Topic
This article discusses how to create and manage firewall rules in ControlOne.
Environment
- Cytracom ControlOne
Description
ControlOne automatically creates rules allowing full bidirectional communication between connected zones. When you connect zones to each other, you do not need to create any firewall rules to allow access. However, you can use firewall rules if you want to limit the traffic based on source/destination IP addresses, Fully Qualified Domain Names (FQDN), service ports, TCP/UDP/ICMP protocols, or geographic regions.
Why Would You Need FWaaS (Firewall as a Service)?
- Granular Traffic Control: Restrict traffic based on IP addresses, FQDNs, country locations, ports, or protocols to enforce security policies.
- East/West Protection: Secure communication between zones within your network to prevent lateral movement of threats.
- Regulatory Compliance: Enforce location-based restrictions to comply with data sovereignty and privacy regulations.
- Improved Security Posture: Block traffic from high-risk countries or disallowed services to reduce exposure to threats.
- Custom Use Cases: Enable bespoke traffic controls for unique operational requirements.
How to Create and Manage Firewall Rules in ControlOne
Important Considerations
- ControlOne automatically creates the proper firewall rules when you connect zones on the network map.
- Firewall rules created through this procedure will apply globally at the Tenant level. For this reason, rules allowing "any source IP to any destination IP over any protocol and any port" are not permitted, as they would compromise network protections.
- ControlOne uses network validation. If you specify invalid IP addresses or FQDNs during rule creation, the system will return an error.
- An explicit Allow Any/Any rule is created by ControlOne at the end of the rule stack to enable zone communication.
- Firewall rules are created on the Cloud Gateway Firewall and can inspect and filter any traffic flowing through it, including internet-bound or East/West traffic.
Navigating to the Firewalls Page
- In the ControlOne Portal, click the Firewall link in the Navigation menu.
Creating a Rule
- On the Firewalls page, click Add Rule in the upper-right portion of the window. A configuration window will open.
- Configure the rule in the following sections:
  New Firewall Rule: Specify the rule name, select the protocol, and add a description.
  Source:
  - Source IP: Select the source IP address, network address, or FQDN to match inbound or outbound traffic.
  - Source Port: Specify a single port, a port range, multiple ports (separated by commas), or Any.
  - Source Country: Use the country-based blocking option to restrict or allow traffic from specific geographic locations.
  Destination:
  - Destination IP: Select the destination IP address, network address, or FQDN to match destination traffic.
  - Destination Port: Specify a single port, a port range, multiple ports (separated by commas), or Any.
  - Destination Country: Use the country-based blocking option to restrict or allow traffic to specific geographic locations.
  Action:
  - Specify Allow or Deny for the traffic that matches your source and destination criteria. If you allow the traffic, use the Default Security Policy drop-down menu to select the appropriate Security Policy for this rule.
- Click Save to apply the rule.
To edit a rule you have created, click it on the Firewall page. A dialog opens with the same fields you used to build the rule.
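The rule fields described above, the network validation noted under Important Considerations, and the fall-through to the Allow Any/Any that ControlOne places at the end of the rule stack can be modelled as a small first-match evaluator. The Python below is an added example, not Cytracom's code or the ControlOne API: the field names mirror the article's Source/Destination/Action sections, while the first-match ordering, the FQDN syntax check, and the sample addresses and country codes (XA/XB are user-assigned ISO 3166 codes used as constructed placeholders) are assumptions made for illustration.

```python
"""Model of a ControlOne-style firewall rule stack (added example, not Cytracom code).

Field names follow the article's Source / Destination / Action sections; the
validation rules and first-match semantics are assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Set, Tuple

ANY = "Any"
PROTOCOLS = {"TCP", "UDP", "ICMP", "ANY"}


def parse_ports(spec: str) -> Optional[Set[int]]:
    """'Any' -> None (match all); '443', '1000-2000', '80,443,8080-8090' -> port set."""
    if spec.strip().lower() == "any":
        return None
    ports: Set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo_n, hi_n = int(lo), int(hi or lo)
        if not 1 <= lo_n <= hi_n <= 65535:
            raise ValueError(f"invalid port spec: {part.strip()!r}")
        ports.update(range(lo_n, hi_n + 1))
    return ports


def parse_address(spec: str):
    """'Any' -> None; IP or CIDR -> ip_network; otherwise a syntactically valid FQDN.
    Anything else raises ValueError, mirroring the portal's network validation."""
    spec = spec.strip()
    if spec.lower() == "any":
        return None
    try:
        return ipaddress.ip_network(spec, strict=False)
    except ValueError:
        pass
    labels = spec.lower().rstrip(".").split(".")
    if len(labels) >= 2 and labels[-1].isalpha() and all(
        0 < len(lbl) <= 63 and lbl.replace("-", "").isalnum() for lbl in labels
    ):
        return ".".join(labels)
    raise ValueError(f"invalid IP, network or FQDN: {spec!r}")


def _addr_match(rule_addr, ip: str, fqdn: Optional[str]) -> bool:
    if rule_addr is None:                       # Any
        return True
    if isinstance(rule_addr, str):              # FQDN rule: compare the resolved name
        return fqdn is not None and fqdn.lower().rstrip(".") == rule_addr
    return ipaddress.ip_address(ip) in rule_addr  # IP / network rule


def _port_match(rule_ports: Optional[Set[int]], port: Optional[int]) -> bool:
    return rule_ports is None or port in rule_ports


@dataclass
class Flow:
    """One connection attempt seen by the Cloud Gateway Firewall (constructed input)."""
    src_ip: str
    dst_ip: str
    protocol: str
    src_port: Optional[int] = None              # None for ICMP
    dst_port: Optional[int] = None
    src_fqdn: Optional[str] = None              # name the endpoint resolved from, if known
    dst_fqdn: Optional[str] = None
    src_country: str = "XA"                     # placeholder country codes
    dst_country: str = "XA"


@dataclass
class Rule:
    name: str
    protocol: str = ANY
    src_ip: str = ANY
    src_port: str = ANY
    src_country: str = ANY
    dst_ip: str = ANY
    dst_port: str = ANY
    dst_country: str = ANY
    action: str = "Allow"

    def __post_init__(self):
        # Validate every field up front, as the portal does on Save.
        if self.action not in ("Allow", "Deny"):
            raise ValueError(f"action must be Allow or Deny: {self.action!r}")
        if self.protocol.upper() not in PROTOCOLS:
            raise ValueError(f"unknown protocol: {self.protocol!r}")
        self._src, self._dst = parse_address(self.src_ip), parse_address(self.dst_ip)
        self._sports, self._dports = parse_ports(self.src_port), parse_ports(self.dst_port)
        # Tenant-wide rules may not match any source, any destination, any protocol, any port.
        if (self.protocol.upper() == "ANY"
                and all(v is None for v in (self._src, self._dst, self._sports, self._dports))
                and self.src_country == ANY and self.dst_country == ANY):
            raise ValueError("Any/Any/Any rules are not permitted at the Tenant level")

    def matches(self, f: Flow) -> bool:
        return (self.protocol.upper() in ("ANY", f.protocol.upper())
                and _addr_match(self._src, f.src_ip, f.src_fqdn)
                and _addr_match(self._dst, f.dst_ip, f.dst_fqdn)
                and _port_match(self._sports, f.src_port)
                and _port_match(self._dports, f.dst_port)
                and self.src_country in (ANY, f.src_country)
                and self.dst_country in (ANY, f.dst_country))


def validates(**fields) -> bool:
    """True if the rule passes validation, False if the portal-style check rejects it."""
    try:
        Rule(**fields)
        return True
    except ValueError:
        return False


def evaluate(rules, flow: Flow) -> Tuple[str, str]:
    """First match wins; unmatched traffic falls through to the Allow Any/Any that
    ControlOne appends to the stack for zone-to-zone communication."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action, rule.name
    return "Allow", "ControlOne default Allow Any/Any"


# Constructed sample rule stack (RFC 1918 and documentation address ranges).
RULES = [
    Rule("Deny RDP into server zone", protocol="TCP", dst_ip="10.20.0.0/24",
         dst_port="3389", action="Deny"),
    Rule("Allow HTTPS to update service", protocol="TCP", src_ip="10.10.0.0/24",
         dst_ip="updates.example.com", dst_port="443"),
    Rule("Deny traffic to placeholder region XB", dst_country="XB", action="Deny"),
]


def demo():
    flows = {
        "rdp": Flow("10.10.0.5", "10.20.0.7", "TCP", 51000, 3389),
        "https": Flow("10.10.0.5", "203.0.113.10", "TCP", 51001, 443,
                      dst_fqdn="updates.example.com"),
        "smb": Flow("10.10.0.5", "10.20.0.7", "TCP", 51002, 445),
        "geo": Flow("10.10.0.5", "198.51.100.4", "UDP", 51003, 53, dst_country="XB"),
    }
    return {name: evaluate(RULES, flow) for name, flow in flows.items()}


if __name__ == "__main__":
    for name, (action, rule) in demo().items():
        print(f"{name:6s} -> {action:5s} ({rule})")
```

Because evaluation is first-match, the "smb" flow is not caught by the RDP deny (wrong port) or the FQDN allow (no matching name) and lands on the default Allow Any/Any, which is why a restrictive deny must sit above the permissive rules that would otherwise let the traffic through.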
Best Practices for Using FWaaS
- Start with Least Privilege: Define the most restrictive rules possible and expand only as needed.
- Use FQDNs for Dynamic Targets: When managing dynamic or cloud-based services, use FQDNs instead of IPs to ensure flexibility.
- Enable Country-Based Blocking for High-Risk Regions: Use geographic restrictions to block or allow traffic based on location.
- Review and Audit Regularly: Periodically review rules to ensure they align with current operational and security requirements.
- Document Rule Changes: Maintain a log of rule additions, modifications, and deletions for accountability and troubleshooting.
- Test Rules in a Staging Environment: Validate new rules in a test environment before applying them to production.
By leveraging ControlOne’s enhanced FWaaS capabilities, including FQDN and country-based blocking, you can implement more effective and granular network security controls tailored to your specific needs.