A Deny access rule terminates matching network sessions by replying 'TCP-RST' for TCP requests, 'ICMP Port Unreachable' for UDP requests, or 'ICMP Denied by Filter' for other IP protocols. Because the remote host receives a reply, it knows that your system is up and running and protected by a firewall.
Create a Deny Access Rule
- Go to FIREWALL > Access Rules.
- Click Add Access Rule to create a new rule. The Add Access Rule window opens.
- Select Deny as the Action.
- Enter a Name for the rule. E.g.,
ExampleDenyRule
- Specify the following settings that must be matched by the traffic to be handled by the access rule, and click + after each entry:
- Source – The source addresses of the traffic.
- Network Services – Select a service object, or select Any for this rule to match for all services.
- Destination – The destination addresses of the traffic.
- (optional) Configure Advanced settings. For more information, see Advanced Access Rule Settings.
- Click Save.
- Drag and drop the access rule so that it is the first rule that matches the traffic that you want it to forward. Ensure that the rule is located above the BLOCKALL rule; rules located below the BLOCKALL rule are never executed.
Additional Matching Criteria
- Valid for Users – For more information, see User Objects.
- Apply only during this time – For more information, see Schedule Objects.
Returning a Block Page for HTTP Traffic
Block and Deny access rules can return a block page if the user was blocked using the HTTP protocol on port 80. All other protocols and ports covered by the access rule will be blocked at TCP SYN level.
- Go to FIREWALL > Access Rules.
- Edit a Block access rule. The Edit Access Rule window opens.
- Click the Advanced tab.
- In the Other section, set HTTP Block Page to Access Block Page or Quarantine Block Page.
- Click Save.
When a user is blocked by this access rule while using HTTP on port 80, the customizable Access Block Page is displayed. For more information, see How to Configure Custom Block Pages and Texts.