The Dynamic page provides information on dynamic processes within the firewall ruleset. During normal operation, three main things happen dynamically: the counting of protected IPs, redirection, and dynamic rule activation. To access the Dynamic page, click the FIREWALL tab and select the Dynamic icon in the service bar.
The Dynamic page arranges information into the following tabs.
- Dynamic Rules
- Protected IPs
- Dynamic Services
- Redirect Availability
- Bridging ARPs
The Dynamic Rules tab provides information on the use of dynamic rules and hostname network objects. For more information, see Hostname (DNS Resolvable) Network Objects.
In the upper section of the tab, data regarding the use of dynamic rules are arranged in the following columns:
- Rule – Icon representing the rule status (inactive - cross; active - green square) and the name of the dynamic rule. This column also displays the username, when set.
- Status – The current state of the rule (Disabled - inactive; Enabled - active).
- Expires – Time remaining until the current state expires.
- Expire Action – Action taken as soon as the dynamic activation expires.
In the lower section of the tab, data regarding hostname network objects are arranged in the following columns:
- Index – Iterative ID of the network object. The index number is determined by the combination of the Max. DNS Entries value and the percentage distribution of DNS queries allowed for network objects in use by the local and forwarding firewall rulesets. Index numbers start with 0 for network objects used by the forwarding firewall. The initial index number for network objects used in the local firewall is 75% of the Max. DNS Entries value - that is, 384 with the default of 512 Max. DNS Entries configured. For more information, see General Firewall Configuration.
Managed firewalls inherit global, cluster, and range hostname objects. These objects are automatically added to the memory space of the forwarding firewall ruleset.
- DNS Name – The DNS-resolvable hostname configured in the network object.
- Status – The current state of the network object. The following states are available: New, Pending, Resolved.
- Addresses – The result of the DNS query.
- Last Update – Time that has passed since the currently active DNS entry was last retrieved by the firewall.
- Lifetime – Lifetime that is configured in the network object.
To manually update the DNS resolution of currently used network objects, select one or multiple list entries, then right-click and click Refresh selected DNS entries in the context menu.
The Protected IPs tab provides information on the number of active IP addresses (so-called protected IP addresses) for virtual appliances. Virtual firewall licenses are classified by the number of protected IP addresses. Verify that the actual number of protected IP addresses does not exceed the licensed number of protected IP addresses for your Vx model.
The following columns are available:
- ID – Icon representing the protected IP status and an iterative ID number.
- Status – Status of each protected IP address (licensed or obsolete).
- Last – Time elapsed since the IP address was last counted.
- Address – Address of the protected IP address.
- App Detect – Windows Application Detection.
Every hour, the list of protected IP addresses is checked to verify that the IP addresses are still in use, and if inactive, marked as obsolete. Every 30 minutes, obsolete IP addresses are removed from the list of protected IP addresses. Since these two tasks are not synchronized, protected IP addresses might be considered active for as long as 90 minutes after the last active connection.
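The following is a constructed model of the aging behaviour described above (added here for illustration; it is not firewall code). It treats the hourly check and the 30-minute cleanup as two periodic jobs with independent phase offsets, so it shows where the 90-minute worst case comes from and lets you estimate how long an idle address still counts against the license.

```python
"""Constructed model of protected-IP aging: an hourly check marks idle
addresses obsolete, a 30-minute cleanup removes obsolete ones. Times are
minutes. The phase offsets of the two jobs are assumptions; the page only
states that the jobs are not synchronized."""

CHECK_PERIOD = 60   # minutes between "still in use?" checks (from the page)
REMOVE_PERIOD = 30  # minutes between removals of obsolete entries (from the page)


def next_run(period, offset, after):
    """First run strictly after minute `after` of a job firing at offset + k*period."""
    k = (after - offset) // period + 1
    return offset + k * period


def minutes_until_removed(last_seen, check_offset=0, remove_offset=0):
    """Minutes from the last active connection until the address leaves the list."""
    # First hourly check after the connection ended marks the entry obsolete.
    marked = next_run(CHECK_PERIOD, check_offset, last_seen)
    # First cleanup after (not at) the mark removes it; a cleanup that coincides
    # with the mark is assumed not to see the new mark (unsynchronized jobs).
    removed = next_run(REMOVE_PERIOD, remove_offset, marked)
    return removed - last_seen


def worst_case(check_offset=0, remove_offset=0):
    """Longest lingering time for any last-seen minute within one check period."""
    return max(minutes_until_removed(t, check_offset, remove_offset)
               for t in range(CHECK_PERIOD))


def worst_case_over_offsets():
    """Worst case over all relative phases of the two jobs (expected: 90)."""
    return max(worst_case(c, r) for c in range(CHECK_PERIOD) for r in range(REMOVE_PERIOD))


def still_counted(now, last_seen_by_addr, check_offset=0, remove_offset=0):
    """Addresses that still count against the license at minute `now`."""
    return sorted(addr for addr, t in last_seen_by_addr.items()
                  if t <= now < t + minutes_until_removed(t, check_offset, remove_offset))
```

With the cleanup offset by 15 minutes from the check, the worst case drops to 75 minutes; with both on the hour it is 90, which is the bound the page gives.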
The Dynamic Services tab provides information on protected IP addresses and is used in conjunction with ONCRPC. For more information, see: Firewall Plugin Modules.
The following columns are available:
- Used Address – IP address of the service used.
- Proto – The protocol.
- Port – Port of the service used.
- Service Name – Name of the service used.
- Service Desc – Service description, if entered.
- Target Address – Target IP address of the service.
- Expires – The expiration date.
- Used – Information on usage.
- Updated – Update information.
- Source Address – The source IP address.
- Source Mask – The source netmask.
The Redirect Availability tab shows the state of the destination IP addresses used by Dst NAT access rules. The firewall monitors these targets and, depending on their availability and the redirection policy (cycle or fallback), decides which destination IP address the traffic is forwarded to. The state of the destination IP addresses per rule is displayed using the following columns:
- Rule – Name of the rule.
- Address – The target address.
- Used – Number of connection requests redirected to the target address.
- Unreachable Since – Time since the target has been unavailable.
- Last Retry – Time since last retry.
- Count Retry – Number of retries since the target was marked unavailable.
- Bad Port – The port found unreachable. Relevant when the rule checks more than one critical port.
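As an added illustration of what the columns above record (constructed model, not the firewall's implementation), the following keeps one row per target and updates it as connections are redirected and reachability probes fail or succeed. The policy semantics are assumptions: cycle is modelled as round-robin over the reachable targets, fallback as the first reachable target in configured order.

```python
"""Constructed model of the per-target state on the Redirect Availability tab.
Assumed semantics (not stated on the page): 'cycle' = round-robin over
reachable targets, 'fallback' = first reachable target in configured order.
Times are minutes; the tab shows them as elapsed time."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Target:                                  # one row of the tab
    address: str                               # Address
    used: int = 0                              # Used
    unreachable_since: Optional[int] = None    # Unreachable Since (None = reachable)
    last_retry: Optional[int] = None           # Last Retry
    count_retry: int = 0                       # Count Retry


class DstNatRule:
    def __init__(self, name, addresses, policy):
        if policy not in ("cycle", "fallback"):
            raise ValueError("policy must be 'cycle' or 'fallback'")
        self.name, self.policy = name, policy
        self.targets = [Target(a) for a in addresses]
        self._next = 0                         # round-robin cursor for 'cycle'

    def _get(self, address):
        return next(t for t in self.targets if t.address == address)

    def redirect(self):
        """Pick the target for a new connection request and count it as Used."""
        up = [t for t in self.targets if t.unreachable_since is None]
        if not up:
            return None                        # no reachable target left
        if self.policy == "fallback":
            chosen = up[0]                     # assumed: first reachable in order
        else:
            chosen = up[self._next % len(up)]  # assumed: round-robin over reachable
            self._next += 1
        chosen.used += 1
        return chosen.address

    def probe_failed(self, address, now):
        """Reachability check of `address` failed at minute `now`."""
        t = self._get(address)
        if t.unreachable_since is None:        # newly unavailable: start the counters
            t.unreachable_since, t.last_retry, t.count_retry = now, now, 0
        else:                                  # still down: one more failed retry
            t.last_retry, t.count_retry = now, t.count_retry + 1

    def probe_succeeded(self, address):
        """Target answered again: clear its unavailability state."""
        t = self._get(address)
        t.unreachable_since = t.last_retry = None
        t.count_retry = 0

    def rows(self, now):
        """Rule, Address, Used, Unreachable Since, Last Retry, Count Retry per target."""
        return [(self.name, t.address, t.used,
                 None if t.unreachable_since is None else now - t.unreachable_since,
                 None if t.last_retry is None else now - t.last_retry,
                 t.count_retry) for t in self.targets]
```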
The Bridging ARPs tab provides information on connections that have been established over bridging interfaces (see: Bridging).
- MAC – The MAC address of the external interface that has established a connection to the bridging interface.
- Interface – The bridging interface through which the connection has been established.
- Group – The name of the bridged interface group the interface belongs to.
- IPs – The IP addresses recorded here belong to the MAC address displayed in the first column.
- Type – dynamic if the IP addresses bound to the MAC address were learned dynamically through proxy ARP; static if the MAC/IP combination shown in the other columns was configured statically through the Static Bridge MAC parameter.
- Timer – The connection timer.
Right-clicking a selected entry makes the following actions available in a context menu:
- Remove Selected MACs – Deletes the selected MAC address(es) from the list.
- Remove IPs from Selected MAC – Deletes IP addresses from a specific MAC that have been saved during a bridged connection establishment, without removing the MAC address itself from the list.