Network Rules

Network rules allow network traffic to be blocked by inspecting its packet-level attributes, such as source IP addresses and networks.

This type of rule can be translated and synchronized to network-level protection devices, such as firewalls and intrusion prevention systems (IPS).

A Network rule is composed of multiple generic fields and defines a set of actions.

The list of Network rules can be found on the page Protection - Network Rules.

Generic fields

| Field | Description |
|---|---|
| Status | It indicates whether the rule is enabled or not, the user responsible for the last update and its timestamp. |
| ID | The UID of the rule (the first 8 characters for better readability) and, optionally, the description. |
| Target | The target of the rule, which can be an IP address or an IP network. |
| Priority | It indicates the execution priority. Lower values represent higher priority. |
| Expiration | It represents the activation duration. |

Actions

Actions define how Seer Box translates a Network Rule into a firewall rule. Each action specifies:

  • The target firewall where the rule should be applied. The firewall should already be configured on the Firewalls settings page (see Firewalls section for more info).
  • The firewall action to execute when conditions are met. The available actions depend on the firewall being used.

A Network Rule can define multiple actions to be translated into different firewalls simultaneously. This allows flexibility in enforcing security policies across various infrastructures.

Network rule management

Network rule management is available to users in the admin group or to users belonging to a group that has the Handle network rules permission.

Create a Network rule

In addition to creating one or more rules from the alert detail page with the Advanced Protection function, custom rules can be created.

From Seer Box web interface

  1. Access the Protection - Network Rules page: in this section you can view the list of all created Network rules.

  2. To create a custom rule click on the Add rule button in the upper right corner of the page.

  3. A wizard will be displayed that will allow you to create a Network rule. For more details please see the Creation wizard section below.

  4. After entering the data, click on the Save rule button to confirm the creation.

The new Network rule will appear on the summary page.

Creation wizard

The creation wizard is structured in multiple steps.

1. Define the targets

You can choose the targets for the rule, which can be either IP addresses or IP networks.

Selecting multiple target values will create multiple rules.

2. Set the Actions

You can select multiple actions in order to synchronize the rule to firewalls, one per device.

You should configure at least one firewall to add an action.

3. Set the generic fields

You can add a short description to the rule to quickly identify why it was created, set its duration and its priority.

Edit a Network rule

When updating a rule, only certain fields can be modified. Specifically:

  • Generic fields (except for the Target)
  • Actions

When modifying the Generic fields of a Network Rule, the new values will always overwrite the existing ones.

When modifying the Actions of a Network rule, users can choose from three update options:

  1. Add rule actions: add one or more new actions to all selected rules.

    • If an action for the specified firewall does not already exist, it will be added.
    • If an action for the specified firewall already exists, it will remain unchanged.
  2. Replace rule actions: update one or more actions for all selected rules.

    • If an action for the specified firewall already exists, it will be overwritten with the new action.
    • If an action for the specified firewall does not exist, it will be added.
  3. Delete rule actions: remove one or more actions from all selected rules.

    • If an action for the specified firewall exists, it will be removed.
    • If an action for the specified firewall does not exist, no changes will be made.
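
The three update options above, modelled as a small Python function that reports which of the selected rules a bulk edit actually changes. This is an added example, not Seer Box code; the rule IDs, firewall names and action names are constructed, since the available actions depend on the firewall in use.

```python
from copy import deepcopy

MODES = ("add", "replace", "delete")


def update_actions(rules, mode, changes):
    """Apply one bulk update option to every selected rule.

    rules:   {rule_id: {firewall_name: firewall_action}}
    changes: {firewall_name: firewall_action}; the action is ignored for "delete"
    Returns (updated_rules, ids_of_rules_that_actually_changed).
    """
    if mode not in MODES:
        raise ValueError(f"unknown update option: {mode!r}")
    updated = deepcopy(rules)          # never mutate the caller's view
    changed = []
    for rule_id, actions in updated.items():
        before = dict(actions)
        for firewall, action in changes.items():
            if mode == "add":
                # Existing action for this firewall remains unchanged.
                actions.setdefault(firewall, action)
            elif mode == "replace":
                # Overwrite if present, add if absent.
                actions[firewall] = action
            else:
                # Remove if present, otherwise no change.
                actions.pop(firewall, None)
        if actions != before:
            changed.append(rule_id)
    return updated, changed


# Constructed sample data: rule IDs, firewall names and actions are hypothetical.
SELECTED = {
    "a1b2c3d4": {"edge-fw": "drop"},
    "e5f6a7b8": {"edge-fw": "drop", "dc-fw": "reject"},
    "0c9d8e7f": {},
}

if __name__ == "__main__":
    for mode in MODES:
        result, changed = update_actions(SELECTED, mode, {"dc-fw": "drop"})
        print(f"{mode:8} changed={changed}")
        for rule_id, actions in result.items():
            print(f"    {rule_id}: {actions}")
```

With this sample, Add leaves the existing "reject" action on the second rule in place, so the selected rules do not end up with a uniform action on that firewall; Replace is the option that makes them uniform.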

From Seer Box web interface

  1. Access the Protection - Network Rules page: in this section you can view the list of all created Network rules.

  2. Select one or more rules to edit by clicking on the checkbox located at the left end of each item.

  3. As soon as at least one record is selected, the ... button with the three dots icon will be enabled in the upper right corner of the rules' list.

  4. Select the field to update and follow the instructions on the modal.

  5. Click on the Save button to confirm the changes.

Delete a Network rule

From Seer Box web interface

  1. Access the Protection - Network rules page: in this section you can view the list of all created Network rules.

  2. Select one or more rules to delete by clicking on the checkbox located at the left end of each item.

  3. As soon as at least one record is selected, the ... button with the three dots icon will be enabled in the upper right corner of the rules' list.

  4. Select the Delete rules option. It displays a modal confirming the operation. Click on the Confirm button to proceed.

Firewall synchronization

Whenever a Network rule is created, updated, or deleted, Seer Box automatically triggers a synchronization process to apply the changes to the configured firewalls (as defined in the rule's actions).

Synchronization results

The outcome of the synchronization process is displayed:

  • In the Actions column of the rule record
  • Within the Actions subtable, under the Sync status column, which provides a status update for each configured firewall.

Handling synchronization errors

If the synchronization process fails:

  • The user should check the firewall configuration to ensure it is correctly set up.
  • After resolving the issue, the synchronization process can be retried by clicking the Sync firewalls button in the upper-right corner of the Network rules page, under the ... button with the three dots icon.