Using Edge Gateway Firewall

Overview

An edge gateway firewall monitors North-South traffic to provide perimeter security functionality including firewall, Network Address Translation (NAT) as well as site-to-site IPSec and SSL VPN functionality.

Firewall rules applied to an edge gateway firewall protect the virtual machines in an organization virtual data center from outside network traffic.

Procedure

I. Predefine Objects

To create firewall rules and add them to an edge gateway, you need to define the following:

  • Name: Name for the rule.

  • Source: IP Sets\Dynamic Groups\Static Group (1.1, 1.2, 1.3, 1.4)

  • Destination: IP Sets\Dynamic Groups\Static Group (1.1, 1.2, 1.3, 1.4)

  • Application: Select the application port profiles (protocol and port) that the rule applies to (1.5)

  • Action: Allow\Reject\Drop

  • IP Protocol: IPv4/IPv6 or both

1.1 Add an IP Set

IP sets are groups of IP addresses and networks to which the firewall rules apply (as Source and Destination).

  1. In the top navigation bar, click Networking and click Edge Gateways.

  2. Select the edge gateway that you want to edit.

  3. Under Security, click IP Sets.

  4. Click New.

  5. Enter a meaningful Name and a Description for the IP set.

  6. Enter an IPv4 address, IPv6 address, or an address range in CIDR format, and click Add.

  7. To modify an existing IP address or range, click Modify and edit the value.

  8. To confirm, click Save.

Note: Do not remove IP Sets whose names start with HIGIO- (if any).

1.2 Create a Static Security Group

Static security groups are groups of data center group networks to which distributed firewall rules apply (as Source and Destination). Grouping networks helps you to reduce the total number of distributed firewall rules to be created.

  1. In the top navigation bar, click Networking and click Edge Gateways.

  2. Select the edge gateway that you want to edit.

  3. Under Security, click Static Groups.

  4. Click New.

  5. Enter a Name and a Description for the static group, and click Save.

The static security group appears in the list.

  6. Select the newly created static security group and click Manage Members.

  7. Select the data center group networks that you want to add to the static security group, and click Save.

1.3 Assign Security Tags to VM

Security tags that you create and assign to virtual machines help you to define edge gateway firewall rules and distributed firewall rules.

  1. In the top navigation bar, click Networking.

  2. Click Security Tags.

  3. Click Add Tag.

  4. Enter a tag name.

  5. From the list of virtual machines in the organization, select the ones to which to assign the newly created tag.

  6. Click Save.


1.4 Create a Dynamic Security Group

You can define dynamic security groups of virtual machines based on specific criteria (VM Name or Tag Name) to which to apply firewall rules.

  1. In the top navigation bar, click Networking and click Edge Gateways.

  2. Select the edge gateway that you want to edit.

  3. Under Security, click Dynamic Groups.

  4. Click New.

  5. Enter a Name and a Description for the dynamic security group.

  6. To create a Criterion for inclusion in the group, add up to four rules that apply either to a VM Name or to a VM security tag.

  • VM Name: a rule that applies to VM names which contain or start with a term that you specify.

  • VM Tag: a rule that applies to VM tags which equal, contain, start with, or end with a term that you specify.

As shown in the figure, I created two rules:

  • VM Name: Starts With “demo”

  • VM Tag: Equals “non-prd” (the tag that you created in 1.3)

  7. Click Save.

1.5 Add a Custom Application Port Profile

To create firewall rules, you can use preconfigured application port profiles and custom application port profiles.

Application port profiles include a combination of a protocol and a port, or a group of ports, that is used for firewall services. 


  1. In the top navigation bar, click Networking and click Edge Gateways.

  2. Select the edge gateway that you want to edit.

  3. Under Security, click Application Port Profiles.

  4. In the Custom Applications pane, click New.

  5. Enter a Name and a Description for the application port profile.

  6. From the Protocol drop-down menu, select the protocol: TCP, UDP, ICMPv4, or ICMPv6.

  7. Enter a port, or a range of ports, separated by commas, and click Save.


II. Add an Edge Gateway Firewall Rule

With the objects from section I predefined, create the edge gateway firewall rule as follows:

  1. In the top navigation bar, click Networking and click Edge Gateways.

  2. Select the edge gateway.

  3. Select Firewall under Services on the left.

  4. Click Edit Rules.

  5. To add a firewall rule, click New on Top.

NOTE: Each traffic session is checked against the top rule in the firewall table before moving down to the subsequent rules in the table. The first rule in the table that matches the traffic parameters is enforced.

  6. Configure the rule:

Name: [Name of the rule]

State: [Enable or disable the rule by toggle]

Applications: Select default profiles or the custom profiles created in 1.5

Source: Select Any or an object created in 1.1, 1.2, 1.3, 1.4

Destination: Select Any or an object created in 1.1, 1.2, 1.3, 1.4

Action: Allow\Reject\Drop

IP Protocol: IPv4/IPv6 or both

Logging: [Enable or disable by toggle] Enable to have the traffic that matches this rule logged

  7. Click Save.

After the firewall rules are created, they appear in the Edge Gateway Firewall Rules list. You can move up, move down, edit, or delete the rules as needed.
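The objects from section I and the first-match, top-down evaluation described in the note above, modelled in Python as an added example. This is not VMware Cloud Director's code or API: every IP set, group, VM, port profile and rule below is constructed for illustration, the dynamic-group operators are modelled from the criteria listed in 1.4, and the fallback action applied when no rule matches is an assumption (check the last rule of your own table).

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed model of the objects in sections 1.1 to 1.5 and of first-match
# rule evaluation; illustrative only, not VMware Cloud Director's code or API.

@dataclass
class VM:
    name: str
    ip: str
    tags: set = field(default_factory=set)   # 1.3: security tags assigned to the VM

@dataclass
class CidrGroup:
    name: str
    cidrs: list
    def contains(self, vm):
        addr = ipaddress.ip_address(vm.ip)
        return any(addr in ipaddress.ip_network(c, strict=False) for c in self.cidrs)

class IPSet(CidrGroup): pass        # 1.1: addresses or ranges in CIDR format
class StaticGroup(CidrGroup): pass  # 1.2: data center group networks, modelled as CIDRs

OPS = {"equals": lambda v, t: v == t,            # 1.4: criterion operators
       "contains": lambda v, t: t in v,
       "starts_with": lambda v, t: v.startswith(t),
       "ends_with": lambda v, t: v.endswith(t)}

@dataclass
class DynamicGroup:                 # 1.4: a VM is a member if any criterion matches
    name: str
    criteria: list                  # (field, operator, term) tuples, up to four
    def contains(self, vm):
        for fld, op, term in self.criteria:
            if fld == "vm_name" and OPS[op](vm.name, term):
                return True
            if fld == "vm_tag" and any(OPS[op](tag, term) for tag in vm.tags):
                return True
        return False

@dataclass
class AppProfile:                   # 1.5: protocol plus port(s)
    name: str
    protocol: str
    ports: set
    def matches(self, protocol, port):
        return protocol == self.protocol and port in self.ports

ANY = None                          # the "Any" choice for Source/Destination/Applications

@dataclass
class Rule:                         # section II: one row of the firewall table
    name: str
    action: str                     # Allow / Reject / Drop
    source: object = ANY
    destination: object = ANY
    applications: list = ANY
    enabled: bool = True            # the State toggle
    logging: bool = False

def evaluate(rules, src, dst, protocol, port, log=None, default=("Drop", "default")):
    """First match wins, top to bottom. `default` stands in for the table's final
    catch-all rule and is an assumption: check the last rule in your own table."""
    for r in rules:
        src_ok = r.source is ANY or r.source.contains(src)
        dst_ok = r.destination is ANY or r.destination.contains(dst)
        app_ok = r.applications is ANY or any(a.matches(protocol, port) for a in r.applications)
        if r.enabled and src_ok and dst_ok and app_ok:
            if r.logging and log is not None:
                log.append(f"{r.name}: {src.ip}->{dst.ip} {protocol}/{port} {r.action}")
            return r.action, r.name
    return default

# Constructed sample objects and a three-rule table
WEB_SET = IPSet("web-servers", ["10.10.1.10/32", "10.10.1.11/32"])
APP_NET = StaticGroup("app-network", ["10.10.2.0/24"])
DEMO_GROUP = DynamicGroup("demo-vms", [("vm_name", "starts_with", "demo"),
                                       ("vm_tag", "equals", "non-prd")])
HTTPS, SSH = AppProfile("custom-https", "TCP", {443}), AppProfile("ssh", "TCP", {22})
RULES = [Rule("allow-https-in", "Allow", ANY, WEB_SET, [HTTPS], logging=True),
         Rule("drop-demo-to-app", "Drop", DEMO_GROUP, APP_NET, ANY, logging=True),
         Rule("allow-app-ssh", "Allow", ANY, APP_NET, [SSH])]
CLIENT, WEB = VM("external", "203.0.113.5"), VM("web01", "10.10.1.10")
DEMO_VM, APP = VM("demo-box", "10.10.3.7", {"non-prd"}), VM("app01", "10.10.2.20")

def demo():
    """Run four sessions through RULES; returns ({case: (action, rule)}, log lines)."""
    log = []
    results = {"https_to_web": evaluate(RULES, CLIENT, WEB, "TCP", 443, log),
               "ssh_to_web": evaluate(RULES, CLIENT, WEB, "TCP", 22, log),
               "demo_ssh_to_app": evaluate(RULES, DEMO_VM, APP, "TCP", 22, log),
               "external_ssh_to_app": evaluate(RULES, CLIENT, APP, "TCP", 22, log)}
    return results, log

def order_matters():
    """Moving the Allow rule above the Drop rule (Move Up in the UI) flips the verdict."""
    reordered = [RULES[0], RULES[2], RULES[1]]
    return evaluate(RULES, DEMO_VM, APP, "TCP", 22), evaluate(reordered, DEMO_VM, APP, "TCP", 22)
```

`demo()` shows the four outcomes a practitioner usually wants to confirm after building a table: the intended allow (HTTPS to the web IP set), a session that falls through to the catch-all because no application profile matches (SSH to the web set), a session caught by a Drop rule whose source is the dynamic group, and an allow that only works because the Drop rule above it did not match. `order_matters()` swaps the last two rules and shows the same demo-to-app session going from Drop to Allow, which is why the Move Up / Move Down controls deserve the same review as the rules themselves. Only the two rules with Logging enabled produce log lines, so switch logging on for any rule whose hits you expect to investigate.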

Note: Do not remove rules whose names start with HIGIO- (if any).