Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Host-based Firewalls


This topic discusses the host-based firewall feature introduced in Contrail Networking Release 2003.

Host-based Firewalls Overview

Contrail Networking Release 2003 provides beta support for the host-based firewall feature which enables the creation of next generation firewalls using cSRX devices. Next-generation firewalls provide the ability to filter packets based on applications. They provide deep-packet inspection with intrusion detection and prevention at the application level.

Historically the vRouter has supported creation of regular Layer 4 firewall policies. To create Layer 7 application-level firewall policies, Contrail Networking uses service chaining. However, service chaining works only in cases of inter-virtual network traffic and not for intra-virtual network traffic. The host-based firewall feature offers next-generation firewall functions for traffic originating and ending in the same virtual network as well as in different networks. It uses the bump in the wire mode where the firewall instance does not change the packet format or Layer 2 header but applies Layer 7 policies on the packet.

Additionally, the host-based firewall feature uses tag-based policies to steer traffic. Tags are a simple and intuitive way of applying firewall intents and have the power to span multiple VNs, scale better, and can be attached at a VMI level as opposed to service chains. You can steer traffic towards the host-based firewall instance using tag-based policies. Policies are used to steer only specific traffic since the host-based firewall instance requires a fair amount of compute resources.

Also, host-based firewalls provide next-generation firewall functions closer to the workloads and can integrate with third-party firewall features.

Deploying Host-based Firewalls

Perform the following steps to deploy a host-based firewall. In this example we use Kubernetes as the orchestration platform since Kubernetes provides the flexibility to instantiate host-based firewall instances on selected compute nodes. The high-level list of steps are as follows:


Install a Contrail-Kubernetes setup by using either contrail-ansible deployer or Contrail Command. See Provisioning of Kubernetes Clusters or Installing Standalone Kubernetes Contrail Cluster using the Contrail Command UI.


Consider the following sample Contrail-Kubernetes topology and instances.yml file.

Figure 1: Sample Contrail-Kubernetes Topology
Sample Contrail-Kubernetes Topology

Sample instances.yaml file

Deployment Instructions

Step-by-Step Procedure

To deploy a host-based firewall.

  1. Create a namespace in Kubernetes. The namespace creates an equivalent project in Contrail.
    1. Create a namespace.
    2. Enable isolation on the namespace.
    3. Verify namespace creation.
  2. Label the compute nodes for the host-based firewall function.

    1. Get the list of compute nodes.
    2. Select the nodes for the host-based firewall function and label them.

      Where server is the Kubernetes node name and hbf is the label.

  3. Create a Kubernetes secret object in the namespace created earlier to pull the cSRX image.
  4. Create a hbs object in the previously created namespace.
    1. Create a python file with the following content and use the following command on the config_api Docker container.
  5. Create a daemonset for the host-based firewall instances. By default, host-based firewall instances run on all compute nodes. You can choose to run host-based firewall instances on specific compute nodes only by labeling them as shown in b. The host-based firewall instance has three interfaces. The traffic flows in to the left interface and firewall functions are performed on the packets and traffic flows out of the right interface. The management interface is the default pod network.
    1. Generate a ds.yaml file as shown in the following example to create a daemonset with the cSRX container image. The left and right interfaces are automatically created and link to the hbs object with 'left' and 'right' so that traffic flows marked for the host-based firewall are steered through the cSRX device. Note that, Kubernetes objects names and values can be changed as per your requirement.
    2. Create the Kubernetes objects which will in turn create a cSRX pod with the left and right interfaces on each compute node for each namespace.
    3. Verify the objects, daemonset, network attachment definitions, and the cSRX pods.
    4. Configure the cSRX pods of the daemonset on each compute node with the following configuration.
  6. Create a network policy between left and right interfaces using the vnc API or through Contrail Command.

    Network policies are necessary only for inter-virtual network traffic and not for intra-virtual network traffic.

  7. Create a firewall policy and enable host-based firewall for the firewall rules.

    Create tags, application policy sets (APS), as well as create Firewall Policy and Firewall Rule under project scoped rules. Enable host-based firewall on the firewall rules and set host_based_service = True.

  8. When the traffic goes through the host-based firewall, the cSRX on the corresponding compute nodes creates the host-based firewall flow and respective sessions.
Release History Table
Contrail Networking Release 2003 provides beta support for the host-based firewall feature which enables the creation of next generation firewalls using cSRX devices.