Understanding Firewall Rules and Zones / "Internet IPv4" and "Internet IPv6" equivalent


I have problems understanding the role of "Zones" within the Firewall rules. For example, if I want to address traffic coming from a server that belongs to the LAN zone (IP address is within the LAN zone), do I have to specify the LAN zone within the firewall rule or can I ignore this (Zone = any) and include the server within "Source networks and devices"?

And to address only traffic going from internal networks to Internet, how can I do this?

Let's say I have internal mail servers and want to route outgoing SMTP traffic through a specific interface (e.g. #Port5) instead of the default WAN interface. Compared to UTM, where there was an object called "Internet IPv4" and "Internet IPv6", is there something similar within XG?

Regards, Christian

  • If you take a look at the zones, Internetv4 (UTM) would be Zone WAN. So XG is considering everything going to WAN (Connected to the WAN Interface, hence reachable via Default Gateway) as WAN Zone Traffic.

    That will take place for everything, where you can actually configure something with Zones (Like Firewall).

    In Case of NAT, you can define Ports as Outbound Matching Criteria (V18).

    In Case of SD-WAN Policy Based Routing (V18), you can use ANY for WAN Traffic and "Tweak" a little bit. The Online Help for SD-WAN PBR is helpful for these cases.


    In V17.5 you would use the Firewall (Business Application Rule). In V18, a Mix of SD-WAN PBR and NAT.

  • In reply to LuCar Toni:

    Sorry, I should have mentioned that I am on V18, so I have to use SD-WAN for gateway level routing. My problem understanding the firewall rules is that I don't know how ("Source zones" + "Source networks and devices") and ("Destination zones" + "Destination networks") are combined: is it

    • "Source zones" _AND_ "Source networks and devices"
    • "Source zones" OR "Source networks and devices"

    Let's say, practically, I want to route HTTP/HTTPS traffic from the LAN zone to the WAN zone through #Port5, making sure that I can access internal HTTPS servers from LAN -> LAN and HTTPS servers on branch offices that are connected through IPsec connections. Putting all my public IPv4 in the WAN zone troubles me when using SSL VPN (why: see below):

    I currently have a firewall rule in place that says

    • Source zone = LAN; Source Networks = <my internal IPv4 networks (2x)>
    • Destination zone = (I created a different zone for my #Port5)-Zone; Destination Networks = Any
    • Services = HTTP; HTTPS

    and a SD WAN policy:

    • Incoming Interface: #Port1
    • Source Networks: <my internal IPv4 networks (2x)>
    • Destination Networks: Any
    • Services: HTTP; HTTPS
    • Routing (primary): <gateway for #Port5>
    • Routing (secondary): <none>
    • Override gateway monitoring decision: yes

    This works, besides the fact that I cannot access HTTPS servers on the branch side that are connected through IPsec. I can ping them but not access them through HTTPS.

    What am I doing wrong?

    And I found it to be a non-working configuration, putting all my public IPv4 into the WAN zone, because XG puts too many services on all of them. This is why I started to put certain Ports into separate zones. I want to use each of my public IPv4 with specific services. Let's say IPv4-#1 is only for SSL VPN, IPv4-#2 is for inbound and outbound E-Mail routing and POP3/IMAP and such stuff.

    Now, when I put them all into the WAN zone and I create a user config for SSL VPN, it contains all interface IPs (not Alias) from the WAN zone, even if they are non-routable (private IPv4)! The non-routable IPv4 addresses come from a second WAN connection that we use for outbound "user generated" HTTP/HTTPS traffic like surfing the web, webradio, Youtube ... This sits behind a FritzBox and is within the 192.168.178/24 network. If the XG interface connected to the FritzBox is within the WAN zone, I get an SSL VPN user config that contains the dial-in IPv4 (from the 192.168.178/24 network) of this XG interface.

  • In reply to cwoller:

    Hopefully this image makes it easier to understand my question: I want to go from <LAN IPv4 Net#1> or <LAN IPv4 Net#2> to WAN#2 when using any web-related traffic but want to be able to access my HTTPS server on the branch side as well. My current situation is this:

    • Net#1 -> WAN#2 for HTTP/HTTPS works
    • Net#1 -> Net#3 (branch) for HTTPS-Server does not work (time out), the HTTPS server is pingable!

    • Net#2 -> WAN#2 for HTTP/HTTPS works
    • Net#2 -> Net#3 (branch) for HTTPS-Server does not work (time out), the HTTPS server is pingable!

    My concern is that my Net#1 and Net#2 traffic for the HTTPS server on Net#3 (branch side) gets routed through the SD-WAN policy...

  • In reply to cwoller:

    I understand your problem; that is why I posted my hint about the online help in my initial post. The Online help should help solve your situation.

    I am pointing to the online help to make sure we are not missing a piece of information, which could be crucial.

    Please refer to the online help, read the part about SD-WAN Routing and try to solve this issue. If the Online help misses something, or is not clear, I would like to help you solve this.

  • In reply to LuCar Toni:

    @LuCar Toni: Thank you for pointing me to the online help, twice :-)

    In my case changing the Route precedence from

    • static, sdwan_policyroute, vpn
    • static, vpn, sdwan_policyroute

    saved my day and my internal HTTPS servers are accessible again.
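To make the fix from the last post concrete, here is an added, simplified model of the route lookup order the thread describes (static routes, VPN routes and SD-WAN policy routes consulted in the configured precedence). It is illustration code written for this thread, not Sophos XG code, and it does not claim to reproduce the product's internals. The prefixes (10.1.0.0/24 for Net#1, 10.2.0.0/24 for Net#2, 10.3.0.0/24 for the branch Net#3), the gateway names and the one static route are constructed placeholders, since the thread only names the networks. It shows why, with `sdwan_policyroute` ahead of `vpn`, an HTTPS connection to the branch matches the "Destination Networks: Any" policy and is sent to the WAN#2 gateway instead of into the IPsec tunnel, while ping (no HTTP/HTTPS service match) still falls through to the VPN route, which is exactly the "pingable but HTTPS times out" symptom reported above.

```python
"""Model of Sophos XG-style route precedence (constructed illustration, not product code)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Sequence, Set, Tuple

# Constructed sample addressing; the thread only names these networks, not their prefixes.
NET1 = ip_network("10.1.0.0/24")   # <LAN IPv4 Net#1>
NET2 = ip_network("10.2.0.0/24")   # <LAN IPv4 Net#2>
NET3 = ip_network("10.3.0.0/24")   # Net#3: branch LAN reachable over the IPsec tunnel
ANY = ip_network("0.0.0.0/0")      # "Destination Networks: Any"

HTTP_HTTPS: Set[int] = {80, 443}   # the "Services: HTTP; HTTPS" criterion
ICMP: Optional[int] = None         # ping carries no TCP/UDP destination port


@dataclass(frozen=True)
class Route:
    dest: IPv4Network
    via: str


@dataclass(frozen=True)
class SdwanPolicy:
    """Simplified SD-WAN policy route: every listed criterion must match."""
    sources: Sequence[IPv4Network]
    dest: IPv4Network
    services: Set[int]
    primary_gateway: str


# The three tables named in the poster's route precedence list (values constructed).
STATIC_ROUTES: List[Route] = [Route(ip_network("10.9.0.0/24"), "Port3")]
VPN_ROUTES: List[Route] = [Route(NET3, "ipsec-branch")]
SDWAN_POLICIES: List[SdwanPolicy] = [
    SdwanPolicy(sources=(NET1, NET2), dest=ANY, services=HTTP_HTTPS,
                primary_gateway="gw-Port5"),   # WAN#2 gateway behind #Port5
]
DEFAULT_GATEWAY = "gw-Port1"   # the default WAN interface

# The two precedence orders from the thread: the original one and the one that fixed it.
ORIGINAL = ("static", "sdwan_policyroute", "vpn")
FIXED = ("static", "vpn", "sdwan_policyroute")


def _table_lookup(routes: Sequence[Route], dst: IPv4Address) -> Optional[str]:
    """Longest-prefix match over a plain routing table."""
    best: Optional[Route] = None
    for r in routes:
        if dst in r.dest and (best is None or r.dest.prefixlen > best.dest.prefixlen):
            best = r
    return best.via if best else None


def _sdwan_lookup(src: IPv4Address, dst: IPv4Address, dport: Optional[int]) -> Optional[str]:
    """First policy whose source, destination and service criteria all match."""
    for p in SDWAN_POLICIES:
        if (any(src in n for n in p.sources) and dst in p.dest
                and dport is not None and dport in p.services):
            return p.primary_gateway
    return None


def next_hop(src: str, dst: str, dport: Optional[int], precedence: Sequence[str]) -> str:
    """Walk the route sources in the configured order; first hit wins."""
    s, d = ip_address(src), ip_address(dst)
    for stage in precedence:
        if stage == "static":
            hit = _table_lookup(STATIC_ROUTES, d)
        elif stage == "vpn":
            hit = _table_lookup(VPN_ROUTES, d)
        elif stage == "sdwan_policyroute":
            hit = _sdwan_lookup(s, d, dport)
        else:
            raise ValueError(f"unknown precedence stage {stage!r}")
        if hit is not None:
            return hit
    return DEFAULT_GATEWAY


def compare() -> Dict[str, Tuple[str, str]]:
    """Next hop under the original and the fixed precedence for the thread's cases."""
    cases = [
        ("10.1.0.10", "10.3.0.20", 443, "Net#1 -> branch HTTPS server"),
        ("10.1.0.10", "10.3.0.20", ICMP, "Net#1 -> branch, ping"),
        ("10.2.0.10", "203.0.113.5", 80, "Net#2 -> Internet HTTP"),
    ]
    return {label: (next_hop(s, d, p, ORIGINAL), next_hop(s, d, p, FIXED))
            for s, d, p, label in cases}


if __name__ == "__main__":
    for label, (before, after) in compare().items():
        print(f"{label:30s} original: {before:13s} fixed: {after}")
```

Under the original order the branch HTTPS flow reports `gw-Port5` (sent out WAN#2, where the branch host is not reachable), ping reports `ipsec-branch`, and after the swap both report `ipsec-branch` while Internet-bound HTTP still leaves via `gw-Port5`. When troubleshooting a similar setup, compare each failing flow's five-tuple against the SD-WAN policy criteria in this way before changing zones or firewall rules.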