Defining Firewall Servers

In the Servers page you can see a list of servers defined in your system. You can create, edit, delete or search for server objects. Server objects are network objects that are defined with their access and NAT (if applicable) policies.

New server objects are created using a wizard:

  • Step 1 - Select the server type.

  • Step 2 - Define the server's details.

  • Step 3 - Set up the server's access policy properties.

  • Step 4 - NAT configuration (if relevant)

After you create a server, one or more corresponding rules are automatically generated, added to the Access Policy, and shown in the Access Policy > Firewall Policy page. The comment in the rule shows the object name. You can click the object name link in the comment to open the Access tab in the Server Properties.

An easier way to define server objects is by detecting them in the Home > Active Devices page and saving them as servers. For example, this option automatically detects the MAC address of the server, which makes configuration easier.

During the wizard:

  • Click Cancel to quit the wizard.

  • Click Next to move to the next page of the wizard.

  • Click Back to go to an earlier page of the wizard.

  • Click Finish to complete the wizard.

To create a new object:

Click New. The New Server Wizard opens and shows Step 1: Server Type.

Step 1: Server Type

  1. Select the server type. There are built-in types for common servers. You can manually define a server that listens on any configured ports, and you can also change a common server type's ports.

  2. When selecting built-in types, you can optionally click Edit to edit the protocol ports.

  3. When you select Other Server:

    • Select the Protocol (TCP, UDP, or both).

    • Enter the TCP/UDP Ports (enter port numbers and/or port ranges separated by commas, for example, 1,3,5-8,15).
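
A port list in the format shown above (for example, 1,3,5-8,15) can be checked before it is typed into the wizard, which matters most when the server will be reachable from all zones. The following Python is an added example, not code from the appliance or its vendor; the function names, the 1-65535 bound, and the rejection of reversed ranges and embedded spaces are assumptions of this example.

```python
MAX_PORT = 65535  # assumption: valid TCP/UDP port numbers are 1-65535


def parse_port_list(spec):
    """Parse a list such as '1,3,5-8,15' into sorted, merged (start, end) ranges."""
    ranges = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty entry in port list")
        lo, sep, hi = item.partition("-")
        if not sep:          # single port, e.g. '15'
            hi = lo
        if not (lo.isascii() and lo.isdigit() and hi.isascii() and hi.isdigit()):
            raise ValueError(f"not a port or port range: {item!r}")
        lo, hi = int(lo), int(hi)
        if not (1 <= lo <= hi <= MAX_PORT):
            raise ValueError(f"port out of range or range reversed: {item!r}")
        ranges.append((lo, hi))

    # Merge overlapping or adjacent ranges so the real exposure is visible.
    ranges.sort()
    merged = [ranges[0]]
    for lo, hi in ranges[1:]:
        last_lo, last_hi = merged[-1]
        if lo <= last_hi + 1:
            merged[-1] = (last_lo, max(last_hi, hi))
        else:
            merged.append((lo, hi))
    return merged


def exposed_port_count(spec):
    """Number of distinct ports the list opens on the server object."""
    return sum(hi - lo + 1 for lo, hi in parse_port_list(spec))


if __name__ == "__main__":
    # Constructed sample inputs; the first is the example from the text above.
    for sample in ("1,3,5-8,15", "80,443,8080-8090,8085-8100,8101", "8-5", "0,70000"):
        try:
            print(sample, "->", parse_port_list(sample),
                  "ports:", exposed_port_count(sample))
        except ValueError as err:
            print(sample, "-> rejected:", err)
```
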

Step 2: Server Definitions

  1. Enter a Name, IP address, and Comments (optional).

  2. Select the options that apply to the server. For more information, see Users & Objects > Network Objects.

Step 3: Access

  1. Select the zones from which the server is accessible:

    • All zones (including the Internet) - Select this option to create a server that anyone from outside the organization can access. This option requires configuring how the server is accessible through NAT (in the next step).

  2. If you do not want the server to be accessible to pings, clear the Allow access to server in the ICMP (ping) checkbox.

  3. Select the logging policy of traffic to the server:

    • Log blocked connections

    • Log accepted connections

Step 4: NAT (when server is accessible from the Internet)

Select the relevant option:

  • The server's configured IP address (x.x.x.x) is public - This option is only relevant if the Hide internal networks behind the Gateway's external IP address checkbox in the Access Policy > NAT Control page is cleared (see above for details). It means there are no NAT rules on the server.

When you complete the wizard, the server is added to the list of servers on the page and the automatically generated access rules are added to the Access Policy > Firewall Policy Rule Base.

Note - This page is available from the Firewall and NAT sections on the Access Policy tab.