Configure a Hardware Firewall

Introduction

A Hardware Firewall (Shared) is a network device that sits upstream from a server. The firewall blocks unwanted traffic before it ever reaches the server, so the server only has to handle 'good' traffic and wastes no resources dealing with the 'bad' traffic. The Hardware Firewall (Shared) leverages a multi-tenant enterprise platform to protect an individual server. It can be purchased with the server or added on later. It delivers virtualized network security through Virtual Domain (VDOM) technology, providing virtualized security domains that are separately provisioned and managed. Because multiple customers share the hardware, if the firewall fails or is overwhelmed by an attack, every customer sharing that Hardware Firewall (Shared) instance may be impacted. Up to 79 firewall rules can be configured for the primary and statically routed IP addresses assigned to the server. Reports for Shared Firewalls are available for the activity of a single IP over a selected date range.

Configuring the firewall is as simple as creating a set of rules that allow access to certain IP addresses and ports from specific Internet addresses while denying traffic from other sources.

Intended Use: Single Server Protection

User Interface: Integrated into SoftLayer Control Portal and SoftLayer API

Features: Stateful Packet Inspection, Ingress Firewall Rules, IPv4, IPv6, Basic Logging

Throughput: 10Mbps, 100Mbps, 1000Mbps, or 2000Mbps (the throughput of the Hardware Firewall (Shared) must match the uplink speed of the server it is being added to)

Adding a Firewall to a Server

To add a firewall to a server, go to Devices > Device List in the customer portal, click the desired server, open Configuration, and at the bottom of the page click Order Hardware Firewall. This begins the order process for a firewall appropriate to the uplink speed of the selected server. If you receive an error, see the "Product Limitations" section below and/or contact SoftLayer support.

Editing Rules

When a firewall is first added to a server, a set of rules is initially put in place that allows all traffic to reach the server. The rules can then be edited to control the traffic reaching the server.

From the device list in the control portal, select the firewall-protected device. Browse to the "Firewall" tab.

Ensure the "status" indicates that the firewall is "Processing All Rules." If the implemented rules have an unintended impact on the environment, users can bypass them by clicking "Bypass Rules" in the "Actions" drop-down.

The page displays blocks showing the current rules in effect for IPv4 and IPv6 addresses. If no rules are implemented, a faded placeholder is displayed. At this point links are available to edit the current rules. This list of rules is known as the 'working config': a set of rules that is in the process of being created but has not yet been applied to the Firewall. A user may edit, add, and delete rules until the rule set is complete. Rules are displayed in the order in which they are processed, with lower-numbered rules taking precedence over higher-numbered rules (if rule 1 allows a packet through, rules 2 and beyond are not evaluated for that packet).

The fields are:

  • Order - This field contains the rule number. Rules can be moved up or down the list with the provided arrows.
  • Action - This select list is used to 'permit' or 'deny' traffic matching this rule.
  • Source - This field can be either 'any', a specific IP address, or the network address of a specific subnet.
  • CIDR - This field indicates the standard CIDR notation for the selected source. "32" applies the rule to a single IP while, for example, "24" applies the rule to 256 IPs.
  • Destination - This field selects the destination IP (see the "Product Limitations" section below if there are issues).
  • CIDR - This field indicates the standard CIDR notation for the selected destination.
  • Port Range - These two fields indicate the range of ports (between 1 and 65535) that the rule applies to.
  • Protocol - This field selects the protocol the rule applies to (TCP/GRE/ICMP/UDP/PPTP/AH/ESP).
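The following is an added example, not SoftLayer's code or the portal's own logic: a small Python model of a working config whose rule fields mirror the columns above. It validates each rule against the limits the page states (at most 79 rules, ports between 1 and 65535, a listed protocol) and evaluates packets with the first-match semantics described, where the lowest-numbered matching rule decides. The server and source addresses are constructed documentation-range values. That the Port Range is matched against the packet's destination port, and only for TCP and UDP, is an assumption; and because the page does not state what happens to a packet that matches no rule, that case is reported as None rather than assumed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_RULES = 79                    # per-firewall limit stated on the page
PORT_PROTOCOLS = {"TCP", "UDP"}   # assumption: only these carry a port range
PROTOCOLS = PORT_PROTOCOLS | {"ICMP", "GRE", "PPTP", "AH", "ESP"}


@dataclass(frozen=True)
class Rule:
    """One row of the working config; fields follow the portal's columns."""
    action: str            # 'permit' or 'deny'
    source: str            # 'any', a host address, or a network address
    source_cidr: int       # prefix length: 32 = one IPv4 host, 24 = 256 addresses
    destination: str       # an IP assigned to the protected server
    destination_cidr: int
    port_start: int        # Port Range, inclusive, 1..65535
    port_end: int
    protocol: str          # TCP/GRE/ICMP/UDP/PPTP/AH/ESP

    def validate(self) -> None:
        if self.action not in ("permit", "deny"):
            raise ValueError(f"bad action {self.action!r}")
        if self.protocol not in PROTOCOLS:
            raise ValueError(f"unsupported protocol {self.protocol!r}")
        if not (1 <= self.port_start <= self.port_end <= 65535):
            raise ValueError("port range must satisfy 1 <= start <= end <= 65535")
        for addr, cidr in ((self.source, self.source_cidr),
                           (self.destination, self.destination_cidr)):
            if addr != "any":
                # strict=False accepts a host address given with a shorter prefix
                ipaddress.ip_network(f"{addr}/{cidr}", strict=False)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str
    dport: int = 0         # ignored for protocols without ports


def _addr_matches(addr: str, cidr: int, candidate: str) -> bool:
    if addr == "any":
        return True
    try:
        net = ipaddress.ip_network(f"{addr}/{cidr}", strict=False)
        return ipaddress.ip_address(candidate) in net
    except ValueError:
        return False       # mixed IPv4/IPv6 or malformed input never matches


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.protocol != pkt.protocol:
        return False
    if rule.protocol in PORT_PROTOCOLS and not (rule.port_start <= pkt.dport <= rule.port_end):
        return False
    return (_addr_matches(rule.source, rule.source_cidr, pkt.src)
            and _addr_matches(rule.destination, rule.destination_cidr, pkt.dst))


def validate_working_config(rules: List[Rule]) -> None:
    """Reject a working config that exceeds the stated limits."""
    if len(rules) > MAX_RULES:
        raise ValueError(f"{len(rules)} rules exceeds the limit of {MAX_RULES}")
    for rule in rules:
        rule.validate()


def evaluate(rules: List[Rule], pkt: Packet) -> Optional[Tuple[int, str]]:
    """First match wins: return (rule number, action), or None if no rule matched.

    The page does not say how a packet matching no rule is treated, so that
    case is reported as None rather than assumed.
    """
    for order, rule in enumerate(rules, start=1):   # Order column, lowest first
        if rule_matches(rule, pkt):
            return order, rule.action
    return None


# Constructed example: server 198.51.100.10, administrators on 203.0.113.0/24
SERVER = "198.51.100.10"
WORKING_CONFIG = [
    Rule("permit", "203.0.113.0", 24, SERVER, 32, 22, 22, "TCP"),    # 1: SSH from admins
    Rule("deny",   "any",          0, SERVER, 32, 22, 22, "TCP"),    # 2: SSH from anyone else
    Rule("permit", "any",          0, SERVER, 32, 80, 80, "TCP"),    # 3: HTTP
    Rule("permit", "any",          0, SERVER, 32, 443, 443, "TCP"),  # 4: HTTPS
]

if __name__ == "__main__":
    validate_working_config(WORKING_CONFIG)
    for pkt in (Packet("203.0.113.5", SERVER, "TCP", 22),
                Packet("192.0.2.7", SERVER, "TCP", 22),
                Packet("192.0.2.7", SERVER, "TCP", 443),
                Packet("192.0.2.7", SERVER, "UDP", 53)):
        print(pkt, "->", evaluate(WORKING_CONFIG, pkt))
```

Rule 2 only ever sees SSH packets that rule 1 did not already permit, which is the precedence behaviour the text describes; swapping the two rows with the Order arrows would block the administrators as well, so the order of a deny relative to its exceptions is worth checking before pressing Update Rules.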

Common Ports

FTP - 21
SSH - 22
Telnet - 23
SMTP - 25
DNS - 53
HTTP - 80
POP3 - 110
IMAP - 143
HTTPS - 443
MSSQL - 1433
MySQL - 3306
Remote Desktop - 3389
PostgreSQL - 5432
VNC Web - 5800
VNC Client - 5900
Urchin - 9999 or 10000

Applying Rules

Once the 'working config' is complete, press the 'Update Rules' button to have the 'working config' applied to the Firewall. The rules should take effect within 2 minutes.

Bypassing the Firewall

To temporarily allow all traffic through the firewall, select Actions -> Set Rule Bypass. This feature is intended for use when there is a suspected issue with the implemented rules. A rule is put in place to allow all traffic to pass through, which takes approximately 2 minutes to take effect. The last set of applied rules is still stored and may be put back into effect at any time by re-applying the configuration. While in bypass mode, the status area on the Firewall management pages displays "Bypassing All Rules."

Viewing Log Reports

Logs are available on a per-IP basis by navigating to the protected device, selecting the Firewall tab, and clicking Actions -> Firewall Logs. Logs are presented in .CSV format and contain the following:

Event Type: The action taken by the firewall (Deny)

Protocol: The protocol used for communication (TCP/PING/UDP/IRD/etc)

Source IP Address: IP where the packet originated

Source Port: Port where the packet originated

Destination IP: Intended target for the packet

Destination Port: Intended port for the packet

Creation Date: Date and time of action (24-hour format)
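As an added example, not part of the original page or of SoftLayer's tooling, the Python script below parses an exported log in the column layout just listed, counts denied events per source address and per destination port, and flags sources that were denied on several different ports within the export, which is the pattern a defender would want surfaced from this report. The log lines are constructed for the example, and the exact header spellings and the timestamp layout are assumptions about the CSV export.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List, Set

# Constructed sample in the column layout listed above. Header spellings and
# the timestamp layout are assumptions about the real export.
SAMPLE_LOG = """\
Event Type,Protocol,Source IP Address,Source Port,Destination IP,Destination Port,Creation Date
Deny,TCP,192.0.2.7,51234,198.51.100.10,22,2014-05-01 10:15:02
Deny,TCP,192.0.2.7,51235,198.51.100.10,23,2014-05-01 10:15:03
Deny,TCP,192.0.2.7,51236,198.51.100.10,3389,2014-05-01 10:15:03
Deny,TCP,192.0.2.7,51237,198.51.100.10,1433,2014-05-01 10:15:04
Deny,TCP,203.0.113.9,40001,198.51.100.10,22,2014-05-01 11:02:10
Deny,UDP,203.0.113.9,40002,198.51.100.10,53,2014-05-01 11:02:11
Deny,PING,198.18.0.4,0,198.51.100.10,0,2014-05-01 12:30:00
"""

DATE_FORMAT = "%Y-%m-%d %H:%M:%S"   # 24-hour format; exact layout assumed


def parse_log(text: str) -> List[Dict[str, object]]:
    """Read the CSV export into records with typed ports and timestamps."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        records.append({
            "event": row["Event Type"],
            "protocol": row["Protocol"],
            "src": row["Source IP Address"],
            "sport": int(row["Source Port"]),
            "dst": row["Destination IP"],
            "dport": int(row["Destination Port"]),
            "time": datetime.strptime(row["Creation Date"], DATE_FORMAT),
        })
    return records


def denies_by_source(records) -> Counter:
    """How many packets each source had blocked."""
    return Counter(r["src"] for r in records if r["event"] == "Deny")


def denies_by_port(records) -> Counter:
    """Which (protocol, destination port) pairs are blocked most often."""
    return Counter((r["protocol"], r["dport"]) for r in records if r["event"] == "Deny")


def noisy_sources(records, min_ports: int = 3) -> List[str]:
    """Sources denied on at least `min_ports` distinct destination ports.

    One address probing many closed ports is the pattern worth a closer
    look; the threshold is a tunable chosen here, not a rule from the page.
    """
    ports: Dict[str, Set[int]] = defaultdict(set)
    for r in records:
        if r["event"] == "Deny":
            ports[r["src"]].add(r["dport"])
    return sorted(src for src, seen in ports.items() if len(seen) >= min_ports)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("denies per source:", denies_by_source(recs).most_common())
    print("denies per port:", denies_by_port(recs).most_common(3))
    print("sources denied on 3+ ports:", noisy_sources(recs))
```

Because the export covers a single IP for a chosen date range, the per-port counts also show which of the Common Ports above are being hit despite not being opened by any permit rule, which is a useful sanity check that the working config matches what the server actually needs.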

Managing via the SoftLayer API

The Hardware Firewall is managed through the SoftLayer_Network_Component_Firewall service. A "getting started" guide is also available.

Cancelling a Firewall

Firewalls can be cancelled at any time by navigating to the protected device, selecting the Firewall tab, and clicking Actions -> Cancel Firewall. Note that this leaves the device without frontend firewall protection.

Product Limitations

A shared Hardware Firewall cannot be deployed to a server on a VLAN that meets any of the following criteria. In these instances, a new VLAN must be established for the Firewall or another product must be selected.

  • Is currently associated with a Network Gateway, Hardware Firewall, or Fortigate Security Appliance
  • Contains 30 or more servers
  • Has a primary subnet that is larger than a /28

Not available for 10Gb servers

Maximum of 79 firewall rules per shared Hardware Firewall

Portable subnets not protected

Incompatible with Windows Network Load Balancing (NLB) due to the way ARP is processed