# Firewall & Security
RansNet devices include a stateful firewall, web content filtering, and integrated logging — providing perimeter security, access control, and visibility at every site without requiring separate appliances. Security policies are managed centrally through mfusion and pushed to devices, so a consistent posture can be enforced across the entire fleet.
All security configuration is accessible under Device Settings → Security in the mfusion management interface, or via the CLI on each device.
## Security Capabilities
### Stateful Firewall
The firewall inspects traffic by connection state and enforces rules across three policy chains:
- Input — Traffic destined to the device itself (management access such as GUI, SSH, RADIUS).
- Access — Traffic passing through the device between zones/interfaces (the main forwarding policy).
- SNAT/DNAT — Source and destination NAT for outbound masquerading and inbound port forwarding.
Rules are evaluated in order by policy ID, with named objects and reusable templates to keep large rule sets manageable.
### Web Filtering
DNS-based web content filtering blocks access to malicious, inappropriate, or policy-violating domains. This protects users from phishing and malware and helps enforce acceptable-use policies on guest and corporate networks alike.
### Logging and Flow Collection
Devices can forward firewall logs and NetFlow records to a collector for retention, audit, and analysis — supporting security investigation, compliance reporting, and dispute resolution.
## In This Section
| Topic | Description |
|---|---|
| Firewall Overview | Firewall architecture — input, access, and NAT policy chains and how rules are evaluated |
| Firewall Policies | Creating and ordering permit/deny rules across the policy chains |
| Firewall Objects | Reusable address, service, and group objects referenced by rules |
| Firewall Templates | Standardized rule sets pushed to many devices for a consistent posture |
| Web Filtering | DNS-based content filtering to block malicious or policy-violating domains |
| Log Collector | Centralized collection and retention of device security logs |
| NetFlow Collector | Collecting NetFlow records for traffic analysis and security investigation |
## Best Practices
- Never expose management services to WAN — Keep GUI and SSH access restricted to LAN or the management interface.
- Default-deny on forwarding — Permit only the traffic each network actually needs across the access chain.
- Use objects and templates — Reference reusable objects and apply templates so policy changes propagate consistently across the fleet.
- Device hardening — For comprehensive hardening beyond firewall rules, see Device Hardening.
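As an added illustration (not RansNet or mfusion code; the rule representation is hypothetical, since this page does not show the device's own syntax), the following Python model evaluates the input and access chains first-match in policy-ID order, as described under Stateful Firewall, and lints a constructed rule set for the two mistakes the best practices above warn against: management services reachable from WAN and a forwarding chain without default-deny.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    """Hypothetical rule shape; the real device format is not shown on this page."""
    policy_id: int            # chains are evaluated in ascending policy-ID order
    chain: str                # "input" (to the device) or "access" (forwarded)
    src_zone: str             # "lan", "wan", "mgmt", or "any"
    dst_port: Optional[int]   # None matches any port
    action: str               # "permit" or "deny"

MGMT_PORTS = {22: "ssh", 443: "gui"}   # management services named on this page

def evaluate(rules: List[Rule], chain: str, src_zone: str,
             dst_port: Optional[int], default: str = "deny") -> Tuple[str, Optional[int]]:
    """First matching rule in the chain decides; otherwise the implicit default applies."""
    for r in sorted((r for r in rules if r.chain == chain), key=lambda r: r.policy_id):
        if r.src_zone in (src_zone, "any") and r.dst_port in (dst_port, None):
            return r.action, r.policy_id
    return default, None

def lint(rules: List[Rule]) -> List[str]:
    """Report rules that violate the two best practices stated above."""
    findings = []
    for port, name in MGMT_PORTS.items():        # 1. management exposed to WAN?
        action, pid = evaluate(rules, "input", "wan", port)
        if action == "permit":
            findings.append(f"input policy {pid} exposes {name} ({port}/tcp) to WAN")
    # 2. A probe from an unlisted zone on an unspecified port can only match a
    #    catch-all rule; if that rule permits, forwarding is not default-deny.
    action, pid = evaluate(rules, "access", "__probe__", None)
    if action == "permit":
        findings.append(f"access policy {pid} is a catch-all permit; forwarding is not default-deny")
    return findings

# Constructed sample rule set with two deliberate mistakes (policy 20 and 900).
SAMPLE_RULES = [
    Rule(10, "input", "lan", 22, "permit"),
    Rule(20, "input", "any", 443, "permit"),     # GUI reachable from any zone, including WAN
    Rule(30, "input", "any", None, "deny"),
    Rule(100, "access", "lan", 443, "permit"),
    Rule(110, "access", "lan", 53, "permit"),
    Rule(900, "access", "any", None, "permit"),  # catch-all permit instead of default-deny
]
# Corrected set: GUI restricted to LAN, catch-all permit removed.
HARDENED_RULES = [r for r in SAMPLE_RULES if r.policy_id not in (20, 900)] + [
    Rule(20, "input", "lan", 443, "permit")]

if __name__ == "__main__":
    for f in lint(SAMPLE_RULES):
        print("FINDING:", f)
    print("hardened set findings:", lint(HARDENED_RULES))
```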