As with previous policy definitions, NAT should also be enabled if the protected local hosts have
private IPv4 addresses. The ICMP messages will then be sent out from the Clavister Next
Generation Firewall with the IP address of the interface connected to the ISP as the source
address. Responding hosts will send back ICMP responses to this single IP and cOS Core will
then forward the response to the correct private IPv4 address.
Adding a Drop All Policy
The top-down nature of IP rule set scanning has been mentioned earlier. If no matching entry is
found for a new connection then the default rule is triggered. This rule is hidden and cannot be
changed. Its action is to drop all such traffic and always generate a log message for each dropped
connection.
In order to gain control over the logging of dropped traffic, it is recommended to create a drop
all policy as the last entry in the main IP rule set. This policy will have the source and destination
network set to all-nets and the source and destination interface set to any. The service should be
set to all_services in order to capture all types of traffic.
Logging is enabled by default for an IP rule set entry which means that a log message will be
sent to all configured log servers whenever the entry triggers. Only log events that have a
specified severity or above will be sent. The administrator can choose the minimum severity for
log messages in each IP rule set entry, as shown below.
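The following Python model is an added illustration and is not cOS Core code or any Clavister tool: it simulates top-down scanning of an IP rule set, the hidden default rule that always drops and always logs, and an explicit drop-all entry whose minimum log severity is under the administrator's control. The policy field names, the syslog-style severity numbers, the severity assigned to each action and the log line format are all assumptions made for the example; the sample rule set and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Syslog-style severity numbers; a lower number is a more severe event (assumed ordering).
SEVERITY = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}

ANY, ALL_NETS, ALL_SERVICES = "any", "all-nets", "all_services"

# Severity an entry logs with when it triggers (assumed values for this example).
EVENT_SEVERITY = {"Allow": "info", "NAT": "info", "Drop": "warning"}


@dataclass
class Connection:
    src_iface: str
    src_ip: str
    dst_iface: str
    dst_ip: str
    service: str  # e.g. "http" or "ping-outbound"


@dataclass
class Policy:
    name: str
    action: str                   # "Allow", "NAT" or "Drop"
    src_iface: str = ANY
    src_net: str = ALL_NETS       # "all-nets" or a CIDR string
    dst_iface: str = ANY
    dst_net: str = ALL_NETS
    service: str = ALL_SERVICES
    log_enabled: bool = True      # logging is on by default for an entry
    min_severity: str = "info"    # lowest severity this entry sends to log servers (assumed field)


def _net_matches(net: str, ip: str) -> bool:
    return net == ALL_NETS or ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


def matches(p: Policy, c: Connection) -> bool:
    """An entry matches when every one of its five selectors matches the new connection."""
    return (p.src_iface in (ANY, c.src_iface) and p.dst_iface in (ANY, c.dst_iface)
            and _net_matches(p.src_net, c.src_ip) and _net_matches(p.dst_net, c.dst_ip)
            and p.service in (ALL_SERVICES, c.service))


def log_message(p: Policy, c: Connection, hidden_default: bool) -> Optional[str]:
    sev = EVENT_SEVERITY[p.action]
    if hidden_default:
        # The hidden default rule always logs and cannot be changed.
        return f"[{sev}] default_rule drop {c.src_ip}->{c.dst_ip} {c.service}"
    # An explicit entry only sends events at or above its configured minimum severity.
    if not p.log_enabled or SEVERITY[sev] > SEVERITY[p.min_severity]:
        return None
    return f"[{sev}] {p.name} {p.action.lower()} {c.src_ip}->{c.dst_ip} {c.service}"


def evaluate(rule_set: List[Policy], c: Connection) -> Tuple[str, Optional[str]]:
    """Top-down scan: the first matching entry decides; no match falls through to the default rule."""
    for p in rule_set:
        if matches(p, c):
            return p.action, log_message(p, c, hidden_default=False)
    return "Drop", log_message(Policy("default_rule", "Drop"), c, hidden_default=True)


# Constructed sample rule set: LAN hosts use private addresses, so outbound traffic is NATed.
MAIN = [
    Policy("lan_to_wan_http", "NAT", src_iface="lan", src_net="192.168.1.0/24",
           dst_iface="wan", service="http"),
    Policy("lan_ping_out", "NAT", src_iface="lan", src_net="192.168.1.0/24",
           dst_iface="wan", service="ping-outbound"),
]

# The same rule set with the recommended drop-all entry last: all-nets, any interface,
# all_services. Its minimum severity is raised so routine drops are not sent to log servers.
MAIN_WITH_DROP_ALL = MAIN + [Policy("drop_all", "Drop", min_severity="error")]


def demo() -> Tuple[Tuple[str, Optional[str]], Tuple[str, Optional[str]]]:
    """Unsolicited inbound connection evaluated with and without the explicit drop-all entry."""
    unsolicited = Connection("wan", "203.0.113.7", "lan", "192.168.1.10", "http")
    return evaluate(MAIN, unsolicited), evaluate(MAIN_WITH_DROP_ALL, unsolicited)


if __name__ == "__main__":
    for action, msg in demo():
        print(action, msg)
```

Both rule sets drop the unsolicited connection; the difference is only in who decides and what gets logged. Without the explicit entry the hidden default rule logs every drop unconditionally, while with it the administrator's minimum severity on the drop-all entry decides whether the event reaches the log servers.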
Chapter 4: cOS Core Configuration
54