. This is a special rule that causes the packets to bypass the Firewall and Intrusion Prevention engine entirely. Use this setting for media-intensive protocols where filtering may not be desired. To find out more about the bypass rule, see "Bypass Rule" in the Reference section.
  - Log only: the rule only makes an entry in the logs and does not interfere with the traffic.
  - Force allow: the rule allows the traffic it defines without excluding any other traffic.
  - Deny: the rule denies the traffic it defines.
  - Allow: the rule exclusively allows the traffic it defines.
If you have no Allow rules in effect on a computer, all traffic is permitted unless it is specifically blocked by a Deny rule. Once you create a single Allow rule, all other traffic is blocked unless it meets the requirements of the Allow rule. There is one exception to this: ICMPv6 traffic is always permitted unless it is specifically blocked by a Deny rule.
Only one rule action is applied to any particular packet, and rules of the same priority are applied in the order listed above.
- Priority: If you have selected "force allow", "deny", or "log only" as your rule action, you can set a priority here of 0 (low) to 4 (highest). Setting a priority allows you to combine the actions of rules to achieve a cascading rule effect. Log only rules can only have a priority of 4, and Allow rules can only have a priority of 0.
The priority determines the order in which rules are applied. High priority rules are applied before low priority rules. For example, a port 80 incoming deny rule with a priority of 3 will drop a packet before a port 80 incoming force allow rule with a priority of 2 is ever applied to it.
- Packet Direction: Select whether this rule will be applied to incoming or outgoing traffic.
- Frame Type: Select a frame type. Use the Not checkbox to specify whether you will be filtering for this frame type or anything but this frame type.
You can exclusively select IPv4 or IPv6. To specify either (both), select IP. For a list of frame types, see the Internet Assigned Numbers Authority (IANA) Web site.
- Protocol: Select or specify the protocol your rule will be looking for. Use the checkbox to specify whether you will be filtering for this protocol or anything but this protocol.
You can choose from the drop-down list of predefined common protocols, or you can select "Other" and enter the protocol code yourself (a decimal value from 0 to 255, up to three digits).
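To make the precedence and priority behaviour described above concrete, here is an added Python model of the evaluation order; it is an illustration written for this page, not Trend Micro code. It assumes a simplified rule that matches only on direction, protocol and destination port, and it assumes that the Bypass action (which the page lists first but gives no priority) is evaluated ahead of every prioritized rule. The rule names, packet values and reason strings are constructed for the example.

```python
"""Model of the firewall rule evaluation order documented for Deep Security.

Added illustration, not Trend Micro code. Matching is simplified to direction,
protocol and destination port; bypass is assumed to win over all prioritized rules.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Actions in the documented order of precedence (applied within one priority level).
PRECEDENCE = ["bypass", "log_only", "force_allow", "deny", "allow"]


@dataclass(frozen=True)
class Packet:
    direction: str          # "incoming" or "outgoing"
    protocol: str           # e.g. "TCP", "UDP", "ICMP", "ICMPv6"
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    name: str
    action: str
    direction: str
    priority: int = 0               # 0 (low) .. 4 (highest)
    protocol: Optional[str] = None  # None matches any protocol
    dst_port: Optional[int] = None  # None matches any port

    def __post_init__(self) -> None:
        # Enforce the priority constraints the documentation states.
        if self.action not in PRECEDENCE:
            raise ValueError(f"unknown action {self.action!r}")
        if not 0 <= self.priority <= 4:
            raise ValueError("priority must be between 0 and 4")
        if self.action == "log_only" and self.priority != 4:
            raise ValueError("log only rules must have priority 4")
        if self.action == "allow" and self.priority != 0:
            raise ValueError("allow rules must have priority 0")

    def matches(self, pkt: Packet) -> bool:
        return (self.direction == pkt.direction
                and (self.protocol is None or self.protocol == pkt.protocol)
                and (self.dst_port is None or self.dst_port == pkt.dst_port))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (action, reason) for one packet.

    Only one rule action is applied: the highest-priority matching rule wins, and
    ties within a priority level are broken by the documented precedence order.
    A "log_only" result means the packet is logged and not interfered with.
    """
    matching = [r for r in rules if r.matches(pkt)]
    matching.sort(key=lambda r: (0 if r.action == "bypass" else 1,   # bypass first (assumption)
                                 -r.priority,                         # higher priority first
                                 PRECEDENCE.index(r.action)))         # then documented order
    if matching:
        winner = matching[0]
        return winner.action, winner.name

    # No rule matched: the implicit result depends on whether any Allow rule is in effect.
    if pkt.protocol == "ICMPv6":
        return "allow", "implicit: ICMPv6 is permitted unless explicitly denied"
    if any(r.action == "allow" for r in rules):
        return "deny", "implicit: an Allow rule is in effect"
    return "allow", "implicit: no Allow rules in effect"


if __name__ == "__main__":
    # The page's cascading example: deny (priority 3) beats force allow (priority 2).
    rules = [
        Rule("deny-80-in", "deny", "incoming", priority=3, protocol="TCP", dst_port=80),
        Rule("force-allow-80-in", "force_allow", "incoming", priority=2, protocol="TCP", dst_port=80),
    ]
    print(evaluate(rules, Packet("incoming", "TCP", 80)))
```

Run the module directly to see the page's port 80 example resolve to the deny rule; the `evaluate` function can also be called with any constructed rule set to check what an unmatched packet does before and after the first Allow rule is added.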
Packet Source
The following options apply to the packet header's source information:
- IP: Specify an IP address, a masked IP address, an IP range, or select an IP list from one you defined in the IP Lists page.
- MAC: Specify a MAC address or select a MAC list from one you defined in the MAC Lists page.
- Port: Specify a single port, a comma-separated list of ports, or a dash-separated port range in the port(s) option (e.g., 80, 443, 1-100), or select a Port list from one you defined in the Port Lists page.
Packet Destination
The following options apply to the packet header's destination information:
- IP: Specify an IP address, a masked IP address, an IP range, or select an IP list from one you defined in the IP Lists page.
- MAC: Specify a MAC address or select a MAC list from one you defined in the MAC Lists page.
- Port: Specify a single port, a comma-separated list of ports, or a dash-separated port range in the port(s) option (e.g., 80, 443, 1-100), or select a Port list from one you defined in the Port Lists page.
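The port(s) syntax used in both the Packet Source and Packet Destination sections (single port, comma-separated list, dash-separated range) is small enough to parse and check exhaustively. The following is an added Python example, not Trend Micro code; it assumes ports are restricted to the 16-bit range 0-65535 and that reversed ranges such as "100-1", empty entries and non-numeric text are rejected, and it coalesces overlapping ranges so a reviewer can see the effective coverage of a specification.

```python
"""Parser and matcher for a firewall rule port(s) field such as "80, 443, 1-100".

Added illustration, not Trend Micro code. Assumes the 16-bit port range 0-65535
and rejects reversed ranges, empty entries and non-numeric tokens.
"""
from typing import List, Tuple

PORT_MIN, PORT_MAX = 0, 65535   # assumed valid range


def _port(text: str) -> int:
    """Parse one port number, rejecting anything that is not a plain decimal in range."""
    text = text.strip()
    if not text.isdigit():
        raise ValueError(f"{text!r} is not a port number")
    port = int(text)
    if not PORT_MIN <= port <= PORT_MAX:
        raise ValueError(f"port {port} is outside {PORT_MIN}-{PORT_MAX}")
    return port


def merge_ranges(ranges: List[Tuple[int, int]]) -> List[Tuple[int, int]]:
    """Sort and coalesce overlapping or adjacent ranges so the effective coverage is visible."""
    merged: List[Tuple[int, int]] = []
    for lo, hi in sorted(ranges):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def parse_port_spec(spec: str) -> List[Tuple[int, int]]:
    """Turn "80, 443, 1-100" into a merged list of (low, high) ranges; raise ValueError on bad input."""
    ranges: List[Tuple[int, int]] = []
    for token in spec.split(","):
        token = token.strip()
        if not token:
            raise ValueError(f"empty port entry in {spec!r}")
        if "-" in token:
            lo_text, hi_text = token.split("-", 1)
            lo, hi = _port(lo_text), _port(hi_text)
            if lo > hi:
                raise ValueError(f"reversed range {token!r}")
        else:
            lo = hi = _port(token)
        ranges.append((lo, hi))
    return merge_ranges(ranges)


def port_matches(spec: str, port: int) -> bool:
    """True if the given port falls inside the specification."""
    return any(lo <= port <= hi for lo, hi in parse_port_spec(spec))


if __name__ == "__main__":
    spec = "80, 443, 1-100"   # the example from the documentation
    print(parse_port_spec(spec))
    for p in (50, 80, 443, 444):
        print(p, port_matches(spec, p))
```

Merging makes it obvious when a list entry is redundant: in the page's own example, port 80 is already covered by the 1-100 range, so the parsed result collapses to two ranges.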
Specific Flags
If you have selected TCP, ICMP, or TCP+UDP as your protocol in the General Information section above, you can direct your Firewall Rule to watch for specific flags.
Events
Select whether to enable or disable logging Events because of this Rule. If event logging is enabled, you can record the packet data with the Event.
Alert
Select whether this Firewall Rule should raise an Alert when it is triggered.
Schedule
Select whether the Firewall Rule should only be active during a scheduled time. If you only wish this rule to be active during specific periods, assign a schedule from the list.

Context
Rule Contexts are a powerful way of implementing different security policies depending on the computer's network environment. You will most often use Contexts to create Policies which apply different Firewall and Intrusion Prevention Rules to computers (usually mobile laptops) depending on whether that computer is in or away from the office.
Contexts are designed to be associated with Firewall and Intrusion Prevention Rules. If the conditions defined in the Context associated with a Rule are met, the Rule is applied.
To determine a computer's location, Contexts examine the nature of the computer's connection to its domain controller. For more information on Contexts, see Policies > Common Objects > Other > Contexts.
Assigned To
This tab displays a list of Policies which include this Firewall Rule as well as any computers to which this Firewall Rule has been assigned directly. Firewall Rules can be assigned to Policies in the Policies page and to computers in the Computers page.