
UTM Firewall - How to implement an allow list?

Hello,

I'm trying to create a simple allow list (whitelist) in the SOPHOS UTM Firewall for a particular site, leaving all other sites unaffected.

See the following configuration screen:

Rules 9 and 10 are the ones of interest. 
Rule 9 is attempting to define a set of IPs to allow to the given network.
Rule 10 is attempting to block anything that does not match rule 9.

All simple stuff, but why is it completely ignored?

My first thought was that the source IP being tested is the local IP (rather than the external, which would be rather disappointing). So I also disabled rule 9 to simply block everything from that site.  But still nothing.

I also don't understand the automatically created rules 1-4 which basically allow everything everywhere and cannot be modified in any way.  It would make more sense to me to have my two new rules in front of 1-4 as they would appear to short circuit anything following.

Any help appreciated.

Thanks.



  • Edit:  Changed my post, I have to read your post more to see what you are doing, lol.  I'll edit again when I see what you are doing here.  ;)  At first glance 9-10, 10 appears to just cancel 9 out with your Any rule.  Stay away from Any, and use your assigned networks (External, Internal, etc.).

    You said something about 1-4 but I only see one list of 5-10 on that picture.  Is there another picture you didn't provide for 1-4?

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • Thanks for the reply, and update! 

    Sorry, I assumed they were well known rules as they were automatic.  Here they are...

    I was using Any to represent the internet.  Is that not right?

    The logic was - if your external IP does not match one in help-site-allow and you're destined for the Help Site network, then you drop through to rule 10 and get dropped, otherwise you pass through, and rule 10 is not reached.

    Is there any clear documentation on how this is supposed to work?

  • I should clarify use of 'Any' because you can use it more than once in a rule where you shouldn't.

    The rules that were created automatically shouldn't have 'Any' as the 'Source Network', by default, that should have been your Internal Network. The ones that you are showing above (shown above - 1 through 4) are NAT rules - generated when you create a NAT rule, this is fine how they are.

    Now if this were a User-created firewall rule (not NAT) (Some security clean up here):

    Rule 6: I wouldn't have it that way.

    An example:  'Any' ----------->(NTP)-------------->Any. 

    That first 'Any' is a 'Source', and should not be like that.  By doing that, you have opened TCP port 123 to the world essentially. If you are hosting NTP for your own internal network, then it should show as:

    'Internal (Network)' -------->NTP--------> Any

    Also be sure to include just your Internal Network (and/or any applicable secure networks) under NTP:

    The middle (NTP) which is the 'Services' should also NOT have 'Any' as a rule.  This really leaves your UTM bypassing all service ports, and is not secure.  So using Any---->Any----->Any you might as well just turn off the UTM and connect everything right to the modem.

    Leaving the last 'Any' is fine, as that is your 'Destination' and is created that way by default. 

    Rule 9:  I would specify the port that help-site-allow is supposed to use if it's a specialty type port (not a commonly used rule), and if so, create a new service to accommodate, then replace 'Any' with that new service.

    Rule 10:  It appears to me to cancel out 9, because they are set up essentially the same way, but you have one rule allowing it and another rule basically drop or reject the same rule.  Rule 9 tells traffic to pass through on any port to your destination (this is bad), and rule 10 says take anything and drop/reject it.

    And finally, to clarify my original post before I edited it:  I thought at first you were trying to whitelist a website for users, in which case I would simply use the Filtering in Web Protection. This appears to be hosting traffic for internal users?

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)
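To make the two points above concrete (the poster's rule 9/rule 10 allow-list logic, and the reply's warning about 'Any' as a source network), here is a small first-match rule evaluator. It is an added illustration, not code from this thread, the poster's UTM, or Sophos: the rule names, the network objects (`HELP_SITE_NET`, `HELP_SITE_ALLOW`, `INTERNAL_NET`) and every address are constructed from documentation and private ranges, and the matching logic is the generic top-down, first-match model that firewall rule tables follow, not a reproduction of the UTM's internals.

```python
"""First-match firewall rule evaluation, modelled after the UTM rule table
discussed in this thread.  Added illustration, not Sophos UTM code: rule
names, network objects and addresses below are constructed (RFC 5737
documentation ranges and private space), not taken from the screenshots."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


class _Any:
    """Sentinel standing in for the 'Any' network/service object in a rule."""
    def __repr__(self):
        return "Any"


ANY = _Any()


@dataclass(frozen=True)
class Service:
    proto: str   # "tcp" or "udp"
    port: int    # destination port


@dataclass
class Rule:
    name: str
    sources: object        # ANY or a list of CIDR strings
    services: object       # ANY or a list of Service
    destinations: object   # ANY or a list of CIDR strings
    action: str            # "allow", "drop" or "reject"


def _net_matches(spec, addr):
    if spec is ANY:
        return True
    a = ip_address(addr)
    return any(a in ip_network(n) for n in spec)


def _service_matches(spec, proto, port):
    if spec is ANY:
        return True
    return Service(proto, port) in spec


def evaluate(rules, src, dst, proto, port):
    """Walk the table top-down and return (rule name, action) of the first
    rule whose source, service and destination all match; (None, 'no match')
    if the packet falls off the end of the table."""
    for r in rules:
        if (_net_matches(r.sources, src)
                and _service_matches(r.services, proto, port)
                and _net_matches(r.destinations, dst)):
            return r.name, r.action
    return None, "no match"


# --- constructed objects standing in for the thread's network definitions ---
HELP_SITE_NET = ["10.20.30.0/24"]                         # "Help Site" network
HELP_SITE_ALLOW = ["203.0.113.0/29", "198.51.100.50/32"]  # "help-site-allow"
INTERNAL_NET = ["10.0.0.0/16"]                            # "Internal (Network)"
NTP = [Service("udp", 123)]

# Rules 9 and 10 as the poster describes them: allow-listed sources pass,
# everything else bound for the Help Site network is dropped, and other
# destinations are untouched because neither rule matches them.
ALLOW_LIST_RULES = [
    Rule("rule 9", HELP_SITE_ALLOW, ANY, HELP_SITE_NET, "allow"),
    Rule("rule 10", ANY, ANY, HELP_SITE_NET, "drop"),
]

# The two NTP variants from the reply: 'Any' as source matches every address
# on the internet, 'Internal' as source limits the rule to the LAN.
NTP_EXPOSED = [Rule("ntp-any-source", ANY, NTP, ANY, "allow")]
NTP_INTERNAL = [Rule("ntp-internal-source", INTERNAL_NET, NTP, ANY, "allow")]


def allow_list_demo():
    """Three packets against rules 9/10: a listed source, an unlisted source,
    and an unlisted source to an unrelated destination."""
    return (
        evaluate(ALLOW_LIST_RULES, "203.0.113.2", "10.20.30.10", "tcp", 443),
        evaluate(ALLOW_LIST_RULES, "192.0.2.77", "10.20.30.10", "tcp", 443),
        evaluate(ALLOW_LIST_RULES, "192.0.2.77", "10.99.0.1", "tcp", 443),
    )


def ntp_source_demo():
    """The same internet-sourced NTP packet against both rule variants,
    plus an internal client against the tightened variant."""
    return (
        evaluate(NTP_EXPOSED, "192.0.2.77", "10.0.0.5", "udp", 123),
        evaluate(NTP_INTERNAL, "192.0.2.77", "10.0.0.5", "udp", 123),
        evaluate(NTP_INTERNAL, "10.0.0.20", "10.0.0.5", "udp", 123),
    )


if __name__ == "__main__":
    for result in allow_list_demo() + ntp_source_demo():
        print(result)
```

Run as a script, the first three lines show the ordering the poster intended: the listed address hits rule 9 and is allowed, the unlisted one falls through to rule 10 and is dropped, and traffic to any other destination reaches the end of the table untouched. The last three show why the reply objects to 'Any' as a source: the internet-sourced packet matches the exposed NTP rule but not the internal-only one. In the model, as on a real rule table, rule 10 only "cancels" rule 9 when rule 9 fails to match, which is exactly the allow-list behaviour; whether the UTM ever reaches these rules for the poster's traffic depends on the rules evaluated before them, which this model does not include.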

  • Really appreciate your insights on this setup.  We'll have to review the impacts of making the changes you suggest.

    Any idea about the source of the automatically created rules?  I've just assumed they appeared when the product was first installed but you're implying not.

    Moving right down to the last question - yes, the intent was to whitelist a website for users.  So appears we're not even using the right functionality?! :P 

    Looking at Webserver Protection options, the filtering functionality doesn't look appropriate either...

    But the WAF functionality and access control appears to be the one we're after...

    Would you think replacing "Any" with my help-site-allow definition of allowed IPs will do the job?  Or more complicated? My suggestion assumes an implicit deny is enforced as a result of just configuring Allowed.

  • Any idea about the source of the automatically created rules?  I've just assumed they appeared when the product was first installed but you're implying not.

    Yes, as I addressed - when you create a NAT rule, those rules (1 through 4 in your screenshot) are automatically created once you create a NAT rule, so those should be fine to leave as is.  I really wanted to stress the user-created rules that have the 'Any' rule (the ones I broke down).  You can see the NAT rules that have been created under Network Protection:

    When you are using 'Any' as a 'Source Network' in the user-created rules (not the NAT rules! - leave those), you are opening your firewall up to have 'Any' traffic from 'Any' Source Network.  We don't like that, we like it to come from known networks, such as 'Internal' network.  If your rules 9 and 10 were set up to gain access to a website, those are incorrect rules.  Your Rule 8 has the HTTP/HTTPS ports (80/443) for web traffic, but that doesn't mean that every website is available, just internet traffic on port 80 and 443 - the ports we need to get to the internet.  Rule 8 also appears to only be allowing traffic from a specific group.  Only users and computers who are part of that group can access HTTP/S traffic (grants-management-subnet-2a).  By default when that rule is created, it is 'Internal' Network.

    The Webserver Protection piece is if you are hosting a site or sites, and you want your traffic filtered and protected traveling through the UTM.  So, if you were hosting your own site, Webserver Protection is what you would use.

    If you want to just whitelist websites that you visit without them being blocked, that is not what you would want to use.  You would want to be in the Web Protection section.  There are a couple of ways you can do this.  My method is to use Filtering Option Exception list, because downloading of files is what I run into the most.  

    These are some of the ones created by the default installation.  I created a new exception list for my 'Safe Downloading' sites.

    I apply the options for 'Skip these checks' as needed, and add the domain at the bottom, then save it.  My setup allows me to download some files, because the UTM by default doesn't allow .exe and other extensions to be downloaded.  I only put my trusted sites in this list.  So if I wanted to visit nvidia.com to get a driver download, I would add 'nvidia.com' at the bottom under 'Target Domains' and apply any checks to skip, then save.  Once that is saved, I should be able to download the file I need (they provide their drivers with a .exe).

    The other method is using the whitelist option for sites, the same place where you blacklist sites.  So if you are just trying to visit a website, and you are being blocked by your UTM, you can add it under the Allow field.  I also recommend you check out the Categories as well to make sure you aren't blocking site categories you don't intend to block.

    My Web Filtering on the Global tab is set at Transparent Mode, but the Base Policy is where I can control sites.  I block the Windows telemetry here as you can see 'Windows 10'.  That is a list of about 50 sites that block telemetry sent back to MS, but doesn't interfere with updates. 

    There is also a list of sites that I use to block ads (which does a really good job) and the Youtube blocking is still a work in progress.  I can't seem to block those quite yet unless I'm blocking them at the client with a browser extension that isn't UTM related.

    Hope this helps.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)