Configure a Hardware Firewall (Dedicated)

Introduction

A Hardware Firewall (Dedicated) is a single-tenant network device that sits upstream from a server and protects any or all servers on a public VLAN. The Firewall blocks unwanted traffic before it ever reaches the server. The main advantage is that a server only has to handle 'good' traffic and no resources are wasted dealing with the 'bad' traffic. It is purchased separately from a server order and can be added to a public VLAN at any time. Firewall rules can be applied on a per-IP or per-subnet basis. High availability can also be ordered, which provides two appliances in an active-passive deployment with synchronized configurations.

Configuring the firewall is as simple as creating a set of rules that allow access to certain IP addresses and ports from specific Internet addresses while denying traffic from other sources.

Intended Use: Single Public VLAN Protection

User Interface: Integrated into SoftLayer Control Portal and SoftLayer API

Features: Stateful Packet Inspection, VLAN Protection, Ingress Firewall Rules, Basic Logging, IPv4, IPv6, High Availability (Optional)

Throughput: 2000Mbps


Adding a Hardware Firewall (Dedicated) to a public VLAN

Navigate to Network -> IP Management -> VLANs

Filter By "Primary Router: fcr" to view only your Public VLANs (optional)

Each row represents a VLAN in your infrastructure. SoftLayer populates the "VLAN Number" and "Primary Router" fields automatically, indicating the true VLAN number and the router it is configured on. The "Name" field is left for users to define a recognizable name (such as DMZ, Intranet, Public, or Database).

The far right column (Gateway / Firewall) contains details about what hardware firewall protection is in place. Click on "Add Firewall" for the appropriate VLAN. If the field is already populated, a firewall or Network Gateway is already associated with the VLAN, and that device must be removed from the VLAN before you can proceed.

You will be presented with your Firewall options. These include a "Hardware Firewall (Dedicated)" and a "Hardware Firewall (High Availability)". The High Availability option deploys the same hardware and interface, but adds a second passive node that continues processing traffic if the active node fails. High Availability reduces the risk of excessive downtime. Select one of the two options. You can also click the "Servers on this VLAN" button to ensure you are selecting the appropriate VLAN.

A Hardware Firewall (Dedicated) cannot be ordered as part of a server order and must be placed after at least one public compute node is established (adding the associated VLAN to the user's account).


Editing Rules

When the Firewall is first added to the VLAN, a set of rules is initially put in place that allows all traffic through the firewall. Rules can then be added to control the traffic.

Navigate to Network -> IP Management -> VLANs

Filter By "Primary Router: fcr" to view only your Public VLANs (optional)

Each row represents a VLAN in your infrastructure.  Click on the Firewall-vlanXXXX.networklayer.com link associated with the VLAN you want to manage.

Ensure the "Status" indicates that the firewall is "Processing All Rules."  Users can choose to bypass the rules in the event that implemented rules have an unintended impact on their environment by clicking "Bypass Rules" in this area.

To continue with editing rules, click on the "Rules" tab.

The page will display sections showing the current rules in effect for IPv4 and IPv6 addresses. If no rules are implemented, a faded placeholder will be displayed. If rules exist they can be edited by clicking on the corresponding row. This list of rules is known as the 'working config'. A 'working config' is a set of rules that is in the process of being created but has not yet been applied to the Firewall. A user may edit, add, and delete rules until the rule set is complete. Rules are displayed in the order in which they are processed, with lower-numbered rules taking precedence over higher-numbered rules (if rule 1 allows a packet through, rules 2 and beyond are not applied to that packet).

The fields are:

Order: The rule's order number. Rules can be moved up or down the list with the provided arrows and are enforced from top to bottom.

Action: 'permit' or 'deny' traffic matching this rule

Source: Can be either 'any', a specific IP address, or the network address of a specific subnet.

CIDR: Indicates the standard CIDR prefix length for the selected source. "32" will implement the rule for a single IP while, for example, "24" will implement the rule for 256 IPs.

Destination: Can be either 'any', a specific IP address, or the network address of a specific subnet.

CIDR: Indicates the standard CIDR prefix length for the selected destination.

Port Range: These two fields indicate the range of ports (between 1 and 65535) that the rule will apply to.

Protocol: Selects the protocol the rule will apply to (TCP/GRE/ICMP/UDP/PPTP/AH/ESP).
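Because rules are processed top to bottom and the first match wins, a rule placed below a broader rule can never fire. The Python script below is an added example (it is not part of this page and not SoftLayer's own tooling) that models the fields above and that processing order, so a 'working config' can be checked offline before 'Update Rules' is pressed. All rules and addresses are constructed sample values; the page does not state what happens when no rule matches, so evaluate() requires the caller to state that action, and matching the port range against every protocol is a modelling assumption.

```python
"""Offline check of a Hardware Firewall (Dedicated) 'working config'.

Added example, not SoftLayer code. It models the portal's rule fields (Order,
Action, Source/CIDR, Destination/CIDR, Port Range, Protocol) and the
first-match, top-to-bottom processing described above, so a rule set can be
sanity-checked before 'Update Rules' is pressed. All rules and addresses
below are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    order: int
    action: str            # 'permit' or 'deny'
    source: str            # 'any', a host address, or a subnet's network address
    source_cidr: int       # prefix length; 32 = one IPv4 host (ignored for 'any')
    destination: str
    destination_cidr: int
    port_start: int        # Port Range (1..65535), matched on the destination port
    port_end: int
    protocol: str          # TCP/GRE/ICMP/UDP/PPTP/AH/ESP


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    protocol: str


def _in_scope(address, cidr, candidate):
    """True if candidate lies inside address/cidr, or address is 'any'."""
    if address == "any":
        return True
    return ipaddress.ip_address(candidate) in ipaddress.ip_network(
        f"{address}/{cidr}", strict=False)


def _covers(addr_a, cidr_a, addr_b, cidr_b):
    """True if scope addr_a/cidr_a contains all of scope addr_b/cidr_b."""
    if addr_a == "any":
        return True
    if addr_b == "any":
        return False
    net_a = ipaddress.ip_network(f"{addr_a}/{cidr_a}", strict=False)
    net_b = ipaddress.ip_network(f"{addr_b}/{cidr_b}", strict=False)
    return net_a.version == net_b.version and net_b.subnet_of(net_a)


def matches(rule, pkt):
    # Modelling assumption: the port range is checked for every protocol.
    return (rule.protocol.upper() == pkt.protocol.upper()
            and _in_scope(rule.source, rule.source_cidr, pkt.src)
            and _in_scope(rule.destination, rule.destination_cidr, pkt.dst)
            and rule.port_start <= pkt.dport <= rule.port_end)


def evaluate(rules, pkt, no_match_action):
    """Walk rules in Order; the first match decides and later rules are never
    consulted. The page does not say what happens when nothing matches, so
    the caller states that action explicitly."""
    for rule in sorted(rules, key=lambda r: r.order):
        if matches(rule, pkt):
            return rule.action, rule.order
    return no_match_action, None


def shadowed_rules(rules):
    """Orders of rules that can never match because an earlier rule already
    catches every packet they would catch (why a new rule 'has no effect')."""
    ordered = sorted(rules, key=lambda r: r.order)
    shadowed = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if (earlier.protocol.upper() == later.protocol.upper()
                    and _covers(earlier.source, earlier.source_cidr,
                                later.source, later.source_cidr)
                    and _covers(earlier.destination, earlier.destination_cidr,
                                later.destination, later.destination_cidr)
                    and earlier.port_start <= later.port_start
                    and later.port_end <= earlier.port_end):
                shadowed.append(later.order)
                break
    return shadowed


# Constructed working config for one web host: HTTPS from anywhere, SSH only
# from an admin /24, all other TCP/UDP to the host denied. Rule 5 is a
# deliberate ordering mistake: it sits below the catch-all deny, so it never fires.
SAMPLE_RULES = [
    Rule(1, "permit", "any", 0, "203.0.113.10", 32, 443, 443, "TCP"),
    Rule(2, "permit", "198.51.100.0", 24, "203.0.113.10", 32, 22, 22, "TCP"),
    Rule(3, "deny", "any", 0, "203.0.113.10", 32, 1, 65535, "TCP"),
    Rule(4, "deny", "any", 0, "203.0.113.10", 32, 1, 65535, "UDP"),
    Rule(5, "permit", "198.51.100.7", 32, "203.0.113.10", 32, 3389, 3389, "TCP"),
]

if __name__ == "__main__":
    pkt = Packet("198.51.100.7", "203.0.113.10", 3389, "TCP")
    print(evaluate(SAMPLE_RULES, pkt, "deny"), shadowed_rules(SAMPLE_RULES))
```

Running the script reports that the Remote Desktop packet from the admin host is denied by rule 3, and that rule 5 is shadowed; moving rule 5 above rule 3 with the portal's order arrows is the fix the model points to.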

Common Ports

FTP - 21 
SSH - 22 
Telnet - 23 
SMTP - 25 
DNS - 53 
HTTP - 80 
POP3 - 110 
IMAP - 143 
HTTPS - 443 
MSSQL - 1433 
MySQL - 3306 
Remote Desktop - 3389 
PostgreSQL - 5432 
VNC Web - 5800 
VNC Client - 5900 
Urchin - 9999 or 10000

Applying Rules

Once the 'working config' is complete, press the 'Update Rules' button to have the 'working config' applied to the Firewall. The rules should take effect within 2 minutes.


Bypassing the Firewall or Firewall rules

If a user wants to have all traffic temporarily route around the firewall, select Actions -> Set Route Bypass. This takes approximately 2 minutes to take effect. This feature is intended for use when there is a suspected firewall issue not related to the implemented firewall rules. While in bypass mode, the status area on the Firewall management pages will display "Routing AROUND firewall".

To temporarily allow all traffic through the firewall, select Actions -> Set Rule Bypass. This feature is intended for use when there is a suspected issue with the implemented rules. A rule is put in place to allow all traffic to pass through. This takes approximately 2 minutes to take effect. The last set of applied rules is still stored and may be put back into effect at any time by re-applying the configuration. While in bypass mode, the status area on the Firewall management pages will display "Bypassing All Rules."


Viewing Log Reports

Logs are available on a per-IP basis by navigating to the firewall management screen and completing the "Export Report for" fields. Logs are presented in .CSV format and contain the following:

Event Type: The action taken by the firewall (Deny)

Protocol: The protocol used for communication (TCP/PING/UDP/IRD/etc)

Source IP Address: IP where the packet originated

Source Port: Port where the packet originated

Destination IP: Intended target for the packet

Destination Port: Intended port for the packet

Creation Date: Date and time of action (24-hour format)
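The exported report is most useful when it is summarised rather than read row by row. The Python script below is an added example (not part of this page and not SoftLayer's tooling) that parses a CSV with the columns listed above and answers two defender questions: which sources are being denied most, and which of them were denied on several different ports in a short span. The header spelling, the sample rows and the timestamp layout are constructed for this example, since the page shows no actual export; compare them with the first line of a real report and adjust DATE_FORMAT and the column names if they differ.

```python
"""Summarise an exported Hardware Firewall (Dedicated) log report.

Added example, not SoftLayer code. The portal exports per-IP logs as CSV
carrying the fields listed above (Event Type, Protocol, Source IP Address,
Source Port, Destination IP, Destination Port, Creation Date). The exact
header spelling and timestamp layout of a real export are not shown on the
page; the header, rows and date format below are constructed for this
example, so compare them with the first line of your own export.
"""
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample export: one source probing several well-known ports
# on a single protected host, plus two unrelated denies.
SAMPLE_CSV = """\
Event Type,Protocol,Source IP Address,Source Port,Destination IP,Destination Port,Creation Date
Deny,TCP,192.0.2.77,51234,203.0.113.10,22,2014-03-01 13:05:10
Deny,TCP,192.0.2.77,51235,203.0.113.10,23,2014-03-01 13:05:11
Deny,TCP,192.0.2.77,51236,203.0.113.10,3389,2014-03-01 13:05:12
Deny,UDP,198.51.100.9,4000,203.0.113.10,53,2014-03-01 13:06:30
Deny,TCP,192.0.2.77,51237,203.0.113.10,1433,2014-03-01 13:06:45
Deny,TCP,203.0.113.200,40001,203.0.113.10,22,2014-03-01 13:07:00
"""

DATE_FORMAT = "%Y-%m-%d %H:%M:%S"  # assumed 24-hour layout; adjust to the export


def parse_log(text):
    """Parse the CSV text into dicts with integer ports and a datetime."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "event": row["Event Type"].strip(),
            "protocol": row["Protocol"].strip(),
            "src": row["Source IP Address"].strip(),
            "sport": int(row["Source Port"]),
            "dst": row["Destination IP"].strip(),
            "dport": int(row["Destination Port"]),
            "time": datetime.strptime(row["Creation Date"].strip(), DATE_FORMAT),
        })
    return rows


def denies_by_source(rows):
    """How many packets each source address had denied."""
    return Counter(r["src"] for r in rows if r["event"].lower() == "deny")


def port_sweeps(rows, min_ports=3):
    """Sources denied on at least min_ports distinct destination ports,
    the pattern a sweep of the Common Ports list leaves behind."""
    ports = defaultdict(set)
    for r in rows:
        if r["event"].lower() == "deny":
            ports[r["src"]].add(r["dport"])
    return sorted(src for src, seen in ports.items() if len(seen) >= min_ports)


def denied_destination_ports(rows):
    """Denied destination ports, most frequent first; a quick confirmation
    that the applied rule set is blocking what was intended."""
    return Counter(r["dport"] for r in rows if r["event"].lower() == "deny").most_common()


if __name__ == "__main__":
    rows = parse_log(SAMPLE_CSV)
    print(denies_by_source(rows))
    print("port sweeps:", port_sweeps(rows))
    print(denied_destination_ports(rows))
```

For a real export, replace SAMPLE_CSV with the file contents (for example `parse_log(open("report.csv").read())`); the thresholds in port_sweeps are a starting point to tune against the VLAN's normal traffic.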


Managing via the SoftLayer API

The Hardware Firewall is manipulated through the SoftLayer_Network_Firewall_AccessControlList service.  A "getting started" guide is available.


Cancelling the Firewall

Firewalls can be cancelled at any time by navigating to the firewall management page and clicking Actions -> Cancel Firewall.  Note that this will leave all devices on the VLAN without frontend firewall protections.


Product Limitations

Incompatible with Windows Network Load Balancing (NLB) due to the way ARP is processed.

High Availability failover functionality is not exposed to the user. If the master firewall malfunctions but does not fail over automatically, a support ticket will be required. Device monitoring for critical services is recommended to ensure that firewalls are passing traffic as expected.

A Hardware Firewall (Dedicated) cannot be deployed on a VLAN that is currently associated with a Network Gateway, Hardware Firewall, or Fortigate Security Appliance.