The CloudGen Firewall is capable of controlling the network traffic at certain crucial layers in the OSI network model:
- Layer 7: The Application Layer. On this layer, users interact with applications via the HMI (human machine interface), and applications access network services.
- Layer 3: The Network Layer. Based on routing decisions, data travels through specific data paths on this layer.
- Layer 2: The Data Link Layer. This layer defines the format of data on the network.
On the CloudGen Firewall, access rules control the basic flow of packets between source and destination. Whereas MAC and IP addresses identify source and destination, the service port or the protocol identification number refers to a specific data category at the lowest layer, e.g., port 80 for HTTP and port 443 for HTTPS. On layer 2, the firewall does not know which application the data belongs to. Blocking traffic on layer 2 or 3 will therefore prevent every application that uses these protocols on layer 7 from successfully transmitting or receiving data.
Because an ever-increasing number of applications use these two protocols (ports 80 and 443) on layer 7 for their own purposes, the variety of application-related data also continues to grow. In order to identify the traffic at layer 7 that directly interacts with the user, the CloudGen Firewall provides another type of rule that can directly control the data flow at the application layer. These rules are called application rules and are also configured in the firewall service.
Application rules are similar to access rules and allow you to block the traffic of specific applications while allowing others to transmit data. By appropriately combining an access rule with an application rule, the firewall can be configured to handle traffic more specifically for a large number of different applications that share the same network layer.
Up to firmware release 8.2, access rules at layers 2 and 3, and application rules at layer 7, had to be managed separately and combined when required. This could cause large rule setups to become increasingly hard to maintain due to the large number of combinations.
To ease handling, Policy Profiles now allows you to differentiate the large variety of data classes on layer 7 into predefined categories:
- SD-WAN – SD-WAN provides multipath VPN tunnels across all providers with redundant, reliable, and fail-safe network connections.
- Applications – Custom web applications.
- URL Filtering – Categories for blocking malicious URLs.
- Malware Protection – Protection against advanced malware, zero-day exploits, and targeted attacks not detected by the IPS.
- SSL Inspection – Decrypts inbound and outbound SSL and TLS connections.
- IPS – Monitors local and forwarding traffic to block suspicious traffic and avert possible network attacks.
- File Content – Real-time file content filtering for HTTP, HTTPS, FTP, SMTP, and SMTPS.
- User Agent – Controls access to a web-based resource based on the user agent string.
These default policy profiles contain predefined setups that already provide basic security without the need to reconfigure application rules from the bottom up. To increase security, you can define your own policy profiles. In this case, the profiles you create will be applied first, and if none of these application-related rules match, the default profiles will still provide basic security.
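To make the evaluation order concrete, here is an added Python model (not the firewall's own code or configuration format) of the two-stage decision the text describes: an access rule decides on the service port, then application rules from the profiles you create are consulted before the default profiles. All class names, rule names and sample flows are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed model of the evaluation order described above. All class and
# rule names are hypothetical; this is not the firewall's configuration format.

@dataclass
class Flow:
    port: int      # layer-3/4 view: service port, e.g. 443
    app: str       # layer-7 view: the detected application

@dataclass
class AccessRule:
    name: str
    dst_port: Optional[int]   # None matches any port
    action: str               # "allow" or "block"

@dataclass
class AppRule:
    name: str
    app: Optional[str]        # None matches any application
    action: str

def first_match(rules, matches: Callable):
    """First-match semantics: the first rule whose predicate holds wins."""
    for rule in rules:
        if matches(rule):
            return rule
    return None

def evaluate(flow: Flow, access_rules: List[AccessRule],
             custom_profiles: List[AppRule],
             default_profiles: List[AppRule]) -> Tuple[str, str]:
    """Return (decision, name of the rule that decided)."""
    acc = first_match(access_rules, lambda r: r.dst_port in (None, flow.port))
    if acc is None:
        return "block", "implicit-deny"
    if acc.action == "block":
        # A block on layer 2/3 stops every layer-7 application on that port,
        # because the access rule cannot see which application sent the data.
        return "block", acc.name
    # Application rules: profiles you create are applied first; the default
    # profiles are consulted only when none of the custom rules matched.
    for profile in (custom_profiles, default_profiles):
        app_rule = first_match(profile, lambda r: r.app in (None, flow.app))
        if app_rule is not None:
            return app_rule.action, app_rule.name
    return "allow", acc.name   # nothing at layer 7 objected
```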
For more information on access rules, see Access Rules.
For more information on policy profiles, see Policy Profiles.
For more information on application rules, see Application Control and How to Create an Application Rule.
Application Rule Sets vs. Policy Profiles
As of firmware 8.3.1 and 9.0.0, Policy Profiles is part of the firmware. Except on a newly installed 9.0.0 firmware, where Policy Profiles is already preconfigured, you can either continue using application rules as before or switch to Policy Profiles manually.
For more information on how to switch from application rules to Policy Profiles, see How to Switch from Application Rules to Policy Profiles.
For more information on how to switch from Policy Profiles to application rules, see How to Switch from Policy Profiles (back) to Application Rules.