Configure Network Firewall

Objective

This document provides instructions on how to create and apply a policy-based network firewall on a fleet. The network firewall consists of policies or access control lists that either allow or block traffic based on configuration. To know more, see Network Firewall.

Using the instructions provided in this document, you can create a network firewall and apply it to a Volterra fleet of sites.


Prerequisites

  • VES account

    Note: If you do not have an account, see Create a VES Account.

  • One or more cloud or edge locations with a Volterra Site

    Note: Install the Volterra node or cluster image in your cloud or edge location. For more information, see Create a Site.

  • A Volterra fleet of sites

    Note: If you do not have an existing fleet, see Create a Fleet.


Configuration

The following image shows the configuration workflow for creating a network firewall:

Figure: Network Firewall Configuration Workflow

Configuration Sequence

Configuring the network firewall requires performing the following sequence of actions:

Phase | Description
Create Network Policy Set | Create a network policy set with policies that define the network rules.
Create Forward Proxy Policy Set | Create forward proxy policy set with the service policies that define the rules for the application traffic.
Create Fast ACL Set | Create Volterra fast ACL set that defines the regulation of the traffic between source and destination.
Create Network Firewall | Create network firewall with the network policy set, forward proxy policy set, and Fast ACL.
Add Network Firewall to Fleet | Apply the network firewall to the fleet to protect the sites that are part of the fleet.

Note: Creation of the network policy set, forward proxy policy set, or fast ACL set is optional. However, it is recommended to protect your network by creating at least one of the sets.


Create Network Policy Set

Creating a network policy set consists of creating one or more network policy rules, creating one or more network policies with the rules, and associating the policy set with the policies. For detailed instructions, see Configure a Network Policy.

Step 1: Log into the VoltConsole and select the desired namespace or create a namespace. Select Security from the configuration menu and Network Security from the options pane.

Step 2: Select Network Policy Rules and click Add network policy rule. Create the rule by configuring the network prefix to which you want to apply the rule and selecting the allow or deny action. It is recommended to create one or more rules so that you can define actions for ingress and egress traffic.

Step 3: Select Network Policies and click Add network policy. Create the policy defining the local endpoints and applying the rules created in Step 2.

Note: You can create one or more policies depending on your requirement.

Step 4: Select Network Policy set and click Add network policy set. Create the network policy set applying the policies configured in Step 3.


Create Forward Proxy Policy Set

Creating a forward proxy policy set consists of creating one or more service policy rules, creating one or more service policies with the rules, and associating the service policy set with the policies. For detailed instructions, see Configure a Service Policy.

Step 1: Log into the VoltConsole and select the desired namespace or create a namespace. Select Security from the configuration menu and Network Security from the options pane.

Step 2: Select Service Policy Rules and click Add service policy rule. Create the rule by configuring the properties of the client application to which you want to apply the rule and selecting the allow or deny action. You can create one or more rules to define controls for different clients.

Note: Configure client properties such as name, domain, HTTP or HTTPS headers, AS, etc. These are used as the match criteria in allowing or denying requests from a specific client.

Step 3: Select Service Policies and click Add service policy. Create the policy defining your application origin server properties and applying the rules created in Step 2.

Note: You can create one or more policies depending on your requirement.

Step 4: Select Service Policy set and click Add service policy set. Create the service policy set applying the policies configured in Step 3.


Create Fast ACL Set

Creating a fast ACL set consists of creating one or more fast ACL rules, creating one or more fast ACLs with the rules, and associating the fast ACL set with the fast ACLs. For detailed instructions, see Configure Fast ACLs.

Step 1: Log into the VoltConsole and select Security from the configuration menu. Select Fast ACL Rules under the Network Security in the options. Click Add fast ACL rule. The Fast ACL rule creation form loads.

Step 2: Create a fast ACL rule with an IP prefix or IP prefix set for the source and a Deny or Allow action. Create one or more rules as per your requirement.

Note: The Allow and Deny actions are part of the Simple Action option. You can apply more actions using the Policer Action or Protocol Policer Action options.

Step 3: Select Fast ACLs and click Add fast ACL. Select a virtual network type and destination type. Apply the rules created in Step 2 and create the fast ACL. Create one or more fast ACLs depending on your requirement.

Step 4: Select Fast ACL Sets and click Add fast ACL set. Create the fast ACL set applying the fast ACLs created in Step 3.


Create Network Firewall

Perform the following to create the network firewall with the network policy set, service policy set, and fast ACL set:

Step 1: Log into the VoltConsole and select Security from the configuration menu. Select Network Firewall under the Firewall in the options. Click Add network firewall to open the network firewall creation form.

Step 2: Set a name in the Metadata section. Configure the Select Forward Policy Configuration field in the Forward Proxy Policy section as per the following guidelines:

  • Select Active Forward Proxy Policies to apply a specific active forward proxy policy created in the Create Forward Proxy Policy Set chapter. Select the policy in the Forward Proxy Policies field.
  • Select Forward Proxy (Service) Policy Set (Legacy) to apply the forward proxy policy set created in the Create Forward Proxy Policy Set chapter. Select the policy set in the Forward Proxy (Service) Policy Set (Legacy) field.

Note: You can use Add item to add more than one policy or policy set.

Step 3: Configure Select Network Policy Configuration in the Network Policy section as per the following guidelines:

  • Select Active Network Policies to apply a specific active network policy created in the Create Network Policy Set chapter. Select the policy in the Network Policy field.
  • Select Network Policy Set (Legacy) to apply the network policy set created in the Create Network Policy Set chapter. Select the policy set in the Network Policy Set (Legacy) field.

Note: You can use Add item to add more than one policy or policy set.

Figure: Network Firewall Forward Proxy and Network Policy Selection

Step 4: Configure Select Fast ACL Configuration in the Fast Acl section as per the following guidelines:

  • Select Active Fast ACL(s) to apply a specific active fast ACL created in the Create Fast ACL Set chapter. Select the fast ACL in the Fast ACL(s) field.
  • Select Fast ACL Set (Legacy) to apply the fast ACL set created in the Create Fast ACL Set chapter. Select the fast ACL set in the Fast ACL Set (Legacy) field.

Note: You can use Add item to add more than one fast ACL or fast ACL set.

Figure: Network Firewall Fast ACL Selection

Step 5: Click Continue to complete creating the network firewall.
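
A review check that can be run over a firewall definition before it is applied to a fleet, given here as an added example that is not part of the original document or of Volterra's tooling. The dictionary layout and field names (network_policies, forward_proxy_policies, fast_acls, rules, prefix, action) are a hypothetical local model of the rule, policy and firewall hierarchy described above, not the VoltConsole or API schema, and only the Simple Action (allow or deny) case is modelled.

```python
import ipaddress

ACTIONS = {"allow", "deny"}  # Simple Action values named on this page
KINDS = ("network_policies", "forward_proxy_policies", "fast_acls")  # hypothetical keys


def lint_firewall(fw):
    """Return a list of findings for a firewall described as a plain dict."""
    findings = []
    # The page recommends attaching at least one of the three kinds of policy.
    if not any(fw.get(kind) for kind in KINDS):
        findings.append("firewall: no network policy, forward proxy policy or fast ACL attached")
    for kind in KINDS:
        for policy in fw.get(kind, []):
            name = f"{kind}/{policy.get('name', '?')}"
            rules = policy.get("rules", [])
            if not rules:
                findings.append(f"{name}: policy has no rules")
            for i, rule in enumerate(rules):
                where = f"{name}/rule[{i}]"
                action = rule.get("action")
                if action not in ACTIONS:
                    findings.append(f"{where}: action must be allow or deny")
                prefix = rule.get("prefix")
                if prefix is None:
                    continue  # service policy rules match on client properties
                try:
                    # strict=True rejects host bits, e.g. 192.168.1.10/24
                    net = ipaddress.ip_network(prefix, strict=True)
                except ValueError:
                    findings.append(f"{where}: invalid prefix {prefix!r}")
                    continue
                if net.prefixlen == 0 and action == "allow":
                    findings.append(f"{where}: allows the entire address space")
    return findings


# Constructed sample definition, not taken from a real deployment.
SAMPLE = {
    "name": "fleet-fw",
    "network_policies": [{"name": "np-ingress", "rules": [
        {"prefix": "10.0.0.0/8", "action": "allow"},
        {"prefix": "0.0.0.0/0", "action": "allow"},
        {"prefix": "192.168.1.10/24", "action": "deny"},
    ]}],
    "forward_proxy_policies": [{"name": "fp-empty", "rules": []}],
    "fast_acls": [],
}

if __name__ == "__main__":
    print("\n".join(lint_firewall(SAMPLE)))
```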


Add Network Firewall to Fleet

Step 1: Select the system namespace. Select Manage from the configuration menu and select Site Management from the options pane. Select Fleets.

Step 2: Find the fleet for which you want to apply the network firewall and click ...->Edit.

Step 3: Click Select network firewall in the Network Firewall field. Select the firewalls from the list displayed in the form and click Select network firewall to apply the network firewall to the fleet.

Figure: Fleet Network Firewall Selection

Step 4: Click Save Changes to update the fleet configuration.

Figure: Fleet Network Firewall Updation

