Configuring vGW Series Firewall Policies

This topic covers how to create a firewall policy for a VM composed of the corporate Global Policy, two Group Policies for the groups that the VM is a member of, and one VM Policy rule applicable to the individual VM.

It covers the preliminary tasks of defining the reusable Global Policy and a Group Policy for one of the groups that the VM is a member of.

Before you begin this procedure, read Understanding the vGW Series Firewall Module. The procedure for composing an overall policy for a VM includes these parts:

Create a reusable Global Policy to be used as part of the VM policies for all VMs in your environment.

Note: This example focuses on defining an inbound policy only. The process of defining outbound policy mirrors it.

  1. Define a Global Policy. From the Firewall module, select Global Policy under the Policy Groups section in the VM Tree.

    The Global Policy page appears. It contains Inbound and Outbound sections. Each section contains a high-level Global Policy section and a low-level Global Policy section with a placeholder for Group Policy rules and individual VM Policy rules in the middle. Figure 64 shows the Global Policy with its default policy rules.

    Figure 64: Default Global Policy

  2. Create an Inbound high-level Global Policy rule to prohibit use of Telnet.
    1. In the Inbound section, click Add in the # column under the first section labeled Global Policy to add a rule.
    2. For the Sources policy term, leave the default value Any unchanged.

      You want the rule to apply to all VMs.

    3. Click Any in the Protocols column, and enter telnet in the Filter box. The filter scrolls to telnet.
    4. Select telnet, and click the right arrow to move telnet from the All Protocols section to the Selected Protocols section. See Figure 65.

      Figure 65: Adding a Global Policy Rule to Reject Telnet Connection Attempts

    5. Click Allow in the Action column and select Reject from the Action options list. You want to reject all inbound Telnet connection attempts for all VMs in your environment.
    6. Leave the check mark default setting for Logging unchanged. Although they are rejected, you want to log any Telnet connection attempts.
  3. Leave the low-level Global Policy rule unchanged.

    By default, the last rule serves as a “clean-up” rule that catches all inbound connection attempts to this VM that have fallen through the rest of the policy rule base. It rejects them, and it specifies that vGW Series should create a log entry for the event.

  4. Click Save Policy.

Modify the Group Policy for the Windows VMs Policy Group to control rule execution precedence.

This procedure allows you to modify an existing Group Policy to change rule execution precedence. You want to ensure that a rule currently positioned in the low-level Group Policy section is not overridden by a VM Policy rule that might be inserted above it when an individual VM policy that includes the Group Policy is created. You want that rule to be executed before any VM Policy rules. To achieve that result, move the rule up from the low-level Group Policy section to the high-level Group Policy section.

Note: This example focuses on defining an Inbound policy only. An outbound policy definition process mirrors it.

  1. In the Policy Groups section of the VM tree, select Windows VMs.

    Notice that the high-level and low-level Group Policy sections are nested within the high-level and low-level Global Policy sections.

    indicates the placeholder for adding VM Policy rules at the center of the Group Policy section.

  2. Move the network management rule from the low-level Group Policy section to the high-level Group Policy section so that any VM Policy rule added later for an individual VM cannot override it. See .
  3. Click Save Policy.

Create a VM Policy for an individual VM.

This procedure covers how to create individual VM policy rules for the WWW-HR-IIS VM, which inherits the Global Policy and the Group Policies for the groups that it is a member of. An individual VM can belong to more than one Policy Group. When that is the case, the VM inherits the Group Policies for all of the Policy Groups that it belongs to. In this example, the WWW-HR-IIS VM is a member of two Policy Groups: WWW Servers and Windows VMs.

This example focuses on the Inbound section of the VM Policy.

  1. To display the VM Policy for the WWW-HR-IIS VM, select WWW-HR-IIS under Windows VMs in the Policy Groups section of the VM Tree.

    Tip: Because WWW-HR-IIS belongs to two groups, you can select it under either of its groups to display its VM Policy page.

    The VM Policy for WWW-HR-IIS page is composed of the following nested parts that were previously built:

    • the high-level and low-level Global Policy rules forming the outer layer of the nest.
    • a high-level Group Policy section below the high-level Global Policy. It states that the VM Policy contains two Policy Groups with a rule defined in only one of them.
    • a middle section called VM Policy for WWW-HR-IIS. You can add VM Policies specifically for the VM to this section.
    • the low-level Group Policy section that indicates that the VM belongs to two Policy Groups and that it inherits their Group Policies that include two rules.
    • the low-level Global Policy.

    Figure 66 shows the policy.

    Figure 66: VM Policy for an Individual VM

  2. To see the entire rule base for the VM, with the inherited policies expanded to show their rules, click show all in the upper-right corner of the page.

    See Figure 67.

    Figure 67: Complete VM Policy for an Individual VM

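The nesting order the VM Policy page shows, and the reason the Group Policy procedure moves the network management rule into the high-level Group Policy section, as an added Python model (not vGW Series code): rules are evaluated first-match in the order Global high-level, Group high-level, VM Policy, Group low-level, Global low-level. The rule contents, the use of SNMP for the network management rule and the source labels are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    """One policy row: Sources, Protocols, Action and the Logging check mark."""
    source: str              # "any" or a constructed source label
    protocol: str            # "any" or a protocol name
    action: str              # "allow" or "reject"
    log: bool = True         # logging is on by default, as in the page

    def matches(self, source, protocol):
        return self.source in ("any", source) and self.protocol in ("any", protocol)

# Constructed policy contents. The Global high-level rule is the Telnet reject from the
# procedure; the Global low-level rule is the default clean-up rule (reject, logged).
GLOBAL = {"high": [Rule("any", "telnet", "reject")],
          "low":  [Rule("any", "any", "reject")]}
# Network management rule (assumed SNMP) already moved to the Windows VMs high-level section.
GROUPS = {
    "Windows VMs": {"high": [Rule("mgmt-net", "snmp", "allow")], "low": []},
    "WWW Servers": {"high": [], "low": [Rule("any", "http", "allow")]},
}
VM_MEMBERSHIP = {"WWW-HR-IIS": ["WWW Servers", "Windows VMs"]}

def compose_inbound(vm, vm_rules, global_policy=GLOBAL, groups=GROUPS):
    """Build the ordered inbound rule base for a VM: Global high, each Group high,
    the VM's own rules, each Group low, Global low. Returns (section, rule) pairs."""
    members = VM_MEMBERSHIP[vm]
    base = [("global-high", r) for r in global_policy["high"]]
    for g in members:
        base += [(g + "-high", r) for r in groups[g]["high"]]
    base += [("vm", r) for r in vm_rules]
    for g in members:
        base += [(g + "-low", r) for r in groups[g]["low"]]
    base += [("global-low", r) for r in global_policy["low"]]
    return base

def evaluate(rule_base, source, protocol):
    """First-match evaluation; returns (section, action, logged) of the matching rule."""
    for section, rule in rule_base:
        if rule.matches(source, protocol):
            return section, rule.action, rule.log
    raise RuntimeError("no clean-up rule reached")

if __name__ == "__main__":
    # A VM rule allowing Telnet from an admin host cannot undo the Global high-level reject.
    vm_rules = [Rule("admin-host", "telnet", "allow"), Rule("mgmt-net", "snmp", "reject")]
    for src, proto in [("admin-host", "telnet"), ("mgmt-net", "snmp"), ("client", "ssh")]:
        print(src, proto, evaluate(compose_inbound("WWW-HR-IIS", vm_rules), src, proto))
```

Passing a groups dictionary with the network management rule still in the low-level section shows the VM rule winning instead, which is the override the procedure above prevents.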

Apply the VM Policy.

When you define a firewall policy for a VM, it is not automatically applied. You must use the Firewall module Manage Policy tab to install it. This procedure installs a firewall policy for a single VM: AltorMiniLinux3.

  1. Select the Firewall module. Select All Machines in the VM Tree. The following page is displayed.
  2. Select the VM and click Install. In this example, All Machines is selected. After the firewall policy is installed on the VMs, the message shown in the following figure is displayed.
