Firewall Settings

Applies To: Wi-Fi Cloud-managed Access Points (AP120, AP125, AP225W, AP320, AP322, AP325, AP327X, AP420)

A firewall controls incoming (wired to wireless) and outgoing (wireless to wired) network traffic for wired-side hosts based on a set of defined rules.

The Firewall feature is intended to control access to or from wired-side hosts.

The firewall rules defined for the SSID are evaluated in a top down order. The first rule is evaluated first, followed by the next rule until a match is found for the respective host name and direction. You can click a rule and move it to a different location to reorder the rules.

When you create a SSID, the default rule is set to block all incoming and outgoing requests from any host or domain. Define the default rule by selecting Allow or Block to allow or block any type of requests from IP addresses, host names, subdomain names, or domain names for which no specific firewall rules have been defined.

To configure Firewall rules in an SSID, see Configure SSID Settings.

To add a firewall rule for an SSID, configure these options for each rule:



Rule Name

Name of the rule.


Domain name, sub domain name, host name, subnet, or IP address to which the rule applies.
You can provide a comma-separated list of more than one host names here. For example,,,


Port number. You can provide a comma-separated list of port numbers or port ranges here. For example, 20-22, 80, 443.


If you want to block the traffic to or from the host, select Block If you want to allow traffic to or from the host, select Allow.


Network protocol. These options are available:

  • TCP: If the rule is for TCP-based communication, select the TCP option.
  • UDP: If the rule is for UDP-based communication, select the UDP option.
  • Other: If the rule is for a communication based on a protocol other than TCP and UDP, select Other. You must specify the protocol number.
  • Any: If the rule is for communication that is not protocol specific, select the Any option.

Protocol No.

Protocol number. This field appears only when the selected protocol is Other.


Direction of network traffic. These options are available:

  • Outgoing: If the rule is to be applied to data going out of your network from the wireless to wired network, select the Outgoing option.
  • Incoming: If the rule is to be applied to data coming into your network from the wired to wireless network, select the Incoming option.
  • Any:  If the rule is to be applied to both outgoing and incoming traffic, select the Any option.

For example, if you want to allow or prevent users of your wireless network from accessing certain websites or domains, you can define the respective rule and define the direction as Outgoing. Similarly, if you want prevent certain hosts from accessing your wireless network, you can define the rule specific to this host name or domain name and define the direction as Incoming.

For example, to allow all incoming and outgoing TCP requests from and to the host, ports 80, 25, 110, 465, 995, specify the Host Name as, Port as 80, 25,110, 465, 995, Action as Allow, Protocol as TCP, Direction as Any.