Exploring the Potential of Rules in an NGFW: Protect Your Infrastructure Like an Expert

Cybersecurity is not a luxury, it is a necessity. In a world where threats are constantly evolving, advanced tools such as Next-Generation Firewalls (NGFWs) have become a cornerstone of protecting digital infrastructure. I have often had to propose rule configuration strategies for a variety of architectures and solutions without knowing every available option beforehand. What do you do in that situation? The answer is to understand and master the rule configuration options. This guide walks you through setting up effective rules in an NGFW and helps you decide whether this tool is what your company needs.

NGFWs are the evolution of traditional firewalls. They still filter on ports and IP addresses, but they add deep packet inspection (DPI), application identification, and inline threat prevention.

Why are they important? 

Because modern threats require modern responses. NGFWs let you:

  • Identify specific applications regardless of port, including ones that hide behind standard ports such as 443.
  • Inspect traffic encrypted with SSL/TLS after decrypting it.
  • Integrate with threat intelligence feeds.
  • Protect against advanced attacks, such as malware and ransomware.

In short, they are essential for companies that need to protect sensitive data and keep operating in the face of attacks.

Rules That Transform Your NGFW Into a Fortress

Here is a list of the types of rules you can create. The snippets use a vendor-neutral pseudo-CLI; the keywords differ between vendors, but the concepts map directly. Two things hold throughout: policies are evaluated top-down and the first matching rule wins, and traffic that matches nothing hits an implicit deny at the end.

1. Rules based on IP addresses

  • Allow or deny traffic between specific IP ranges.
  • Control traffic to or from specific subnets.
  • Block access to malicious or suspicious IP addresses.

Objective:

Allow traffic from an internal subnet (192.168.1.0/24) to the Internet, but block one specific host (192.168.1.100).

Configuration:

Policies are matched top-down, so the specific deny must sit above the broader allow; placed below it, the deny would never be evaluated (the allow shadows it).

Block the specific host first:
configure firewall policy
set srcaddr "192.168.1.100/32"
set dstaddr "all"
set action "deny"
commit

Then allow the rest of the subnet:
configure firewall policy
set srcaddr "192.168.1.0/24"
set dstaddr "all"
set action "accept"
commit

2. Port- and Protocol-Based Rules

  • Control traffic by protocol (TCP, UDP, ICMP, etc.).
  • Open or close specific ports for services such as HTTP (80), HTTPS (443), SSH (22), FTP (21), etc.

Objective:

Allow HTTPS (TCP 443) traffic from any network to an internal web server (192.168.1.10).

Configuration:

configure firewall policy
set srcaddr "all"
set dstaddr "192.168.1.10"
set service "TCP/443"
set action "accept"
commit

On an NGFW a port alone is a weak match: anything can be tunnelled over TCP 443. Pair the service with the expected application signature (HTTPS/web browsing) so that an SSH or VPN tunnel on port 443 does not ride through on this rule.

3. Application Rules

  • Allow or deny specific applications (e.g., block social media, messaging, streaming) regardless of the port they use.
  • Identify applications by signature rather than by port, and allow selective access based on company policy.

Objective:

Block social media apps like Facebook and Twitter for the entire network except the marketing department.

Configuration:

NGFWs ship with a library of application signatures, so "Facebook" and "Twitter" are referenced, not created. The exception for marketing is a user-group match and must be placed above the general deny; below it, the deny would match first and the exception would never apply.

Allow the exception first:
configure application-policy
set srcaddr "all"
set user-group "Marketing_Group"
set application "Facebook"
set application "Twitter"
set action "accept"
commit

Then block the applications for everyone else:
configure application-policy
set srcaddr "all"
set application "Facebook"
set application "Twitter"
set action "deny"
commit

Application identification needs enough of the session to classify it; for HTTPS that means at least the TLS handshake (SNI), and full accuracy may require the TLS inspection described in section 10.
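The ordering rule behind sections 1 and 3 is easy to get wrong in a rule base of hundreds of lines. The following Python is an added example, not code from the article or from any vendor: it models a first-match rule base with an implicit deny, evaluates a flow against it, and reports rules that are shadowed by an earlier one. The rule and flow fields, the group name Marketing_Group, the /32 notation and the sample addresses are assumptions used to illustrate the idea.

```python
"""Added example (not from the article): a first-match policy evaluator that
reproduces how an NGFW walks its rule base top-down with an implicit deny at
the end, plus a shadowing check.  The rule base below is a constructed model
of the article's sections 1 and 3, not a vendor's real syntax."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                               # "accept" or "deny"
    src: str = "0.0.0.0/0"                    # source network (CIDR)
    dst: str = "0.0.0.0/0"                    # destination network (CIDR)
    service: Optional[str] = None             # e.g. "tcp/443"; None = any service
    apps: Optional[FrozenSet[str]] = None     # app signatures; None = any app
    user_group: Optional[str] = None          # identity match; None = any user


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    service: str
    app: str = "unknown"
    user_group: str = ""                      # "" = unauthenticated / unknown user


def matches(rule: Rule, flow: Flow) -> bool:
    """True when every criterion of the rule matches the flow."""
    return (ip_address(flow.src) in ip_network(rule.src)
            and ip_address(flow.dst) in ip_network(rule.dst)
            and rule.service in (None, flow.service)
            and (rule.apps is None or flow.app in rule.apps)
            and rule.user_group in (None, flow.user_group))


def evaluate(policy, flow):
    """Walk the rule base top-down; first match wins, otherwise implicit deny."""
    for rule in policy:
        if matches(rule, flow):
            return rule.action, rule.name
    return "deny", "implicit-deny"


def covers(a: Rule, b: Rule) -> bool:
    """True when every flow that matches b also matches a (b is dead after a)."""
    return (ip_network(b.src).subnet_of(ip_network(a.src))
            and ip_network(b.dst).subnet_of(ip_network(a.dst))
            and a.service in (None, b.service)
            and (a.apps is None or (b.apps is not None and b.apps <= a.apps))
            and a.user_group in (None, b.user_group))


def shadowed(policy):
    """List (rule, shadowing_rule) pairs: rules that can never fire."""
    result = []
    for i, later in enumerate(policy):
        for earlier in policy[:i]:
            if covers(earlier, later):
                result.append((later.name, earlier.name))
                break
    return result


# Section 1 as originally written (broad allow first, host deny second) ...
IP_WRONG_ORDER = [
    Rule("allow-lan-out", "accept", src="192.168.1.0/24"),
    Rule("block-host", "deny", src="192.168.1.100/32"),
]
# ... and with the specific deny moved above the broad allow.
IP_RIGHT_ORDER = list(reversed(IP_WRONG_ORDER))

SOCIAL = frozenset({"Facebook", "Twitter"})
# Section 3: a global deny placed first shadows the Marketing exception ...
APP_WRONG_ORDER = [
    Rule("block-social", "deny", apps=SOCIAL),
    Rule("marketing-social", "accept", apps=SOCIAL, user_group="Marketing_Group"),
]
APP_RIGHT_ORDER = list(reversed(APP_WRONG_ORDER))

if __name__ == "__main__":
    bad_host = Flow("192.168.1.100", "203.0.113.10", "tcp/443", app="web-browsing")
    print(evaluate(IP_WRONG_ORDER, bad_host))    # ('accept', 'allow-lan-out')
    print(evaluate(IP_RIGHT_ORDER, bad_host))    # ('deny', 'block-host')
    print(shadowed(IP_WRONG_ORDER))              # [('block-host', 'allow-lan-out')]
    marketing = Flow("192.168.1.20", "203.0.113.20", "tcp/443",
                     app="Facebook", user_group="Marketing_Group")
    print(evaluate(APP_WRONG_ORDER, marketing))  # ('deny', 'block-social')
    print(evaluate(APP_RIGHT_ORDER, marketing))  # ('accept', 'marketing-social')
```

The shadowing check is the part worth keeping: run it over an exported rule base before every change window, because a shadowed deny is a silent hole and a shadowed accept is a ticket you will get at 3 a.m.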

4. Geolocation Rules

  • Block or allow traffic based on countries or geographic regions.
  • Use GeoIP databases to map source and destination addresses to locations.

Objective:

Block inbound traffic from countries considered high-risk, such as Russia and North Korea.

Configuration:

configure geo-policy
set src-country "Russia"
set src-country "North Korea"
set action "deny"
commit

Treat geo-blocking as noise reduction, not as a control: GeoIP data is approximate, and an attacker can source traffic from a VPN or cloud host in an allowed country. Keep the GeoIP database updated and check that you are not cutting off legitimate partners, travelling staff, or CDN nodes.

5. User/Identity Rules

  • Integrate with identity systems such as LDAP, RADIUS, or SAML in addition to Active Directory.
  • Create rules based on individual users, roles, or groups, including ones that are not defined in AD.

Objective:

Allow access to internal servers only to users authenticated against an LDAP directory.

Configuration:

Integrate LDAP:
configure authentication-server "LDAP"
set type "LDAP"
set server-ip "192.168.100.10"
set base-dn "dc=example,dc=com"
commit

Configure the access policy:
configure firewall policy
set srcaddr "all"
set dstaddr "192.168.1.0/24"
set auth-server "LDAP"
set action "accept"
commit

Use LDAPS (TCP 636) or StartTLS for the directory connection and a read-only bind account; a firewall that checks credentials over plaintext LDAP exposes every password it verifies. Traffic from users the firewall cannot identify does not match this rule and falls through to whatever follows it, normally the implicit deny.

6. Time-Based Rules

  • Enforce restrictions based on schedules (e.g., allow access to certain services only during business hours).

Objective:

Allow Internet access only during business hours (Monday to Friday, 9:00-17:00).

Configuration:

Define the time range:
create schedule "Work_Hours"
set start-time "09:00"
set end-time "17:00"
set days "Mon,Tue,Wed,Thu,Fri"
commit

Apply the rule:
configure firewall policy
set srcaddr "all"
set dstaddr "all"
set schedule "Work_Hours"
set action "accept"
commit

Outside the schedule this rule simply stops matching, so the traffic is handled by whatever rule follows, usually the implicit deny; make sure nothing broader sits below it. Schedules are evaluated against the firewall's own clock and time zone, so keep it synchronized with NTP, and remember that sessions already open at 17:00 may continue unless the platform re-evaluates existing sessions.

7. Content Inspection Rules

  • Inspect traffic for malicious content (antivirus, anti-malware).
  • Block downloads of certain file types (e.g., .exe or .zip files).
  • Detect specific keywords or patterns in traffic.

Objective:

Block downloads of executable (.exe) files from any source.

Configuration:

Set up content inspection:
create content-filter "block-exe"
set file-type "exe"
set action "block"
commit

Assign the content rule to the policy:
configure firewall policy
set srcaddr "all"
set dstaddr "all"
set content-filter "block-exe"
set action "accept"
commit

A file-type filter should identify the type by content (the file's magic bytes and structure), not by the name in the URL or the Content-Disposition header; a renamed executable still runs once the user renames it back. Check whether the engine also looks inside archives, and remember that downloads over HTTPS are invisible to it unless TLS inspection (section 10) is on.
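A practitioner's check for section 7: does the filter identify the file by name or by content? The Python below is an added example (not from the article or any vendor) that detects Windows PE and Linux ELF executables by their magic bytes, looks one level into ZIP archives, and compares that verdict with a plain ".exe" name check over a few constructed sample files. The minimal PE header, the sample names and the archive-size guard are assumptions for the demo.

```python
"""Added example (not from the article): why a file-type block must look at
content rather than the file name.  Minimal PE/ELF/ZIP detection over
constructed sample files; a real NGFW file-type engine is far richer."""
import io
import struct
import zipfile

MAX_MEMBER_SIZE = 50 * 1024 * 1024   # refuse to inflate absurd archive members


def is_pe(data: bytes) -> bool:
    """Windows executable: 'MZ' DOS stub, e_lfanew at 0x3C points to 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def is_elf(data: bytes) -> bool:
    return data[:4] == b"\x7fELF"


def executable_kinds(data: bytes, depth: int = 0) -> set:
    """Executable formats found by magic bytes, looking one level into ZIPs."""
    kinds = set()
    if is_pe(data):
        kinds.add("pe")
    if is_elf(data):
        kinds.add("elf")
    if data[:4] == b"PK\x03\x04" and depth < 2:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.file_size > MAX_MEMBER_SIZE:
                    kinds.add("oversized-archive-member")   # suspicious; do not inflate
                    continue
                kinds |= executable_kinds(zf.read(info), depth + 1)
    return kinds


def verdict(filename: str, data: bytes) -> dict:
    """Compare a name-based '.exe' block with a content-based executable block."""
    kinds = executable_kinds(data)
    return {
        "blocked_by_extension": filename.lower().endswith(".exe"),
        "blocked_by_content": bool(kinds),
        "kinds": sorted(kinds),
    }


def fake_pe() -> bytes:
    """Constructed: the smallest byte string the PE check above accepts."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)      # e_lfanew -> right after the DOS header
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20


def fake_zip_with_pe() -> bytes:
    """Constructed: a ZIP whose only member is the fake PE under a harmless name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("tool.bin", fake_pe())
    return buf.getvalue()


SAMPLES = {                                     # constructed test files
    "tool.exe": fake_pe(),
    "tool.txt": fake_pe(),                      # renamed executable
    "report.exe": b"just a text file with a scary name\n",
    "bundle.zip": fake_zip_with_pe(),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, verdict(name, data))
```

The two middle samples are the point: the renamed executable passes a name check and fails a content check, while the text file named report.exe does the opposite. An NGFW filter that only reports the first behaviour is a name filter, whatever the UI calls it.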

8. URL Filtering Rules

  • Allow or block access to categories of websites (e.g., gaming, pornography, gambling).
  • Create allowlists (whitelists) or blocklists (blacklists) of specific URLs.

Objective:

Block categories such as games and gambling, and allow only allowlisted sites for a specific group.

Configuration:

Set up blocked categories:
configure url-filter
set category "Games"
set category "Gambling"
set action "deny"
commit

Create an allowlist:
configure url-filter
set allowlist "example.com"
set allowlist "trustedsite.org"
set action "accept"
commit

To restrict a group to the allowlist only, attach this profile to a policy that matches that group (see section 5) and deny everything else below it. Without TLS inspection the filter sees only the hostname of an HTTPS request (from the SNI or the certificate), not the path, so URL-level rules apply only to decrypted traffic.

9. Quality of Service (QoS) Rules

  • Prioritize certain types of traffic (e.g., VoIP over file downloads).
  • Limit bandwidth for certain applications or users.

Objective:

Prioritize VoIP traffic (SIP and RTP) over HTTP downloads.

Configuration:

Create the high-priority class:
configure qos
set application "VoIP"
set priority "high"
commit

Deprioritize HTTP traffic:
configure qos
set application "HTTP"
set priority "low"
commit

A firewall can only shape what it forwards, so the shaper must sit on the link that is actually congested (usually the WAN egress) with a bandwidth limit slightly below the real line rate; otherwise no queue ever builds on the firewall and the priorities do nothing.

10. SSL/TLS Inspection Rules

  • Decrypt HTTPS traffic for inspection and policy enforcement.
  • Block connections whose server certificate is invalid, expired, or untrusted.

Objective:

Decrypt HTTPS traffic for threat inspection.

Configuration:

Enable SSL inspection:
configure ssl-decryption
set enable
commit

Configure policies for inspection:
configure firewall policy
set srcaddr "all"
set dstaddr "all"
set ssl-decrypt "enable"
set action "accept"
commit

Inspection works by the firewall acting as a man-in-the-middle: it terminates the client's TLS session with a certificate it signs on the fly and opens a second session to the server. Before enabling it, distribute the firewall's signing CA to every managed endpoint (users will otherwise see certificate warnings on every site), exclude applications that pin their certificates and categories you must not read (banking, health, legal), and protect the private key of that CA as one of the most sensitive secrets in the network. The firewall also becomes the party that validates server certificates, so its trust store and revocation checking must be correct.

11. Advanced Inspection Rules (IDS/IPS)

  • Detect and prevent intrusion attempts and attacks (e.g., DDoS, SQL injection).
  • Deep packet inspection (DPI) to block malicious patterns.

Objective:

Detect and block brute-force attacks.

Configuration:

Create the detection profile:
configure ips
set profile "BruteForce"
set action "block"
commit

Assign the profile to the traffic it should inspect:
configure firewall policy
set srcaddr "all"
set dstaddr "all"
set ips-profile "BruteForce"
set action "accept"
commit

The policy action must be accept: an IPS profile inspects traffic the policy lets through, and a deny policy drops the traffic before the IPS ever sees it. Start a new signature set in detect-only mode, review the hits for false positives, and only then switch it to block.

12. Rules for Access to Specific Services

  • Create screened zones (DMZs) for public services such as web or mail servers and restrict traffic into them.
  • Allow access only to specific services from external locations.

Objective:

Allow access to a mail server (SMTP, TCP 25) from the Internet only from one permitted IP.

Configuration:

configure firewall policy
set srcaddr "203.0.113.1"
set dstaddr "192.168.1.50"
set service "TCP/25"
set action "accept"
commit

This is the least-privilege shape for any published service: one source, one destination, one port. Also restrict what the DMZ host may initiate towards the internal network, so a compromised mail server cannot be used as a pivot.

13. Device-Based Rules

  • Identify devices by characteristics (operating system, device type, vendor).
  • Create specific rules for device types such as IoT cameras, printers, or mobile devices.

Objective:

Block devices identified as IP cameras from reaching the rest of the network.

Configuration:

Identify the device type:
configure device-identification
set type "Camera"
commit

Create the rule that blocks those devices:
configure firewall policy
set device-type "Camera"
set dstaddr "all"
set action "deny"
commit

Device identification relies on fingerprints (DHCP options, HTTP user agents, MAC OUIs, observed traffic), which a determined attacker can imitate. Use it to enforce hygiene, but put IoT on its own VLAN with segmentation rules (section 18) as the real boundary.

14. Behavior/Anomaly Analysis Rules

  • Detect and block anomalous behavior (for example, a host sending excessive traffic).
  • Integrate with SIEM systems to apply automated responses.

Objective:

Block hosts that exhibit anomalous behavior (e.g., large-scale port scanning).

Configuration:

Turn on anomaly detection:
enable anomaly-detection
configure anomaly-profile "Scan_Detection"
set type "port-scan"
set threshold "100 connections/second"
set action "block"
commit

Assign the profile to a policy:
configure firewall policy
set srcintf "LAN"
set dstintf "WAN"
set anomaly-profile "Scan_Detection"
set action "accept"
commit

As with the IPS profile, the policy must accept traffic for the profile to inspect it. Thresholds are environment-specific: a backup server or an authorized vulnerability scanner will trip a naive rate limit, so baseline normal traffic first and exempt known scanners.
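To make the thresholds in sections 11 and 14 concrete, here is the counting logic an IPS brute-force signature and a port-scan anomaly profile apply, written as an added Python example (not the article's or any vendor's code) and run over constructed firewall log lines. The log format, the field names and the thresholds (5 failures in 60 s, 15 distinct ports in 10 s) are assumptions; real engines tune these per environment.

```python
"""Added example (not from the article): the sliding-window counting behind a
brute-force IPS signature (section 11) and a port-scan anomaly profile
(section 14), run over constructed firewall log lines."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds are assumptions for the demo; tune them to your environment.
BRUTE_FORCE = dict(window=60, failures=5)   # >=5 auth failures per src->dst in 60 s
PORT_SCAN = dict(window=10, ports=15)       # >=15 distinct dst ports per src in 10 s


def parse(line: str) -> dict:
    """'2024-05-01T10:00:01 src=... dst=... dport=22 event=auth_fail' -> dict."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.fromisoformat(ts)
    rec["dport"] = int(rec["dport"])
    return rec


class SlidingWindow:
    """Keeps (timestamp, value) per key and drops entries older than the window."""

    def __init__(self, seconds: int):
        self.window = timedelta(seconds=seconds)
        self.buckets = defaultdict(deque)

    def add(self, key, ts, value):
        q = self.buckets[key]
        q.append((ts, value))
        while q and ts - q[0][0] > self.window:
            q.popleft()
        return q


def detect(lines):
    """Return alerts as (kind, src) tuples; one alert per offending source."""
    fails = SlidingWindow(BRUTE_FORCE["window"])
    ports = SlidingWindow(PORT_SCAN["window"])
    alerts, seen = [], set()

    def raise_once(kind, src):
        if (kind, src) not in seen:
            seen.add((kind, src))
            alerts.append((kind, src))

    for rec in map(parse, lines):
        if rec["event"] == "auth_fail":
            q = fails.add((rec["src"], rec["dst"]), rec["ts"], 1)
            if len(q) >= BRUTE_FORCE["failures"]:
                raise_once("brute_force", rec["src"])
        if rec["event"] in ("syn", "auth_fail"):
            q = ports.add(rec["src"], rec["ts"], rec["dport"])
            if len({p for _, p in q}) >= PORT_SCAN["ports"]:
                raise_once("port_scan", rec["src"])
    return alerts


def build_sample_log():
    """Constructed log: one SSH brute forcer, one forgetful user, one port scanner."""
    t0 = datetime(2024, 5, 1, 10, 0, 0)
    lines = []
    for i in range(8):                          # 8 failures in 35 s -> brute force
        lines.append(f"{(t0 + timedelta(seconds=5 * i)).isoformat()} "
                     f"src=203.0.113.7 dst=192.168.1.10 dport=22 event=auth_fail")
    for i in range(2):                          # 2 failures -> below threshold
        lines.append(f"{(t0 + timedelta(seconds=30 * i)).isoformat()} "
                     f"src=192.168.1.20 dst=192.168.1.10 dport=22 event=auth_fail")
    for i, port in enumerate(range(20, 45)):    # 25 ports in 5 s -> port scan
        lines.append(f"{(t0 + timedelta(milliseconds=200 * i)).isoformat()} "
                     f"src=198.51.100.9 dst=192.168.1.10 dport={port} event=syn")
    return sorted(lines)                        # logs are processed in time order


if __name__ == "__main__":
    for alert in detect(build_sample_log()):
        print(alert)
```

Two details carry over to a real deployment: the brute-force key is (source, destination), so one source trying many servers slowly is a separate signal, and the window is sliding, so five failures spread over 80 seconds never count as five. Both are tunables, and both are exactly what an attacker probes for when throttling a password spray.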

15. Virtual Private Network (VPN) Rules

  • Control remote users' access to the corporate network with specific policies.
  • Apply different rules to VPN users based on their origin or profile.

Objective:

Allow access only to authorized employees through the VPN, denying all traffic from unauthenticated external users.

Configuration:

Define the VPN user group:
create user-group "VPN_Users"
add user "user1"
add user "user2"
commit

Create the VPN access policy:
configure firewall policy
set srcintf "VPN"
set dstintf "Internal_Network"
set srcaddr "all"
set dstaddr "192.168.1.0/24"
set user-group "VPN_Users"
set action "accept"
commit

Unauthenticated users never match this rule and fall to the implicit deny. Narrow dstaddr to the servers the group actually needs rather than the whole subnet, require MFA on the VPN itself, and keep the VPN interface in its own zone so remote users are not treated as if they were on the LAN.

16. Tagging Rules

  • Tag resources and apply dynamic, tag-based policies.

Objective:

Apply dynamic tag-based policies to critical servers in a network.

Configuration:

Tag the servers:
create tag "Critical_Servers"
assign tag "Critical_Servers" to object "Server_1"
assign tag "Critical_Servers" to object "Server_2"
commit

Configure the tag-based rule:
configure firewall policy
set srcintf "Internal"
set dstintf "WAN"
set srcaddr tag "Critical_Servers"
set action "accept"
commit

The rule matches whatever objects carry the tag at evaluation time, so tagging a new server applies the policy without editing the rule. That makes tag assignment a security boundary in its own right: restrict who (and which automation) can add a tag, and audit tag changes just as you audit rule changes.

17. Multicast and Broadcast Traffic Rules

  • Control and restrict multicast traffic (for example, for video conferencing applications).
  • Limit unnecessary broadcast traffic.

Objective:

Allow multicast only for specific applications, such as video conferencing on VLAN 10.

Configuration:

Allow the wanted multicast traffic first:
configure multicast-policy
set srcaddr "192.168.10.0/24"
set dstaddr "224.0.0.0/4"
set service "video-conference"
set action "accept"
commit

Then block all other multicast traffic:
configure multicast-policy
set srcaddr "all"
set dstaddr "224.0.0.0/4"
set action "deny"
commit

The order matters: the specific accept must precede the catch-all deny. 224.0.0.0/4 is the entire IPv4 multicast range, including the link-local block 224.0.0.0/24 used by routing protocols and similar control traffic, so confirm that the firewall's own routing and HA traffic is not caught by the deny.

18. Network Segmentation Rules

  • Create micro-segmentation to separate sensitive environments (for example, production, test, and development).
  • Restrict lateral traffic between machines within the same network.

Objective:

Separate traffic between the development (192.168.20.0/24) and production (192.168.10.0/24) networks.

Configuration:

Create the network zones:
create zone "Development"
assign interface "vlan20" to zone "Development"
create zone "Production"
assign interface "vlan10" to zone "Production"
commit

Set up the cross-zone policy:
configure firewall policy
set srczone "Development"
set dstzone "Production"
set action "deny"
commit

Add the same deny for Production to Development unless a flow genuinely needs it. Any exception (a deployment pipeline pushing to production, for example) goes above the deny as a narrow accept with explicit source, destination and service, and with logging on. Zone-based rules only see traffic that crosses the firewall; hosts on the same VLAN still talk directly, so true micro-segmentation also needs host firewalls or private VLANs.

19. Advanced Threat Mitigation Rules

  • Block connections to domains and IPs known as command-and-control (C2) infrastructure.
  • Check connections in real time against threat intelligence feeds.

Objective:

Block connections to known command-and-control (C2) domains or IPs.

Configuration:

Update the threat database:
update threat-database
commit

Configure the policy to block traffic to C2:
configure firewall policy
set srcintf "LAN"
set dstintf "WAN"
set threat-category "C2"
set action "deny"
commit

Log every hit on this rule: a match means the source host is probably already compromised and needs incident response, not just a blocked packet. Domain-based indicators need DNS or TLS SNI visibility to match, so pair the rule with DNS filtering, and schedule automatic feed updates because C2 infrastructure changes daily.

20. Auditing and Monitoring Rules

  • Permit a class of traffic but log every session, so it can be audited or monitored.
  • Record events for later analysis.

Objective:

Allow traffic so that it can be monitored and audited, without blocking it.

Configuration:

Create the monitoring policy:
configure firewall policy
set srcintf "LAN"
set dstintf "WAN"
set logtraffic "all"
set action "accept"
commit

Export logs to a SIEM server:
configure log-settings
set server-ip "192.168.100.100"
set server-port "514"
set format "syslog"
commit

Port 514 is plain UDP syslog: unauthenticated, unencrypted, and lossy. Where the platform and the SIEM support it, use syslog over TLS (TCP 6514) or the SIEM's native collector. Log denies as well as accepts (denied traffic is where reconnaissance shows up), and size the logging pipeline before enabling session logging on a busy policy.

Should I Implement an NGFW in My Business?

This depends on your needs and current infrastructure. Some clear signs that you need an NGFW:

  1. Recurring threats: you see constant attack attempts, such as malware or phishing.
  2. Accelerated growth: your network is becoming more complex, especially with cloud applications.
  3. Exposure to sensitive data: companies in sectors such as finance, health, or retail require advanced protection.

If your current infrastructure relies on basic firewalls and you’re seeing increasing risks, an NGFW may be the investment that transforms your security.

Final Tips for Setting Up and Using an NGFW

  1. Assess your needs: before setting up rules, analyze your network and the assets that need the most protection.
  2. Automate where possible: many NGFW platforms integrate with security orchestration and automated response (SOAR) systems.
  3. Update rules regularly: threats evolve and so must your configuration; review hit counts and remove unused or shadowed rules.
  4. Test thoroughly: run attack simulations to verify that your rules behave as intended.
  5. Empower your team: the best firewall in the world is useless if it is not configured properly.

Thanks for reading!
