HSA firewall concept is the same as CMG/HSG, except the configuration syntax are different, and HSA uses GUI but CMG/HSG uses CLI. Refer to this section for mbox firewall concept.
Go to "network --> firewall" to configure HSA firewall settings.
4.1 General setting. This section defines if traffic should be permitted or denied to pass through HSA (similar to CMG firewall-access rules), and this is based on zone setting, eg. all traffic passing between interfaces. This is a quick way to define access policies. To define more granular settings, eg. to restrict access policies for specific source/destination/applications etc, please use "Traffic Rules".
To add new rules, under this section, scroll to the bottom, click on "Add". Give a intuitive name to the policy and tick on the respective network/interface that this policy is covering. Note "Masquerading" is typically required for WAN zone only and is usually configured by default.
Scroll down further to "Inter-Zone Forwarding" to define allowed traffic source zone and permitted destination zone. Similarly, anything not permitted in firewall rules are denied by default. So in here, we just need to defined what are the traffic that needs to be permitted.
Click on "Save & Apply" after changes.
4.2 Port forward. This section configures policies to allow outside users to access internal servers using a specific port, eg. CCTV cameras or email servers etc. It is similar to CMG "firewall-dnat" command. Just follow the GUI hints to configure it.
4.3 Traffic rules. Traffic rules allow granular control for packets coming in/out for traveling through mbox. Unlike basic zoning permission (zone to zone permit/deny), from here you can specify up to source/destination IP addresses, protocols, port no. etc. There're some default rules that permit basic common accesses (eg. DHCP, ping etc), you can modify them and add new rules.
"open ports on router", this option permits management access to the HSG, similar to "firewall-input" rules on CMG.
"New forward rules", this option is similar to inter-zoning passing through rules (as in 4.1 General setting), but it allows more granular control, by specifying source/destination/protocol/ports etc. It's similar to "firewall-access" in CMG.