Network Firewall

Objective

This guide provides instructions on how to create a Network Firewall using the guided wizards in VoltConsole. For more information on Volterra sites, see Volterra Site.

A Network Firewall consists of three elements:

  1. A Forward Proxy Policy - L7 policies applied to traffic that transits the Volterra gateway through its forward proxy
  2. A Network Policy - L3/L4 policies applied to traffic ingressing, egressing, or originating on the Volterra gateway
  3. Fast ACL - a set of rules that protects the Volterra gateway itself

Using the instructions provided in this guide, you will be able to create a Network Firewall with all its elements and apply it to your site or fleet of sites.


Prerequisites


Configuration

The following video shows how to create a Network Firewall and apply it to your fleet of gateways:

Configuration Sequence

Configuring a network firewall requires performing the following sequence of actions:

Phase                              Description
Create a Network Firewall          Create a network firewall with the policies and fast ACLs that define the network rules.
Apply Network Firewall on Fleet    Apply the network firewall to the fleet to protect the sites that are part of the fleet.

Note: Creation of the network policy set, forward proxy policy set, or fast ACL set is optional; a network firewall with none of them enforces nothing. It is recommended to protect your network by creating at least one of the sets.


Create Network Firewall

Perform the following to create the network firewall with the forward proxy policy set, network policy set, and fast ACL set:

Step 1: Log into the VoltConsole and start Network Firewall object creation. Select Security from the configuration menu in the system namespace. Select Firewall -> Network Firewall from the options. Click Add network firewall.

Figure: Add Network Firewall

Step 2: Configure Forward Proxy Policies.

Go to Forward Proxy Policy section and perform the following:

Step 2.1: Select and create Forward Proxy Policies.

  • Select a Forward Proxy Policy Configuration from the drop-down menu.

Figure: Forward Policy Configuration

  • Select Create a new Forward Proxy Policy from the Forward Proxy Policies submenu that appears, and configure the new policy as per the following guidelines:

    • For the Select Forward Proxy option, you can select between:

      • All proxies on site - the policy applies to all forward proxies configured on the site
      • Network Connector - the policy applies to one specific network connector
      • Network Connector Label Selector - the policy applies to the network connectors matched by a label selector

Figure: Proxies on Site Selection

  • For the Select Policy Rules option, you can select between:

    • Allow all connections - allows all traffic
    • Allowed connections - the connections to allow; everything else is denied
    • Denied connections - the connections to deny; everything else is allowed
    • Custom rule list - an ordered list of custom rules

Figure: Selecting Denied Connections on the Policy Rules menu

  • Configure TLS Domains, HTTP URLs, or both in the designated sections to select the domains and URLs that the rule you chose above applies to.

Step 3: Configure Network Policies.

Go to Network Policy Configuration section and perform the following:

Step 3.1: Select and create Network Policies.

  • Select a Network Policy Configuration from the drop-down menu.

Figure: Network Policy Configuration

  • Select Create a new Network Policy from the Select Network Policy submenu that appears, and configure the new policy as per the following guidelines:

    • For the Select Endpoint option, you can select between:

      • IP Prefix List - the endpoints covered by a list of IP prefixes
      • Any Endpoints
      • Endpoints reachable via all Outside Interfaces
      • Endpoints reachable via all Inside Interfaces
      • Label Selector - the endpoints matched by a label selector

Figure: Endpoint selection - IPv4 Prefix List and the prefix

  • Configure Ingress Rules, Egress Rules, or both, according to the direction of traffic the policy should apply to.

Figure: Ingress and Egress rules configurations

Note: When you create an active network policy, an implicit DENY ALL rule is inserted at the end. Rules are evaluated in order and the first match wins, so a policy that lists only the traffic to DENY will also drop everything else. If you want everything not explicitly denied to be allowed, add one final rule that allows ALL traffic after the deny rules. Do not place that allow-all rule before them: it would match first and the deny rules would never be reached.
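The following Python is an added example, not code from this page or from the Volterra platform: it models the rule semantics described in Step 2 (the forward proxy rule modes) and Step 3 (ordered ingress/egress rules with the implicit DENY ALL), so the effect of rule order can be checked against concrete flows before a policy is applied to a fleet. The class and function names, the suffix-wildcard treatment of domain entries, and the sample addresses are assumptions made for illustration.

```python
# Added example, not Volterra/VoltConsole code: a minimal model of the rule
# semantics described on this page. Names, wildcard handling and the sample
# addresses (RFC 5737 documentation ranges) are assumptions for illustration.
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ALLOW, DENY = "allow", "deny"


@dataclass(frozen=True)
class Rule:
    """One L3/L4 rule: an action plus optional remote prefix, ports and protocol."""
    action: str
    prefix: str = "0.0.0.0/0"     # remote IPv4 prefix; the default matches any address
    ports: Tuple[int, ...] = ()   # empty = any destination port
    proto: Optional[str] = None   # None = any protocol

    def matches(self, remote: str, dport: int, proto: str) -> bool:
        if ipaddress.ip_address(remote) not in ipaddress.ip_network(self.prefix):
            return False
        if self.ports and dport not in self.ports:
            return False
        return self.proto is None or self.proto == proto


def first_match(rules: List[Rule], remote: str, dport: int, proto: str) -> str:
    """Rules are evaluated top to bottom and the first match wins; a flow that
    matches nothing falls through to the implicit DENY ALL the note describes."""
    for rule in rules:
        if rule.matches(remote, dport, proto):
            return rule.action
    return DENY


@dataclass
class NetworkPolicy:
    """An endpoint (local IPv4 prefix) with ordered ingress and egress rule lists."""
    endpoint: str
    ingress: List[Rule] = field(default_factory=list)
    egress: List[Rule] = field(default_factory=list)

    def decide(self, src: str, dst: str, dport: int, proto: str = "tcp") -> Optional[str]:
        """ALLOW/DENY for one flow, or None when the endpoint is not part of it."""
        net = ipaddress.ip_network(self.endpoint)
        if ipaddress.ip_address(dst) in net:   # flow arriving at the endpoint
            return first_match(self.ingress, src, dport, proto)
        if ipaddress.ip_address(src) in net:   # flow leaving the endpoint
            return first_match(self.egress, dst, dport, proto)
        return None


def forward_proxy_decide(mode: str, listed: List[str], domain: str) -> str:
    """L7 rule modes from Step 2: 'allow_all'; 'allowed' (listed domains allowed,
    rest denied); 'denied' (listed denied, rest allowed). '*.x' = suffix wildcard."""
    def hit(entry: str) -> bool:
        if entry.startswith("*."):
            return domain == entry[2:] or domain.endswith(entry[1:])
        return domain == entry
    listed_hit = any(hit(e) for e in listed)
    if mode == "allow_all":
        return ALLOW
    if mode == "allowed":
        return ALLOW if listed_hit else DENY
    if mode == "denied":
        return DENY if listed_hit else ALLOW
    raise ValueError(f"unknown forward proxy rule mode: {mode!r}")


# Constructed scenario: protect 10.0.0.0/24 and block SSH from a partner range.
ENDPOINT = "10.0.0.0/24"
BLOCK_PARTNER_SSH = Rule(DENY, prefix="192.0.2.0/24", ports=(22,), proto="tcp")

# Deny-only policy: the implicit DENY ALL also drops the HTTPS flow we wanted.
deny_only = NetworkPolicy(ENDPOINT, ingress=[BLOCK_PARTNER_SSH])
# Deny rule followed by allow-all: "deny the listed traffic, allow the rest".
deny_then_allow = NetworkPolicy(ENDPOINT, ingress=[BLOCK_PARTNER_SSH, Rule(ALLOW)])
# Allow-all placed first shadows the deny rule, so partner SSH gets through.
shadowed = NetworkPolicy(ENDPOINT, ingress=[Rule(ALLOW), BLOCK_PARTNER_SSH])


def demo() -> dict:
    https = ("203.0.113.5", "10.0.0.10", 443)
    ssh = ("192.0.2.7", "10.0.0.10", 22)
    return {
        "deny_only_https": deny_only.decide(*https),              # deny (implicit)
        "deny_then_allow_https": deny_then_allow.decide(*https),  # allow
        "deny_then_allow_ssh": deny_then_allow.decide(*ssh),      # deny
        "shadowed_ssh": shadowed.decide(*ssh),                    # allow (ordering bug)
        "proxy_denied_listed": forward_proxy_decide("denied", ["*.example.net"], "cdn.example.net"),  # deny
        "proxy_denied_other": forward_proxy_decide("denied", ["*.example.net"], "example.org"),       # allow
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} {verdict}")
```

Compare the deny_only and shadowed cases when you run it: the first drops the HTTPS flow the operator meant to permit because nothing matched before the implicit DENY ALL, and the second lets the partner SSH flow through because the allow-all rule was listed before the deny rule. The forward proxy modes behave differently: "Denied connections" carries an explicit allow-everything-else default, so no trailing rule is needed there.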


Apply Network Firewall on Fleet

Once your network firewall is configured, apply it to your fleet so that the sites in that fleet are configured with the network firewall you defined.

Perform the following to apply the Network Firewall to the fleet:

Step 1: Select the system namespace. Select Manage from the configuration menu and Site Management from the options pane. Select Fleets, find your fleet, and click ... -> Edit.

Figure: Fleet Edit

Step 2: In the fleet object, scroll to the bottom to find Network Firewall. Click Select network firewall object.

Figure: Network Firewall Selection

Step 3: Select the Network Firewall you just created and apply it to your fleet.

Figure: Network Firewall Selected

Step 4: Click Save and Exit.

Figure: Save Changes to Fleet


Concepts


API References