This guide provides instructions on how to create a Network Firewall using the guided wizards in VoltConsole. For more information on Volterra site, see Volterra Site.
A Network Firewall is comprised of three elements:
- A Forward Proxy Policy - L7 Policies applied when the Volterra gateway is used in transit
- A Network Policy - L3-4 Policies applied to traffic ingressing, egressing or originated on the Volterra Gateway
- Fast ACL - Set of rules to protect your Volterra Gateway
Using the instructions provided in this guide, you will be able to create a Network Firewall, with all its elements, and apply it to your site or fleet of sites.
Note: If you do not have an account, see Create a Volterra Account.
Note: For more information, see Site Management.
The following video shows how to create a Network Firewall and apply it to your fleet of gateways:
Configuring the network firewall requires performing the following sequence of actions:
| Action | Description |
|---|---|
| Create a Network Firewall | Create a network firewall with policies and fast ACLs that define the network rules. |
| Apply Network Firewall on Fleet | Apply the network firewall to the fleet to protect the sites that are part of the fleet. |
Note: Creation of the network policy set, forward proxy policy set, or fast ACL set is optional. However, it is recommended to protect your network by creating at least one of the sets.
Create Network Firewall
Perform the following to create the network firewall with the network policy set, service policy set, and fast ACL set:
Step 1: Log into the VoltConsole and start Network Firewall object creation.
Select Security from the configuration menu in the system namespace. Select Network Firewall from the options. Click Add network firewall.
Step 2: Configure Forward Proxy Policies.
In the Forward Proxy Policy section, perform the following:
Step 2.1: Select and create Forward Proxy Policies.
- Select a forward Policy Configuration in the drop-down menu.
- Create a new Forward Proxy Policy from the new submenu Forward Proxy Policies and configure a new Policy as per the following guidelines:
For the Select Forward Proxy option, you can select between:
- All proxies on site - All the proxies configured
- Network Connector - Specific Network Connector
- Network Connector Label Selector - Label that selects Network Connector
For the Select Policy Rules option, you can select between:
- Allow all connections - Allows all traffic
- Allowed connections - connections to allow, everything else is denied
- Denied connections - connections to deny, everything else will be allowed
- Custom rule list - List of custom rules
- Configure TLS Domains or HTTP URLs (or both) in the designated sections, to select the domains to comply with the rule you defined before.
Step 3: Configure Network Policies.
In the Network Policy Configuration section, perform the following:
Step 3.1: Select and create Network Policies.
- Select a Network Policy Configuration in the drop-down menu.
- Create a new Network Policy from the new submenu Select network Policy and configure a new Policy as per the following guidelines:
For the Select Endpoint option, you can select between:
- IP Prefix List
- Any Endpoints
- Endpoints reachable via all Outside Interfaces
- Endpoints reachable via all Inside Interfaces
- Label Selector - a Label that identifies an Endpoint
Egress Rules (or both) to define the direction in which you want to apply your policies.
Note: When you create an active network policy, an implicit DENY ALL rule is inserted at the end. So if you are selecting traffic to DENY and you want everything else to be allowed, make sure to create, at the end of your policies, one last policy which allows ALL traffic.
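The effect of the implicit DENY ALL described in the note, as an added example that is not part of the original guide and does not use Volterra's API or rule format. It assumes rules are (action, destination prefix) pairs evaluated top to bottom with the first match winning, shows why a deny-only list drops everything, and flags a missing or misplaced allow-all.

```python
import ipaddress

# Constructed model: (action, destination prefix) pairs evaluated top to bottom.
# The rule shape and first-match order are assumptions, not VoltConsole's schema.
ANY = "0.0.0.0/0"
CATCH_ALL = ("ALLOW", ANY)

def evaluate(rules, dst_ip):
    """Return the action of the first rule whose prefix contains dst_ip."""
    addr = ipaddress.ip_address(dst_ip)
    for action, prefix in rules:
        if addr in ipaddress.ip_network(prefix):
            return action
    return "DENY"  # the implicit DENY ALL at the end of an active policy

def lint(rules):
    """Report rule lists whose effect likely differs from the author's intent."""
    findings = []
    if rules and all(action == "DENY" for action, _ in rules):
        findings.append("deny-only list: implicit DENY ALL also drops all other traffic")
    if CATCH_ALL in rules:
        later = rules[rules.index(CATCH_ALL) + 1:]
        dead = [r for r in later if r[0] == "DENY"]
        if dead:
            findings.append(f"allow-all precedes {len(dead)} DENY rule(s) that never match")
    return findings

# Constructed sample policies (documentation and private address ranges).
DENY_ONLY = [("DENY", "10.20.0.0/16"), ("DENY", "192.0.2.0/24")]
FIXED = DENY_ONLY + [CATCH_ALL]        # trailing allow-all, as the note advises
MISORDERED = [CATCH_ALL] + DENY_ONLY   # allow-all placed first by mistake

if __name__ == "__main__":
    for name, rules in [("DENY_ONLY", DENY_ONLY), ("FIXED", FIXED), ("MISORDERED", MISORDERED)]:
        verdicts = {ip: evaluate(rules, ip) for ip in ("10.20.1.5", "198.51.100.7")}
        print(name, verdicts, lint(rules))
```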
Apply Network Firewall on Fleet
When your network firewall is configured, you will need to apply it on your fleet so that the sites on that fleet are configured with the network firewall defined.
Perform the following to apply the Network Firewall to the fleet:
- Navigate to
- Find your Fleet and click
Step 1: Select the system namespace. Select Manage from the configuration menu and select Site Management from the options pane. Select
Step 2: On the fleet object, scroll to the bottom to find select network firewall object.
Step 3: Select the Network Firewall you just created and apply it to your fleet.
Step 4: Click Save and Exit.