Firewall Settings

Applies To: Wi-Fi Cloud-managed Access Points (AP120, AP125, AP225W, AP320, AP322, AP325, AP327X, AP420)

A firewall controls incoming (wired to wireless) and outgoing (wireless to wired) network traffic for wired-side hosts based on a set of defined rules.

The Firewall feature is intended to control access to or from wired-side hosts.

The firewall rules defined for the SSID are evaluated in top-down order: the first rule is checked first, then each following rule, until a rule matches the host name and direction of the traffic. Because the first match wins, rule order matters; to reorder rules, click a rule and move it to a different position.

When you create an SSID, the default rule is set to block all incoming and outgoing requests from any host or domain. The default rule applies to any request from an IP address, host name, subdomain name, or domain name for which no specific firewall rule matches. Set the default rule by selecting Allow or Block.

To configure Firewall rules in an SSID, see Configure SSID Settings.

To add a firewall rule for an SSID, configure these options for each rule:

Field

Description

Rule Name

Name of the rule.

Host

Domain name, subdomain name, host name, subnet, or IP address to which the rule applies.
You can provide a comma-separated list of more than one host here. For example, 192.168.8.173, www.facebook.com, 192.168.121.0/24.

Port

Port number. You can provide a comma-separated list of port numbers or port ranges here. For example, 20-22, 80, 443.

Action

If you want to block traffic to or from the host, select Block. If you want to allow traffic to or from the host, select Allow.

Protocol

Network protocol. These options are available:

  • TCP: If the rule is for TCP-based communication, select the TCP option.
  • UDP: If the rule is for UDP-based communication, select the UDP option.
  • Other: If the rule is for communication based on a protocol other than TCP or UDP, select Other. You must then specify the IP protocol number.
  • Any: If the rule is for communication that is not protocol specific, select the Any option.

Protocol No.

Protocol number. This field appears only when the selected protocol is Other.

Direction

Direction of network traffic. These options are available:

  • Outgoing: If the rule is to be applied to data going out of your network from the wireless to wired network, select the Outgoing option.
  • Incoming: If the rule is to be applied to data coming into your network from the wired to wireless network, select the Incoming option.
  • Any: If the rule is to be applied to both outgoing and incoming traffic, select the Any option.

For example, if you want to allow or prevent users of your wireless network from accessing certain websites or domains, define the respective rule with the direction set to Outgoing. Similarly, if you want to prevent certain hosts from accessing your wireless network, define a rule specific to that host name or domain name with the direction set to Incoming.

For example, to allow all incoming and outgoing TCP requests from and to the host mail.google.com on ports 80, 25, 110, 465, and 995, specify the Host as mail.google.com, Port as 80, 25, 110, 465, 995, Action as Allow, Protocol as TCP, and Direction as Any.
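The following Python model of the rule evaluation described above (top-down, first match wins, SSID default rule otherwise) is an added example and is not WatchGuard code; it assumes that a domain pattern also matches its subdomains and that an empty Port field means any port, neither of which the page states. The constructed rule set uses the mail.google.com example from this page.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    host: str             # comma-separated IPs, CIDR subnets, host or domain names
    port: str             # comma-separated ports or inclusive ranges, e.g. "20-22, 80, 443"
    action: str           # "Allow" or "Block"
    protocol: str         # "TCP", "UDP", "Other" or "Any"
    direction: str        # "Outgoing", "Incoming" or "Any"
    protocol_no: int = 0  # IP protocol number, used only when protocol is "Other"

def host_matches(pattern, host):
    """IP/CIDR patterns match addresses; a name pattern matches itself and its subdomains (assumed)."""
    pattern = pattern.strip().lower()
    try:
        return ipaddress.ip_address(host) in ipaddress.ip_network(pattern, strict=False)
    except ValueError:  # one side is not an address, so compare as names
        return host.lower() == pattern or host.lower().endswith("." + pattern)

def port_matches(spec, port):
    """Empty port field means any port (assumed); otherwise numbers or 'lo-hi' ranges."""
    if not spec.strip():
        return True
    for part in spec.replace(" ", "").split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def rule_matches(rule, host, port, proto, direction):
    """proto is "TCP", "UDP", or the IP protocol number for anything else."""
    want_proto = rule.protocol_no if rule.protocol == "Other" else rule.protocol
    return (rule.direction in ("Any", direction)
            and want_proto in ("Any", proto)
            and any(host_matches(p, host) for p in rule.host.split(","))
            and port_matches(rule.port, port))

def evaluate(rules, default_action, host, port, proto, direction):
    """Top-down evaluation: the first matching rule wins, else the SSID default rule applies."""
    for rule in rules:
        if rule_matches(rule, host, port, proto, direction):
            return rule.action, rule.name
    return default_action, "default"
# Constructed rule set: the page's mail.google.com example, then a subnet block; default is Block.
RULES = [
    Rule("Allow mail", "mail.google.com", "80, 25,110, 465, 995", "Allow", "TCP", "Any"),
    Rule("Block lab subnet", "192.168.121.0/24", "", "Block", "Any", "Incoming"),
]
```

Reordering the list changes the outcome for any traffic that two rules both match, which is why the position of a broad Block rule relative to a narrower Allow rule must be checked when rules are moved.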