Topic
This article discusses how to manage firewall rules in ControlOne.
Environment
- Cytracom ControlOne
Description
ControlOne automatically creates rules allowing full bidirectional communication between connected zones. When you connect zones to each other, you do not need to create any firewall rules to allow access. However, you can use firewall rules if you want to limit the traffic based on source/destination IP addresses, service ports, and TCP or UDP protocols.
ControlOne creates the appropriate firewall rules as part of the network creation process. You do not need to create firewall rules to get things working. Use this procedure only if you require additional rules based on your specific use case.
Adding and managing additional firewall rules
Important considerations
- ControlOne automatically creates the proper firewall rules when you connect zones on the network map.
- Firewall rules created through this procedure will apply globally at the Tenant level. For this reason we do not permit the creation of rules that allow "any source IP to any destination IP over any protocol and any port," as it would cause protections to break.
- ControlOne uses network validation. If you specify invalid IP addresses during rule creation, the system will return an error.
- In order to let zones communicate, ControlOne creates an explicit Allow Any/Any rule at the end of the rule stack.
- Firewall rules are created on the Cloud Gateway Firewall, and can inspect and filter any traffic flowing through it, be it to and from the internet or East/West between zones.
Navigating to the Firewalls page
In the ControlOne Portal, click the Firewall link in the Navigation menu.
Figure 1: The Navigation menu
Creating a rule
On the Firewalls page, click Add Rule in the upper right-hand portion of the window. A configuration window will open.
Figure 2: The Firewall Rule Configuration window
This window is divided into four sections, each representing a condition necessary to create the rule:
1. New Firewall Rule: Specify the rule name, select the protocol, and add a description.
2. Source: Use the drop-down menus to configure the following parameters:
- Source IP: Select the source IP address, or network address, to match inbound or outbound traffic. You can select Any or specify individual IP addresses.
- Source Port: Use this field to select the source port number to match for inbound or outbound traffic. You can specify a single port, port range, multiple ports (separated by commas), or Any.
3. Destination: Use the drop-down menus to configure the following parameters:
- Destination IP: Select the destination IP address, or network address, to match inbound or outbound traffic. You can specify individual IP addresses, or select Any.
- Destination Port: Use this field to select the destination port number to match for inbound or outbound traffic. You can specify a single port, port range, multiple ports (separated by commas), or Any.
4. Action: In this section, click the Allow or Deny button to specify how traffic that matches your source and destination criteria should be handled. If you allow the traffic, you must use the Default security policy drop-down menu to select a security policy.
When finished, click Save.
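As an added illustration, not ControlOne's own code or API, the following Python model captures the rule semantics described above: the port formats the Source and Destination fields accept, IP validation, the refusal of a tenant-wide any/any/any rule, and first-match evaluation that falls through to the Allow Any/Any rule at the end of the stack. The rule names and zone addresses are constructed.

```python
import ipaddress

def parse_ports(spec):
    """Port spec as the page describes: 'Any', '443', '1000-2000' or '80,443' -> None or a set."""
    if spec.strip().lower() == "any":
        return None
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo_n, hi_n = int(lo), int(hi or lo)
        if not 1 <= lo_n <= hi_n <= 65535:
            raise ValueError(f"invalid port spec: {spec!r}")
        ports.update(range(lo_n, hi_n + 1))
    return ports

def parse_net(spec):
    if spec.strip().lower() == "any":
        return None  # Any: matches every address
    return ipaddress.ip_network(spec.strip(), strict=False)  # ValueError on an invalid address

class Rule:
    def __init__(self, name, protocol, src_ip, src_port, dst_ip, dst_port, action):
        self.name, self.protocol, self.action = name, protocol.lower(), action.lower()
        self.src_net, self.dst_net = parse_net(src_ip), parse_net(dst_ip)
        self.src_ports, self.dst_ports = parse_ports(src_port), parse_ports(dst_port)
        # Rules apply tenant-wide, so an any-source/any-destination/any-protocol/any-port rule is refused.
        if self.protocol == "any" and all(x is None for x in
                                         (self.src_net, self.dst_net, self.src_ports, self.dst_ports)):
            raise ValueError("any source to any destination over any protocol and port is not permitted")

    def matches(self, protocol, src, sport, dst, dport):
        return (self.protocol in ("any", protocol.lower())
                and (self.src_net is None or ipaddress.ip_address(src) in self.src_net)
                and (self.dst_net is None or ipaddress.ip_address(dst) in self.dst_net)
                and (self.src_ports is None or sport in self.src_ports)
                and (self.dst_ports is None or dport in self.dst_ports))

def evaluate(rules, protocol, src, sport, dst, dport):
    """First matching rule wins; unmatched traffic hits the Allow Any/Any rule at the end of the stack."""
    for rule in rules:
        if rule.matches(protocol, src, sport, dst, dport):
            return rule.action, rule.name
    return "allow", "default-allow-any-any"

# Constructed sample rule stack (hypothetical zone addresses and rule names).
RULES = [
    Rule("block-rdp-from-guest", "tcp", "10.20.0.0/24", "Any", "10.10.0.0/24", "3389", "Deny"),
    Rule("allow-web-to-dmz", "tcp", "Any", "Any", "10.30.0.10", "80,443", "Allow"),
    Rule("deny-other-to-dmz", "any", "Any", "Any", "10.30.0.0/24", "Any", "Deny"),
]
```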