When setting up a new AR series NGFW, a common oversight is not creating an entity (zone) specifically for the device's WAN interface, and not permitting certain outbound services to originate from the device's WAN IP. Both are needed in order to configure firewall rules that allow remote management access (telnet, SSH, HTTPS, WinSCP), as well as other management-related features such as Update Manager and subscription services (e.g. Kaspersky). Simply configuring a rule such as "permit ssh from WAN to LAN" will not work, because traffic addressed to the NGFW's own WAN IP is not a member of the LAN zone.
Below is a sample configuration of the minimal elements, with comments explaining the purpose of each.
| CONFIGURATION | COMMENTS |
| --- | --- |
| `zone WAN` | configure a zone for external/public traffic |
| `network Internet` | |
| `ip subnet 0.0.0.0/0 interface eth1` | |
| `ip route 0.0.0.0/0 eth1` | set the interface as the default gateway |
| `zone Router` | configure a zone, network and host that is specific to the NGFW WAN IP |
| `network Public` | |
| `ip subnet [WAN IP subnet] interface eth1` | |
| `host interface` | |
| `ip address [assigned public IP]` | |
| `ip name-server [DNS server IP]` | enable DNS host resolution |
| `ip domain-lookup` | |
| `rule [xxx] permit https from Router.Public.interface to WAN` | permit HTTPS traffic outbound from the NGFW |
| `rule [xxx] permit dns from Router.Public.interface to WAN` | permit outbound DNS queries from the NGFW |
| `rule [xxx] permit [telnet or ssh] from WAN to Router.Public.interface` | permit inbound remote access to the CLI |
| `rule [xxx] permit http from Router.Public.interface to WAN` | needed when using the Web Control subscription service |
| `rule [xxx] permit undecided from Router.Public.interface to WAN` | needed when using the Application Control subscription service |
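As an added check (not part of the original article, and not Allied Telesis software), the following Python script parses a constructed configuration written in the page's `rule N permit <app> from <entity> to <entity>` syntax and flags the two oversights described above: an inbound management rule whose destination is a zone or network rather than the host entity that owns the WAN IP, and a missing outbound HTTPS or DNS rule from that host. The zone, network and host names (`WAN`, `Router.Public.interface`) and the sample addresses are assumed from the table.

```python
import re
# Constructed sample in the page's rule syntax (not a real device export); it
# contains the "permit ssh from WAN to LAN" mistake and lacks an outbound DNS rule.
BROKEN_CONFIG = """
zone WAN
 network Internet
  ip subnet 0.0.0.0/0 interface eth1
zone LAN
 network Office
zone Router
 network Public
  ip subnet 203.0.113.0/24 interface eth1
  host interface
   ip address 203.0.113.10
rule 10 permit ssh from WAN to LAN
rule 20 permit https from Router.Public.interface to WAN
"""
MGMT_APPS = {"ssh", "telnet", "https"}
REQUIRED_OUTBOUND = {"https", "dns"}  # services the NGFW itself must originate
RULE_RE = re.compile(r"^rule\s+(\d+)\s+permit\s+(\S+)\s+from\s+(\S+)\s+to\s+(\S+)")

def parse_entities(config):
    """Map each entity name (zone, zone.network, zone.network.host) to its kind."""
    entities, zone, network = {}, None, None
    for parts in (ln.split() for ln in config.splitlines()):
        if parts and parts[0] == "zone":
            zone, network = parts[1], None
            entities[zone] = "zone"
        elif parts and parts[0] == "network" and zone:
            network = parts[1]
            entities[f"{zone}.{network}"] = "network"
        elif parts and parts[0] == "host" and zone and network:
            entities[f"{zone}.{network}.{parts[1]}"] = "host"
    return entities

def audit(config, wan_zone="WAN", router_host="Router.Public.interface"):
    """Flag management rules that cannot match traffic to or from the NGFW itself."""
    entities, findings, outbound_seen = parse_entities(config), [], set()
    for m in filter(None, (RULE_RE.match(ln.strip()) for ln in config.splitlines())):
        num, app, src, dst = m.groups()
        # Inbound management must terminate on the host entity that owns the WAN IP.
        if app in MGMT_APPS and src == wan_zone and entities.get(dst) != "host":
            findings.append(f"rule {num}: {app} to '{dst}' never matches the "
                            f"firewall's own WAN IP; use a host such as {router_host}")
        if src == router_host and dst == wan_zone:
            outbound_seen.add(app)
    for app in sorted(REQUIRED_OUTBOUND - outbound_seen):
        findings.append(f"missing: rule permit {app} from {router_host} to {wan_zone}")
    return findings
```

Run `audit()` over a rule set exported from the device to list the rules that will silently never match; an empty list means the management-path rules follow the pattern in the table.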