Using Edge Gateway Firewall

Overview

An edge gateway firewall monitors North-South traffic to provide perimeter security functionality, including firewall, Network Address Translation (NAT), and site-to-site IPSec and SSL VPN functionality.

This page describes how to define firewall rules on an edge gateway firewall to protect the virtual machines in an organization's virtual data center from outside network traffic.

Procedure

I. Predefine Objects

To create firewall rules and add them to an edge gateway, you first need to define the following:

Name: Name of the rule.

Source: IP Sets\Dynamic Groups\Static Groups (see 1.1, 1.2, 1.3, 1.4)

Destination: IP Sets\Dynamic Groups\Static Groups (see 1.1, 1.2, 1.3, 1.4)

Application: The application port profiles (protocol and ports) to which the rule applies (see 1.5)

Action: Allow\Reject\Drop

IP Protocol: IPv4/IPv6 or both

  • 1.1 Add an IP Set:

IP sets are groups of IP addresses and networks to which the firewall rules apply (as Source and Destination).

Step 1: In the top navigation bar, click Networking and click Edge Gateways.

Step 2: Select the edge gateway that you want to edit.

Step 3: Under Security, click IP Sets.

Step 4: Click New.

Step 5: Enter a meaningful Name and a Description for the IP Set.

Step 6: Enter an IPv4 address, IPv6 address, or an address range in CIDR format, and click Add.

Step 7: To modify an existing IP address or range, click Modify and edit the value.

Step 8: To confirm, click Save.

Do not remove any IP Sets whose name starts with HIGIO- (if any exist).

  • 1.2 Create a Static Security Group:

Static security groups are data center group networks to which distributed firewall rules apply (as Source and Destination). Grouping networks helps you reduce the total number of distributed firewall rules that need to be created.

Step 1: In the top navigation bar, click Networking and click Edge Gateways.

Step 2: Select the edge gateway that you want to edit.

Step 3: Under Security, click Static Groups.

Step 4: Click New.

Step 5: Enter a Name and a Description for the static group, and click Save.

The static security group will appear in the list.

Step 6: Select the newly created static security group and click Manage Members.

Step 7: Select the data center group networks that you want to add to the static security group, and click Save.

  • 1.3 Assign Security Tags to VMs:

Security tags you create and assign to virtual machines help you define edge gateway and distributed firewall rules.

Step 1: In the top navigation bar, click Networking.

Step 2: Click Security Tags.

Step 3: Click Add Tag.

Step 4: Enter a tag name.

Step 5: From the list of virtual machines in the organization, select the ones to assign the newly created tag.

Step 6: Click Save.

  • 1.4 Create a Dynamic Security Group:

You can define dynamic security groups of virtual machines based on specific criteria (VM Name or Tag Name) to which firewall rules should be applied.

Step 1: In the top navigation bar, click Networking and Edge Gateways.

Step 2: Select the edge gateway that you want to edit.

Step 3: Under Security, click Dynamic Groups.

Step 4: Click New.

Step 5: Enter a Name and a Description for the dynamic security group.

Step 6: To create a Criterion for inclusion in the group, add up to four rules that apply to a VM Name or a VM security tag.

  • VM Name: a rule that applies to VM names that contain or start with a term that you specify.

  • VM tag: a rule that applies to VM tags that equal, contain, start with, or end with a term that you specify.

In this example, two rules are created:

  • VM Name: Starts With “demo”

  • VM Tag: Equals “non-prd” (the tag created in 1.3)

Step 7: Click Save.

  • 1.5 Add a Custom Application Port Profile:

To create firewall rules, you can use preconfigured and custom application port profiles.

An application port profile combines a protocol with a port or a group of ports, and is used by firewall services.

Step 1: In the top navigation bar, click Networking and click Edge Gateways.

Step 2: Select the edge gateway that you want to edit.

Step 3: Under Security, click Application Port Profiles.

Step 4: In the Custom Applications pane, click New.

Step 5: Enter a Name and a Description for the application port profile.

Step 6: From the Protocol drop-down menu, select the protocol (TCP, UDP, ICMPv4, or ICMPv6).

Step 7: Enter one or more ports or port ranges, separated by commas, and click Save.

II. Add an Edge Gateway Firewall Rule

With the objects predefined in section I, create the edge gateway firewall rule as follows:

Step 1: In the top navigation bar, click Networking and click Edge Gateways.

Step 2: Select the edge gateway.

Step 3: Select Firewall under Services on the left.

Step 4: Click Edit Rules.

Step 5: To add a firewall rule, click New On Top.

Step 6: Configure the rule:

Name: [Name of rule]

State: [Enable or disable rule by toggle]

Applications: Select default profiles or the custom profiles created in 1.5

Source: Select Any or an object created in 1.1, 1.2, 1.3, or 1.4

Destination: Select Any or an object created in 1.1, 1.2, 1.3, or 1.4

Action: Allow\Reject\Drop

IP Protocol: IPv4/IPv6 or both

Logging: [Enable or disable by toggle] Enable to have the address translation performed by this rule logged

Step 7: Click Save.

After creating the firewall rules, they appear in the Edge Gateway Firewall Rules list. You can move up, down, edit, or delete the rules as needed.
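The following is an added, constructed model of the objects from section I (an IP Set in CIDR form, VM security tags, the dynamic group "VM Name starts with demo AND VM Tag equals non-prd", and application port profiles) and of the ordered rule list from section II, evaluated top to bottom. It is illustration code written for this page, not the platform's API or data; it assumes first-match evaluation, that the two rules of one dynamic-group criterion are ANDed, and an implicit drop when no rule matches.

```python
import ipaddress

# Constructed sample objects mirroring section I (not the platform's API or data).
IP_SETS = {"mgmt-net": ["10.10.0.0/24"]}                        # 1.1 IP Set (CIDR)
VMS = [                                                         # 1.3 tags on VMs
    {"name": "demo-web-01", "ip": "10.20.0.11", "tags": {"non-prd"}},
    {"name": "demo-db-01", "ip": "10.20.0.12", "tags": {"prd"}},
    {"name": "prod-web-01", "ip": "10.20.0.21", "tags": {"non-prd"}},
]
PORT_PROFILES = {"HTTPS": ("TCP", {443}), "SSH": ("TCP", {22})}  # 1.5 profiles

def dynamic_group(vms, name_starts_with, tag_equals):
    """1.4: one criterion with two rules; assumed ANDed, so a VM must satisfy both."""
    return {vm["ip"] for vm in vms
            if vm["name"].startswith(name_starts_with) and tag_equals in vm["tags"]}

GROUPS = {"demo-nonprd": dynamic_group(VMS, "demo", "non-prd")}

def in_object(ip, obj):
    """True if ip belongs to the named IP Set or group; 'Any' matches everything."""
    if obj == "Any":
        return True
    if obj in IP_SETS:
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(cidr) for cidr in IP_SETS[obj])
    return ip in GROUPS.get(obj, set())

# Section II rules, ordered top to bottom (assumed first-match evaluation).
RULES = [
    {"name": "allow-ssh-from-mgmt", "app": "SSH", "src": "mgmt-net",
     "dst": "demo-nonprd", "action": "Allow", "ip_proto": "IPv4", "log": True},
    {"name": "allow-https-in", "app": "HTTPS", "src": "Any",
     "dst": "demo-nonprd", "action": "Allow", "ip_proto": "IPv4", "log": False},
    {"name": "default-drop", "app": "Any", "src": "Any",
     "dst": "Any", "action": "Drop", "ip_proto": "both", "log": True},
]

def evaluate(rules, src_ip, dst_ip, proto, port):
    """Return (rule name, action) of the first matching rule, or (None, 'Drop')."""
    version = "IPv%d" % ipaddress.ip_address(src_ip).version
    for rule in rules:
        if rule["ip_proto"] not in ("both", version):
            continue
        if rule["app"] != "Any":
            app_proto, ports = PORT_PROFILES[rule["app"]]
            if app_proto != proto or port not in ports:
                continue
        if in_object(src_ip, rule["src"]) and in_object(dst_ip, rule["dst"]):
            return rule["name"], rule["action"]
    return None, "Drop"  # assumed implicit deny when nothing matches
```

Evaluating the same SSH flow against the reversed list shows why the move up/down controls matter: with default-drop on top, the management SSH rule is never reached.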

End.
