MBR L13 User’s Guide
3.7.1.10 Advanced Filtering
Advanced filtering is designed to allow comprehensive control over the firewall's behavior. You can define specific
input and output rules, control the order of logically similar sets of rules, and make a distinction between rules that
apply to WAN and LAN devices.
To view the L13 advanced filtering options, click the Advanced Filtering link of the Firewall menu item under the Services tab. The Advanced Filtering screen appears.
Figure 78: Advanced Filtering
3.7.1.10.1 Input and Output Rule Sets
The first two sections of the Advanced Filtering screen, 'Input Rule Sets' and 'Output Rule Sets', are designed for configuring inbound and outbound traffic respectively. Each section is comprised of subsets which can be grouped into three main subjects:
Initial rules - rules defined here will be applied first, on all gateway devices
Network device rules - rules can be defined for each gateway device
Final rules - rules defined here will be applied last, on all gateway devices
The order of the rules' appearance represents both the order in which they were defined and the sequence by which they will be applied. You may change this order after your rules are defined (without having to delete and then re-add them), by using the Move Up and Move Down action icons.
Figure 79: Move Up and Move Down Action Icons
There are numerous rules that are automatically inserted by the firewall in order to provide improved security and
block harmful attacks.
To add an advanced filtering rule:
1. Choose the traffic direction and the device on which to set the rule.
2. Click the appropriate New Entry link. The Add Advanced Filter screen appears.
Figure 80: Add Advanced Filter
The Matching and Operation sections of this screen define the operation to be executed when matching conditions apply.
3. Use the Matching Section to define characteristics of the packets matching the rule.
Source Address - The source address of packets sent or received by the L13. The drop-down menu provides the ability to specify the computer or group of computers on which you would like to apply the rule. Select an address or a name from the list to apply the rule on the corresponding host, or click Any to apply the rule on all L13 LAN hosts.
Destination Address - The destination address of packets sent or received by L13. This address can be configured in the same manner as the source address. This entry enables further filtration of the packets.
Protocol - You may also specify a traffic protocol. Selecting the Show All Services option from the drop-down menu expands the list of available protocols. Select a protocol or add a new one using the User Defined option. This will initiate a sequence that will add a new Service representing the protocol.
Using a protocol requires observing the relationship between a client and a server in order to distinguish between the source and destination ports. For example, let's assume you have an FTP server in your LAN, serving clients inquiring from the WAN. You want to apply a QoS rule on incoming packets from any port on the WAN (clients) trying to access FTP port 21 (your server) and the same for outgoing packets from port 21 trying to access any port on the WAN.
4. You must set the following Traffic Priority rules in the Operation Section:
Figure 81: Restricted Website
Operation Section options:
Drop - Deny access to packets that match the source and destination IP addresses and service ports defined above.
Reject - Deny access to packets that match the criteria defined and send an ICMP error or a TCP reset to the origination peer.
Accept Connection - Allow access to packets that match the criteria defined. The data transfer session will be handled using Stateful Packet Inspection (SPI), meaning that other packets matching this rule will be automatically allowed access.
Accept Packet - Allow access to packets that match the criteria defined. The data transfer session will not be handled using SPI, meaning that other packets matching this rule will not be automatically allowed access. This can be useful, for example, when creating rules that allow broadcasting.
5. Click OK to save the settings.
6. Define a QoS output rule in the same way as the input rule.
7. The Logging section helps you to monitor the rule.
Log Packets Matched by This Rule - Select this check box to log the first packet from a connection that was matched by this rule.
8. By default, the rule will always be active. However, you can configure scheduler rules by selecting User Defined to define time segments during which the rule may be active. Once a scheduler rule(s) is defined, the Schedule drop-down menu will allow you to choose between the available rules.
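The following Python model is an added example, not taken from the L13 guide or its firmware; it shows the initial / device / final evaluation order and how Accept Connection differs from Accept Packet for the FTP case above. It assumes the first matching rule decides and that unmatched traffic is dropped, neither of which the guide states; all names, the `accept_established` label and the addresses are constructed.

```python
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "0.0.0.0/0"  # stands in for "Any" in the address drop-downs
# dev is the gateway device the packet crosses, e.g. "wan"
Packet = namedtuple("Packet", "dev src sport dst dport proto", defaults=["tcp"])
# One direction (Input or Output Rule Sets) with its three subsets
RuleSet = namedtuple("RuleSet", "initial per_device final")

@dataclass
class Rule:
    op: str                   # drop | reject | accept_connection | accept_packet
    src: str = ANY
    dst: str = ANY
    dport: int = 0            # 0 = any destination port
    proto: str = "tcp"

    def matches(self, p):
        return (p.proto == self.proto and self.dport in (0, p.dport)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst))

def evaluate(ruleset, state, p, default="drop"):
    """Return the operation applied to packet p; state is the shared SPI table."""
    flow = (p.src, p.sport, p.dst, p.dport, p.proto)
    reverse = (p.dst, p.dport, p.src, p.sport, p.proto)
    if flow in state or reverse in state:
        return "accept_established"       # SPI: session already approved
    # Initial rules first, then the device's own rules, then final rules.
    for rule in ruleset.initial + ruleset.per_device.get(p.dev, []) + ruleset.final:
        if rule.matches(p):               # assumption: first match decides
            if rule.op == "accept_connection":
                state.add(flow)           # rest of the session skips the rules
            return rule.op
    return default                        # assumption: unmatched traffic is dropped

def ftp_demo(accept_op):
    """Constructed scenario: LAN FTP server 192.168.1.10, WAN clients to port 21."""
    state = set()
    inbound = RuleSet([Rule("drop", src="203.0.113.66/32")],
                      {"wan": [Rule(accept_op, dst="192.168.1.10/32", dport=21)]},
                      [Rule("reject")])
    outbound = RuleSet([], {}, [Rule("drop")])
    client = Packet("wan", "203.0.113.5", 40000, "192.168.1.10", 21)
    blocked = Packet("wan", "203.0.113.66", 40001, "192.168.1.10", 21)
    telnet = Packet("wan", "203.0.113.5", 40002, "192.168.1.10", 23)
    reply = Packet("wan", "192.168.1.10", 21, "203.0.113.5", 40000)
    return [evaluate(inbound, state, p) for p in (client, blocked, telnet)] + \
           [evaluate(outbound, state, reply)]
```

With `ftp_demo("accept_connection")` the server's reply leaves through the state table even though the output final rule drops everything; with `ftp_demo("accept_packet")` the same reply falls to the output rules, so a matching output rule is required.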
3.7.2 Quality of Service
Quality of Service refers to the capability of a network device to provide better service to selected network traffic. This is achieved by shaping the traffic and processing higher priority traffic before lower priority traffic.
The Broadband Connection to the Internet is typically the most significant bottleneck of the network. This is where the high speed LAN (100 Mbps) meets the limited broadband bandwidth of a few Mbps. Special QoS mechanisms must be built into routers to ensure that this sudden drop in connectivity speed is taken into account when prioritizing and transmitting real-time service-related data packets.
Figure 82: End-to-end QoS Challenge Areas
3.7.2.1 General
The General screen provides a Quality of Service "wizard" with which you can configure your QoS parameters according to predefined profiles and in just a few clicks. A chosen QoS profile will automatically define QoS rules, which you can view and edit in the rest of the QoS tab screens, described later.
Note: Selecting a QoS profile will cause all previous QoS configuration settings to be permanently lost.
Click the QoS tab under Services. The Overview screen appears.
Figure 83: Overview
WAN Devices Bandwidth (Rx/Tx) - Before selecting the QoS profile that most suits your needs, select your bandwidth from this drop-down menu. If you do not see an appropriate entry, select User Defined, and enter your Tx and Rx bandwidths manually.
Tx Bandwidth - This parameter defines the gateway's outbound transmission rate. Enter your Tx bandwidth in Kbits per second.
Rx Bandwidth - This parameter defines the gateway's Internet traffic reception rate. Enter your Rx bandwidth in Kbits per second.
Note: Entering inaccurate Tx/Rx values will cause incorrect behavior of the QoS module. It is important to set these fields as accurately as possible.
QoS Profiles - Select the profile that most suits your bandwidth usage. Every profile entry displays a quote describing what the profile is best used for and the QoS priority levels granted to each bandwidth consumer in this profile.
Default - No QoS profile, however the device is limited by the requested bandwidth, if specified.
P2P User - Peer-to-peer and file sharing applications will receive priority.
Triple Play User - VoIP and video streaming will receive priority.
Home Worker - VPN and browsing will receive priority.
