[Sangfor HCI]Distributed Firewall 설명(YouTube자막)
Sangfor aCloud Distributed firewall configuration guide
In this video we will talk about how to configure distributed firewall.
The purpose of the distributed firewall is to allow administrator to apply access control for their internal virtual machine or network device.
The firewall access control list can be configured based on single IP address, IP group, specified virtual machine or VM tags.
To use a distributed firewall, requires to enable it in the network virtualization aNET authorization.
To apply firewall rule to the VM, an IP address must be configured in the VM.
Next I will show a simple case study for better understanding.
For the case study,
- customer environment might have security risk because the server and VM directly connected to the edge interface.
- An Outsider might use the PING command to discover the internal server’s IP address.
- In this scenario, Distributed Firewall can be configured to enhance security.
- When outsider trying to use PING command
- Distributed Firewall will take effect to block the PING command
- On other hands, also can be used to prevent internal user Win7 to use PING command.
Next, I will show you how to configure Distributed Ffirewall.
Go to “Networking”.
Select “Distributed Firewall”.
The default policy will be auto generated and allow all sources to access all the destination with all services.
It can change to “Reject” action, but not allow to “Disable”.
Next, click “New” to create a new policy.
Enter the policy name.
For the “Match Clause”, requires to specify the source and destination.
Tthere are 3 options can be selected.
First option, “any IP address”.
Second option, “Specified IP address”. It can divide into two sub options “IP Groups” and “IP Addresses”.
For the “IP Groups”, it can create a group for the IP range.
Enter the Name, Description and IP range.
The format can be IP address, IP range and subnet.
Click “OK”.
For the IP addresses, the format can be IP address, IP range and subnet.
Enter the IP address and click “OK”.
Third option, “Specified virtual machines”.
You can specify the virtual machine, VM Group or VM Tag.
To specify the virtual machine, require to select the VM.
For the VM Group, all the VM under the group will be selected.
For the VM Tag, you can add a new Tag or select previous Tag.
The Tag here referring to the tag assigned to the VM.
For demo purpose, I will select Windows 7 as source.
And Windows server 2016 as destination.
For the services, you may select the predefined service or create a custom service.
Click “New” to create a custom service.
Enter the “Name”, select the “Protocol”, enter the “Port” number.
After creating the custom service, you are able to delete it.
I will select ping service for demo purpose.
Next, select “Reject” action.
Click “OK” to save it.
The policy can be deleted by clicking “Delete”.
It follows the standard access control top-down approaches.
This indicates top policy will be applied first before goes the second policy.
You can click on “Move Up” and “Move Down” to move the policy.
For the IP Group, you can edit and delete the existing group.
Also you can create a new group.
The policy can be filtered by IP Address, the Virtual Machine, VM Group and
Tag.
After configuring filter, it will display the policy in which the source or destination related to the IP address.
You can click on “Exit” to exit the filter.
Next, go to “Dropped Packet Logging”.
For the logging, it will display the traffic blocked by the firewall policy.
You can select “All” or “Specified” the IP address.
By “Enable Passthrough”, it will allow traffic to bypass the firewall policy.
Click “OK”.
You can click on “Close” to exit logging.
How to test whether firewall policy work
Open “CMD” and PING to the server.
The results show PING successfully.
Next, create a firewall policy and set to “Reject” action.
PING to the server again.
The results show the PING failed
To prove it is blocked by firewall.
Go to enable “Dropped Packet Logging”.
Enter the IP address and click “OK”.
PING to the server again.
The results show the PING failed.
Next, check on the “Dropped Packet Logging”.
The log shows the PING traffic was blocked by the firewall.
In the end of this tutorial, we have learned on how to configure Distributed Firewall, how to test whether the policy work.
