Forward Proxy Policies

Objective

This guide provides instructions on how to create a forward proxy policy using the guided wizards in VoltConsole. Forward proxy policies are applied when the Volterra gateway is used in transit.

Using the instructions provided in this document, you can create forward proxy policies with policy rules controlling the traffic to secure your network.


Prerequisites


Configuration



Create Forward Proxy Policy

Log into VoltConsole and perform the following:

Step 1: Navigate to network policy configuration and start creating a policy.
  • Select Security -> Firewall -> Forward Proxy Policies in the System namespace.
  • Click Add forward proxy policy. Set a name in the Metadata section.
Step 2: Configure proxy.
  • For the Select Forward Proxy option, you can select between:

    • All proxies on site - All the proxies configured
    • Network Connector - Specific Network Connector
    • Network Connector Label Selector - Label that selects Network Connector

Figure: Endpoint selection - IPv4 Prefix List and the prefix

Step 3: Configure policy rules.

For the Select Policy Rules option, you can select between:

Allow all connections

This option allows all traffic.

Allowed connections - connections to allow, everything else is denied.

Configure the connections as per the following guidelines:

  • TLS Domains - Click Configure and Add item. Select an option from the drop-down list of the Enter Domain field and set an HTTPS domain in the displayed option. You can specify the exact domain name or a suffix, or specify a regular expression to match domains. Click Apply.
  • HTTP URLs - Click Configure and Add item. Select an option from the drop-down list of the Enter Domain field and set an HTTP URL in the displayed option. You can specify the exact domain name or a suffix, or specify a regular expression to match HTTP URLs. Click Apply.

Denied connections - connections to deny, everything else will be allowed.

Configure the connections as per the following guidelines:

  • TLS Domains - Click Configure and Add item. Select an option from the drop-down list of the Enter Domain field and set an HTTPS domain in the displayed option. You can specify the exact domain name or a suffix, or specify a regular expression to match domains. Click Apply.
  • HTTP URLs - Click Configure and Add item. Select an option from the drop-down list of the Enter Domain field and set an HTTP URL in the displayed option. You can specify the exact domain name or a suffix, or specify a regular expression to match HTTP URLs. Click Apply.

Custom rule list - List of custom rules.

Click Configure and configure the custom rules as per the following guidelines:

  • Click Add item and enter a name in the Rule Name field.
  • Select the allow or deny option for the Action field.
  • Select an option for the Select Source connections field as per the following guidelines:

    • Select All Source to apply the rule to all source endpoints.
    • Select IPv4 Prefix List to specify IPv4 prefixes and enter the prefixes in the IPv4 Prefix List field. You can use Add item to add more than one list.
    • Select Source Label Selector and enter a label in the Selector Expression field. The key-value combination of the label determines the source endpoints.
    • Select IP Prefix Set to specify a prefix set and select the prefix set from the drop-down list for the IP Prefix Set field. You can also create a new prefix set using the Create new ip prefix set option in the drop-down list.
  • Select an option for the Destination Choice field as per the following guidelines:

    • Select All Destinations to apply the rule to all destination endpoints.
    • Select TLS Domains to specify the HTTPS domains to which the rule applies. Click Configure and Add item. Select an option from the drop-down list of the Enter Domain field and set an HTTPS domain in the displayed option. You can specify the exact domain name or a suffix, or specify a regular expression to match domains. Click Apply.
    • Select HTTP URLs to specify the HTTP URLs to which the rule applies. Click Configure and Add item. Select an option from the drop-down list of the Enter Domain field and set a URL in the displayed option. You can specify the exact URL or a suffix, or specify a regular expression to match the URL. Click Apply.
  • Click Apply to apply the custom rule list to the forward proxy policy configuration.

Note: You can add more rules using the Add item option.

This example shows denied connections.

Figure: Policy Rules Configuration

Figure: TLS Domains for Deny Connections

Step 4: Complete forward proxy policy creation.

Click Save and Exit. Verify that the forward proxy policy is displayed on the Security -> Firewall -> Forward Proxy Policy view.

Step 5: Attach the policy to the network firewall.

After creating the forward proxy policy, you can attach it to the network firewall.

  • Select Security -> Firewall -> Network Firewall in the System namespace.
  • Click ... -> Edit for your firewall from the displayed list.
  • Go to the Forward Proxy Policy Configuration section and select Active Forward Proxy Policies in the Select Forward Proxy Policy Configuration field.
  • Select the created forward proxy policy from the drop-down list for the Forward Proxy Policy field.

Note: You can add multiple policies using the Add item option.

Step 6: Verify the forward proxy policy operation.
  • Select Security -> Firewall -> Forward Proxy Policy in the System namespace.
  • Check the Hits field for the displayed list of forward proxy policies. This indicates how many times the network policy is applied to the traffic.

Figure: Policy Hits

  • Click on the value of Hits to display which rules are applied and how many times they are applied.

Note: You can obtain the policy or rule hits over a specific time interval using the time interval selector option.
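One way to check patterns before entering them in Step 3, as an added example that is not VoltConsole or Volterra code: it models the defaults of the Allowed connections and Denied connections options and a custom rule list with an IPv4 prefix source. The function names, the plain string-suffix test, whole-name regular expression matching and first-match rule ordering are assumptions; the domains and addresses are constructed.

```python
import ipaddress
import re

# Added model of the Step 3 options; hypothetical names, not VoltConsole code.
# Assumptions: a suffix is a plain string-suffix test, a regular expression
# must match the whole host name, and custom rules are checked in list order.
def domain_matches(kind, pattern, host):
    host = host.lower().rstrip(".")
    if kind == "exact":
        return host == pattern.lower()
    if kind == "suffix":
        return host.endswith(pattern.lower())
    if kind == "regex":
        return re.fullmatch(pattern, host, re.IGNORECASE) is not None
    raise ValueError(f"unknown matcher kind: {kind}")

def list_verdict(mode, domains, host):
    """Allowed connections: default deny. Denied connections: default allow."""
    hit = any(domain_matches(k, p, host) for k, p in domains)
    if mode == "allowed":
        return "allow" if hit else "deny"
    if mode == "denied":
        return "deny" if hit else "allow"
    raise ValueError(f"unknown mode: {mode}")

def custom_verdict(rules, src_ip, host):
    """First matching custom rule wins; None means no rule matched."""
    addr = ipaddress.ip_address(src_ip)
    for rule in rules:
        src_ok = rule["prefixes"] is None or any(
            addr in ipaddress.ip_network(p) for p in rule["prefixes"])
        dst_ok = rule["domains"] is None or any(
            domain_matches(k, p, host) for k, p in rule["domains"])
        if src_ok and dst_ok:
            return rule["name"], rule["action"]
    return None

# Constructed sample data (documentation-reserved names and addresses).
DENY = [("suffix", "example.com"), ("regex", r"ads\d+\.example\.net")]
RULES = [
    {"name": "lab-updates", "action": "allow", "prefixes": ["192.0.2.0/24"],
     "domains": [("exact", "updates.example.org")]},
    {"name": "block-rest", "action": "deny", "prefixes": None, "domains": None},
]

if __name__ == "__main__":
    for h in ("www.example.com", "notexample.com", "example.org"):
        print(h, list_verdict("denied", DENY, h))
    print(custom_verdict(RULES, "198.51.100.5", "updates.example.org"))
```

Under the string-suffix assumption, the suffix `example.com` also covers `notexample.com`; writing it with a leading dot limits it to subdomains.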


Concepts


API References