24. Network & Policy » Whitelist Template¶
It contains a collection of rules created to prevent the blocking of critical traffic. When a filtering rule is matched by a whitelist rule, it won’t be applied to any firewall.
To add similar whitelist rules to multiple Filters, add them to a single Whitelist Template in Configuration » Network & Policy, and apply it to every Filter.
Whitelists were implemented because the software might block attack patterns that you don’t want to be blocked. Destination ports and destination IP addresses are blocked only in worst-case scenarios when no other attack pattern is found. In some cases though, it’s better to let potential malicious traffic enter the network in order to avoid blocking critical traffic.
Every whitelist rule contains the following metrics:
● Prefix – The anomaly IP address must be included in the prefix for the whitelist rule to be evaluated further. Generic whitelist rules have 0.0.0.0/0 as prefix
● Decoder – The decoder of the anomaly, or All to match all decoders
● Rule Type – Possible values: Source IP, Src Port TCP, Dst Port TCP, Src Port UDP, Dst Port UDP, Packet Length, IP TimeToLive, IP Protocol
● Operator – Operators for strings and numbers: equal, non-equal. Operators for numbers: less than, greater than. The operator equal can match IP Addresses in CIDR notation, port ranges written as <port_min>:<port_max>, and packet size ranges written as <pkt_size_min>:<pkt_size_max>
● Rule Value – A user-defined value
● FW Policy – When this parameter is Permit and Operator is equal, the Filter explicitly allows the matched traffic to pass through the Netfilter Firewall. Otherwise, a more generic filtering rule might take precedence over the whitelisted filtering rule
● Comments – An optional description of the whitelist rule
For example, if your DNS server is attacked by spoofed addresses on port 53 UDP, the software might block port 53 UDP traffic towards your DNS server, making it partially unreachable from the Internet. In this case, configure the whitelist rule: [Prefix = Your DNS Server, Decoder = ANY, Rule Type = Dst Port UDP, Operator = equal, Rule Value = 53] and review the settings from General Settings » Anomaly Mitigation.
Note
When a filtering rule cannot be applied because it conflicts with a whitelist rule, a small white flag icon appears next to it in Console reports.