Versa Networks

Configure SD-WAN IP-Filtering Profiles

For supported software information, see the Supported Software Information section at the end of this article.

Traffic passing through the network may come from, or be destined for, IP addresses with a bad reputation, and such traffic is a security risk to your network. You can configure IP address filtering profiles that block these IP addresses based on their reputation and geographic location. Versa Networks provides an IP reputation feed that is updated both daily and in real time, and predefined IP reputation categories that you can use in IP-filtering profiles.

When you configure an IP-filtering profile, you define match criteria that filter traffic based on IP reputation and IP address metadata (that is, geolocation), and you define the actions to enforce when a session's IP address matches those criteria. You can then reference the IP-filtering profile from a security access policy to enforce it.

This article describes how to configure an IP-filtering profile. 

Configure an IP-Filtering Profile

  1. In Tenant view, select Configure > Secure SD-WAN > Security > Profiles.
  2. Select the IP Filtering tab.
    • If you have not yet configured an IP-filtering profile, click Add IP Filtering Profile.
    • If one or more IP-filtering profiles already exist, they are listed on the screen. Click the + icon.

      The workflow to add an IP-filtering profile displays.
  3. In step 1, Deny & Allow List, you can specify the IP addresses and groups to allow and to deny (block) and the actions to enforce. Note that if the traffic matches both a deny list and an allow list, the action in the deny list takes precedence.
    1. To specify the IP addresses and groups to deny, select the Deny List tab, and then enter information for the following fields.

      Field Description

      Security Action

      Select the action to enforce when the IP-filtering profile encounters an IP address or address group that is on the deny list:

      • Alert—Allow the IP address, and generate an entry in the IP-filtering log.
      • Allow—Allow the IP address, and do not generate an entry in the IP-filtering log.
      • Ask—For HTTP and HTTPS traffic, present an information page that lets the user either cancel the operation by clicking Cancel or continue by clicking OK.
      • Block—Block the IP address and generate an entry in the IP-filtering log. No response page is displayed, and the user cannot continue to the website.
      • Drop Packet—Silently drop the packets without sending any response. The client keeps waiting for a reply from the server, so from the client side it is not possible to tell whether the packets were dropped by the firewall or whether the server is simply slow to respond.
      • Drop Session—Silently drop the session without sending any response. As with Drop Packet, the client keeps waiting for the server and cannot distinguish a firewall drop from a slow or unreachable server.
      • Justify—For HTTP and HTTPS traffic, present an information page that lets the user either cancel the operation by clicking Cancel or continue by entering a justification message and clicking OK.
      • Reject—Send an ICMP unreachable message back to the client and reset the connection to the server. Unlike Drop Packet and Drop Session, this tells the client explicitly that the connection was refused.
      • + Create New—Click to create a new Security Action object. See the Add a Security Action section in Configure Reusable Objects.

      Address Group

      Select the address groups for which to enforce the action.

      • + Add Address Group—Click to create a new Address Group object. See the Add an Address Group section in Configure Reusable Objects.
      IP Address (group of fields)

      Click to specify individual IP addresses for which to enforce the action, using any of the following fields.
      • IPv4/IPv6 Subnet
      Enter a list of IPv4 or IPv6 subnets.
      • IP Range
      Enter a list of IP address ranges.
      • IP Wildcard
      Enter a list of IP address wildcard values.

      Specify the Match Criteria for IP Address

      Select the match criteria for the IP address:

      • Match only source IP address
      • Match only destination IP address
      • Match source or destination IP address
      • Match source and destination IP address
    2. To specify the IP addresses and groups to allow, select the Allow List tab, and then enter information for the following fields.

      Field Description

      Address Group

      Select the address groups to allow.
      • + Add Address Group—Click to create a new Address Group object. See the Add an Address Group section in Configure Reusable Objects.
      IP Address (group of fields)

      Click to specify individual IP addresses to allow, using any of the following fields.
      • IPv4/IPv6 Subnet
      Enter a list of IPv4 or IPv6 subnet values.
      • IP Range
      Enter a list of IP address range values.
      • IP Wildcard
      Enter a list of IP address wildcard values.

      Specify the Match Criteria for IP Address

      Select the match criteria for the IP address:

      • Match only source IP address.
      • Match only destination IP address.
      • Match source or destination IP address.
      • Match source and destination IP address.
      Logging (Enabled/Disabled)

      Enable this option to generate IP-filtering log entries for sessions that match an allow-listed IP address.
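The following is an added example, not Versa code, showing how the Deny & Allow List step evaluates a session's IP tuple: each entry form (subnet, range, wildcard), the four "Specify the Match Criteria for IP Address" choices, deny-list precedence over the allow list, and the allow-list Logging toggle. The entry syntax is an assumption, since the page does not give it: CIDR prefixes for subnets, `start-end` for ranges, and `address/wildcard-mask` for wildcards where a 1 bit in the mask is a don't-care bit. Logging behaviour for actions other than Alert, Allow and Block is also not stated on the page and is assumed here. All addresses are constructed sample data.

```python
"""Added example (not Versa code): Deny & Allow List matching for an IP-filtering profile."""
import ipaddress
from dataclasses import dataclass, field

MATCH_MODES = ("source", "destination", "source-or-destination", "source-and-destination")

# The page says Alert and Block write an IP-filtering log entry and Allow does not;
# logging for the other actions is not specified, so only these two count as logged here.
LOGGED_ACTIONS = {"Alert", "Block"}


def _addr(ip):
    """Accept either an address string or an ipaddress object."""
    return ip if isinstance(ip, (ipaddress.IPv4Address, ipaddress.IPv6Address)) else ipaddress.ip_address(ip)


def parse_entry(text):
    """Turn one list entry into a predicate over an ipaddress object.

    Assumed syntax: "start-end" is an IP Range, "address/wildcard-mask" is an IP Wildcard
    (a 1 bit in the mask means "don't care"), "prefix/len" is an IPv4/IPv6 Subnet, and a
    bare address matches only itself. Addresses of the other IP version never match.
    """
    if "-" in text:                                            # IP Range
        lo, hi = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"bad range: {text}")
        return lambda ip: ip.version == lo.version and lo <= ip <= hi
    if "/" in text:
        base, mask = text.split("/", 1)
        if "." in mask or ":" in mask:                         # IP Wildcard
            b, w = ipaddress.ip_address(base), ipaddress.ip_address(mask)
            if b.version != w.version:
                raise ValueError(f"bad wildcard: {text}")
            care = ~int(w)                                     # bits that must be equal
            return lambda ip: ip.version == b.version and (int(ip) & care) == (int(b) & care)
        net = ipaddress.ip_network(text, strict=False)         # IPv4/IPv6 Subnet
        return lambda ip: ip in net                            # False across versions
    host = ipaddress.ip_address(text)                          # single address
    return lambda ip: ip == host


@dataclass
class AddressList:
    """One tab of the Deny & Allow List step (Deny List or Allow List)."""
    action: str                              # Security Action (Deny List); "Allow" for the Allow List
    match: str                               # one of MATCH_MODES
    entries: list = field(default_factory=list)
    logging: bool = False                    # Allow List "Logging" toggle

    def __post_init__(self):
        if self.match not in MATCH_MODES:
            raise ValueError(f"unknown match criterion: {self.match}")
        self._preds = [parse_entry(e) for e in self.entries]

    def _hit(self, ip):
        return any(pred(ip) for pred in self._preds)

    def matches(self, src, dst):
        s, d = self._hit(_addr(src)), self._hit(_addr(dst))
        return {"source": s, "destination": d,
                "source-or-destination": s or d,
                "source-and-destination": s and d}[self.match]


def evaluate(deny, allow, src, dst):
    """Return (action, logged) for one session's IP tuple.

    A deny-list match wins over an allow-list match, as the page states. When neither
    list matches, the result is (None, False): the session falls through to the
    profile's later steps (geo, reputation, default enforcement).
    """
    if deny.matches(src, dst):
        return deny.action, deny.action in LOGGED_ACTIONS
    if allow.matches(src, dst):
        return "Allow", allow.logging
    return None, False


# Constructed sample profile using documentation address ranges.
DENY = AddressList("Block", "source-or-destination",
                   ["203.0.113.0/24",                          # subnet
                    "198.51.100.10-198.51.100.20",             # range
                    "10.0.0.0/0.255.0.255"])                   # wildcard: 10.*.0.*
ALLOW = AddressList("Allow", "destination",
                    ["203.0.113.50", "2001:db8::/32"], logging=True)

if __name__ == "__main__":
    for s, d in [("10.1.1.1", "203.0.113.50"),        # on both lists: deny wins
                 ("10.1.1.1", "2001:db8::10"),         # allow list, logged
                 ("198.51.100.15", "192.0.2.7"),       # deny range on source
                 ("10.77.0.5", "192.0.2.7"),           # deny wildcard on source
                 ("10.77.1.5", "192.0.2.7")]:          # nothing matches
        print(f"{s} -> {d}: {evaluate(DENY, ALLOW, s, d)}")
```

The first sample session is the one worth testing in a real profile: 203.0.113.50 is explicitly allow-listed but sits inside a deny-listed /24, and the deny action still fires.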
  4. Click Next to go to step 2, Geo IP-Based Actions.
  5. To add actions for IP filtering based on geographic location, click Add Geo Location, and then enter information for the following fields.

    Field Description

    Location Name

    Enter a name for the geographic region that you want to define for the profile.
    Security Action

    Select the action to enforce on IP addresses that match this geographic region. The choices (Alert, Allow, Ask, Block, Drop Packet, Drop Session, Justify, and Reject) behave as described for the Security Action field in the Deny List table in Step 3.

    • + Create New—Click to create a new Security Action object. See the Security Actions section in Configure Reusable Objects.
    Specify the Match Criteria for IP Address

    Select the match criteria for the IP address:

    • Match only source IP address.
    • Match only destination IP address.
    • Match source or destination IP address.
    • Match source and destination IP address.
    Select Country

    Select one or more countries to define the geographic region.

    • Negate Selection
    Click to invert the selection so that the rule matches all countries except the selected ones.
  6. Click Add.
  7. Click Next to go to step 3, Reputation-Based Actions.
  8. To add actions for IP-filtering based on reputation, click Add Reputation, and then enter information for the following fields.

    Field Description

    Reputation Name (Required)

    Enter a name for the reputation that you want to define for the profile.
    Action

    Select the action to enforce on IP addresses that match the selected reputations. The choices (Alert, Allow, Ask, Block, Drop Packet, Drop Session, Justify, and Reject) behave as described for the Security Action field in the Deny List table in Step 3.

    • + Create New—Click to create a new Security Action object. See the Security Actions section in Configure Reusable Objects.
    Specify the Match Criteria for IP Address

    Select the match criteria for the IP address:

    • Match only source IP address.
    • Match only destination IP address.
    • Match source or destination IP address.
    • Match source and destination IP address.
    Reputation

    Select one or more reputation categories to match:

    • Botnets
    • Cloud providers
    • Denial of service
    • Mobile threats
    • Network
    • Phishing
    • Proxy
    • Reputation
    • Scanners
    • Spam sources
    • TOR proxy
    • Web attacks
    • Windows exploits
  9. Click Add.
  10. Click Next to go to step 4, Address Reverse Lookup.
  11. Address reverse lookup resolves the addresses in a session's IP tuple (source IP address and destination IP address) to domain names. You can then apply a URL-filtering profile to the resolved domain and use it in conjunction with host reputation-based actions for traffic that is not HTTP or HTTPS (for example, FTP traffic), where there is no URL to inspect directly.

    To configure an address reverse lookup, enter information for the following fields.

    Field Description
    URL Filtering Profile

    Select the URL-filtering profile to apply to the domain returned by the reverse lookup. For more information, see Configure Custom URL-Filtering Profiles.
    Specify the match criteria for the IP address

    Select the address type on which to perform a reverse lookup:

    • Match only source IP address.
    • Match only destination IP address.
    • Match source and destination IP address.
  12. Click Next to go to step 5, Enforcement.
  13. Select the default action to enforce when a session matches none of the criteria in the profile.

    Field Description
    Security Action

    Select the default action to enforce when a session matches none of the criteria in the profile. The choices (Alert, Allow, Ask, Block, Drop Packet, Drop Session, Justify, and Reject) behave as described for the Security Action field in the Deny List table in Step 3.

    • + Create New—Click to create a new Security Action object. See the Security Actions section in Configure Reusable Objects.
    Prioritize URL Reputation

    Click to give URL reputation priority over IP reputation. Instead of blocking a session in IP filtering because of its IP reputation, the session is evaluated further by URL filtering. URL reputation is tied to the actual website, whereas a single IP address may host many sites, so an IP-filtering profile that blocks on IP reputation alone can block legitimate websites. When the URL reputation meets the threshold set in the URL Reputation Priority field, it overrides the IP reputation action.
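The following is an added example, not Versa code, that ties together the Geo IP-Based Actions (step 2), Reputation-Based Actions (step 3) and Enforcement (step 5) parts of the profile: Negate Selection on a geo rule, reputation categories from the feed, the default action, and the Prioritize URL Reputation threshold. The geolocation table and reputation feed are constructed stand-ins for the real lookups, the evaluation order (geo, then reputation, then default) is assumed from the wizard's step order, the behaviour of a negated geo rule for an address with no known location is assumed, and the scale of the URL Reputation Priority value is assumed.

```python
"""Added example (not Versa code): geo, reputation and default enforcement of an IP-filtering profile."""
import ipaddress
from dataclasses import dataclass

# Constructed stand-ins for the geolocation database and the Versa IP reputation feed.
# Real lookups are assumed to yield a country code and a set of the categories listed on the page.
GEO_DB = {"203.0.113.0/24": "RU", "198.51.100.0/24": "US", "192.0.2.0/24": "DE"}
REPUTATION_FEED = {
    "203.0.113.7": {"Botnets", "Scanners"},
    "198.51.100.99": {"TOR proxy"},
    "192.0.2.33": {"Cloud providers"},
}


def country_of(ip):
    """Country code for an address, or None when the location is unknown."""
    for net, cc in GEO_DB.items():
        if ip in ipaddress.ip_network(net):
            return cc
    return None


def reputations_of(ip):
    return REPUTATION_FEED.get(str(ip), set())


def _select(match, s, d):
    """Apply the 'Specify the Match Criteria for IP Address' choice to per-address hits."""
    return {"source": s, "destination": d,
            "source-or-destination": s or d,
            "source-and-destination": s and d}[match]


@dataclass
class GeoRule:                      # one "Add Geo Location" entry
    name: str
    action: str
    match: str
    countries: set
    negate: bool = False            # Negate Selection: match every country except these

    def matches(self, src, dst):
        def hit(ip):
            cc = country_of(ip)
            if cc is None:          # assumption: an address with no known location
                return False        # never matches a geo rule, negated or not
            return (cc in self.countries) != self.negate
        return _select(self.match, hit(src), hit(dst))


@dataclass
class ReputationRule:               # one "Add Reputation" entry
    name: str
    action: str
    match: str
    categories: set

    def matches(self, src, dst):
        hit = lambda ip: bool(reputations_of(ip) & self.categories)
        return _select(self.match, hit(src), hit(dst))


@dataclass
class Enforcement:                  # step 5 settings
    default_action: str
    prioritize_url_reputation: bool = False
    url_reputation_threshold: int = 0   # URL Reputation Priority value (scale assumed)


def evaluate(profile, src, dst, url_reputation=None):
    """Return (action, rule_name) for one session.

    Order is assumed from the wizard: geo rules, then reputation rules, then the
    default action. url_reputation is the score URL filtering gave the session's
    URL, if any; when it meets the threshold and Prioritize URL Reputation is on,
    the reputation action is not applied and URL filtering decides instead.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    enf = profile["enforcement"]
    for rule in profile["geo"]:
        if rule.matches(src, dst):
            return rule.action, rule.name
    for rule in profile["reputation"]:
        if rule.matches(src, dst):
            if (enf.prioritize_url_reputation and url_reputation is not None
                    and url_reputation >= enf.url_reputation_threshold):
                return "URL-filtering", rule.name   # defer to the URL-filtering profile
            return rule.action, rule.name
    return enf.default_action, "default"


# Constructed sample profile.
PROFILE = {
    "geo": [GeoRule("block-ru", "Block", "source-or-destination", {"RU"}),
            GeoRule("alert-non-us-dst", "Alert", "destination", {"US"}, negate=True)],
    "reputation": [ReputationRule("bad-actors", "Drop Session", "source-or-destination",
                                  {"Botnets", "Scanners", "TOR proxy", "Web attacks"})],
    "enforcement": Enforcement("Allow", prioritize_url_reputation=True, url_reputation_threshold=80),
}

if __name__ == "__main__":
    for s, d, u in [("10.1.1.1", "203.0.113.7", None), ("10.1.1.1", "198.51.100.99", None),
                    ("198.51.100.99", "198.51.100.5", 90), ("198.51.100.99", "198.51.100.5", 40),
                    ("10.1.1.1", "8.8.8.8", None)]:
        print(f"{s} -> {d} (url reputation {u}): {evaluate(PROFILE, s, d, u)}")
```

Note the two sessions from the TOR-listed source: with a URL reputation of 90 the profile hands the session to URL filtering, and with 40 it applies the Drop Session action. Whether an address with no geolocation should match a negated country rule is a policy decision to confirm against the product's actual behaviour before relying on it.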
  14. Click Next to go to step 6, Permissions.
  15. The permission for each role is selected by default, and you can update it. To change permissions for a role, select or deselect the Create, Read, Update, and Delete fields for the role.
  16. Click Next to go to step 7, Review and Submit.
  17. Enter a name for the IP-filtering profile. You can also enter a description and tags. A tag is an alphanumeric descriptor, with no white spaces or special characters, that you can use to search the objects.

  18. To enable logging, click the Enable Logging toggle, and then select a logging profile that indicates where to forward the logs. 
    • Use Default—Click to use the default logging profile.
    • Custom—Click to use a custom logging profile, and then select a profile in the drop-down list. To create a custom profile, select + Create New. See the Logging Profiles section in Configure Reusable Objects.
  19. For all other sections, review the information. If you need to make changes, click the Edit icon.
  20. Click Submit to create the IP-filtering profile.

Supported Software Information

Releases 13.1.1 and later support all content described in this article.