Page 116 / 133
2. Make sure the http-outbound service exists and is using the HTTP ALG, Firewall->Services:
   - Find the http-outbound service in the list and click Edit. If there is no service with that name you will have to create one by clicking Add new at the bottom of the list.
   - TCP / UDP Service should be selected and protocol should be set to TCP.
   - Set destination port to 80.
   - Select HTTP/HTML Content Filtering in the ALG dropdown.
   - Click Apply.

3. Now add a policy rule that uses this service, Firewall->Policy:
   - Click LAN->WAN.
   - Click Add new.
4. Edit the new policy we just created:
   - Name the rule allow_http.
   - Enter position 2.
   - Select action Allow.
   - Select service http-outbound.
   - Select schedule Always.
   - Click Apply.
   The new policy should now be added to position two in the list (if not, it can be moved to the right position by clicking on the up and down arrows).

5. Click Activate and wait for the firewall to restart.
Intrusion detection and prevention

Intrusion detection and prevention can be enabled for both policies and port mappings. In this example we are using a port mapping. The policy setup is quite similar.

In this example a mail server with IP 192.168.2.4 and a web server with IP 192.168.2.5 are connected to the DMZ interface on the firewall.

To set up intrusion detection and prevention for a web server on the DMZ net, follow these steps:

1. Create a port mapping for the web server, Firewall->Port Mapping:
   - Under Configured mappings, click Add new.
2. Set up the newly created port mapping:
   - Name the rule map_www.
   - Select service http-in-all.
   - Enter pass to IP: 192.168.2.5 (the IP of the web server).
   - Check the Intrusion detection / prevention option.
   - Select mode Prevention.
   - Enable email alerting by checking the Alerting box.
   - Click Apply.