
How to Edit / Add Firewall Rules via Portal

Description

This page explains how to do the following in the Portal:

  • How to configure new firewall rules
  • How to edit existing firewall rules

What are Firewall Rules?

Firewall Rules configure what traffic is allowed or denied prior to returning to the customer's data center. Note: Customers can only make firewall rules for IP space that they own as part of their account.

The firewall filters are evaluated in the context of each connection and either permit or deny traffic based on:

  • IP Source / Destination including prefix matching
  • Destination and source Ports including ranges 
  • Protocol types (UDP/TCP etc)

For TCP traffic, the context established via the first packet of a TCP session must match all subsequent packets in order for the session to remain active.

Proxy Configurations are default-deny on the Silverline infrastructure (ports and protocols are opened per Proxy deployment); this Firewall functionality is for routed services only. 

 

Environment

  • Routed DDoS

NOTE: Firewall Rules do not apply to Proxy customers. An iRule should be leveraged for any Proxy-specific use cases. See iRules in Silverline: Scope of Support.

 

Procedure 

1. Navigate to Config > Routed Configuration > Firewall Rules


2. Review the current list of Firewall Rules for IPv4 and IPv6 (2 separate tabs).

The columns are described below.

Column Title: Column Description

ID: Unique Firewall Rule identification number

Source Prefix: Source IP prefix. "All" means rule applies to all source prefixes.

Destination Prefix: Destination IP prefix, inside of the range of addresses being advertised by Silverline. "All" means rule applies to all destination prefixes.

Protocol: Protocol (i.e. TCP or UDP) that rule applies to. "All" means rule applies to all protocols.

Source Port: If Source ports are relevant to the selected protocol, this shows the port range that the rule applies to. "All" means rule applies to all ports for that protocol.

Destination Port: If Destination ports are relevant to the selected protocol, this shows the port range that the rule applies to. "All" means rule applies to all ports for that protocol.

Description: Any custom description the rule creator entered.

Action: Shows whether the firewall rule will Allow or Deny incoming traffic.

  • If set to Allow, the relevant traffic is allowed and logged.
  • If set to Deny, the relevant traffic is blocked and logged.

State: Shows whether the firewall rule is On or Off. The firewall rule must be On to start logging or blocking the desired traffic. Firewall rules must be individually turned on or off.

Fragments: Shows whether the firewall rule will Allow or Deny fragments (for applicable protocols).

  • If set to Allow, fragments are allowed and logged.
  • If set to Deny, fragments are blocked and logged.

 

3. To Edit or Delete firewall rules, click the 3-dot menu next to the desired firewall rule.


  • Edit:
    • Go to step 5 for details on Configuration Options.
    • Go to step 6 for instructions on deploying edits to production. Users can now deploy firewall rules without SOC intervention for any rule edits to take effect.
  •  Delete:
    • Skip to step 6 for instructions on deploying deletions to production. Users can now deploy firewall rules without SOC intervention for any rule deletions to take effect.

4. To Add a new firewall rule, click the blue Add button in the upper-right.

5. Fill in the information for the new firewall rule (the fields are described below) and click Save. See step 6 for instructions on deploying new rules to production. Users can now deploy firewall rules without SOC intervention for the newly created rules to take effect.

Prefix Configuration

Source Prefix: Enter an IP prefix in the format of 1.2.3.0/24 (or relevant mask). Check the "All Prefixes" box to apply the rule to all source prefixes.

Destination Prefix: Enter an IP prefix in the format of 1.2.3.0/24 (or relevant mask). This is the destination prefix(es) inside of the range of addresses being advertised by Silverline. Check the "All Prefixes" box to apply the rule to all destination prefixes.

Protocol: Select either All Protocols, or select a protocol such as TCP or UDP. Note: The Port Configuration section only appears when a relevant Protocol is selected. i.e. it appears with TCP but not with ICMP.

Options

Action: Choose whether the firewall rule will Allow or Deny incoming traffic.

  • If set to Allow, the relevant traffic is allowed and logged.
  • If set to Deny, the relevant traffic is blocked and logged.

State: Choose whether the firewall rule is On or Off. The firewall rule must be On to start logging or blocking the desired traffic.

Fragments: Choose whether the firewall rule will Allow or Deny fragments (for applicable protocols).

  • If set to Allow, fragments are allowed and logged.
  • If set to Deny, fragments are blocked and logged.

Port Configuration

Note: This section only appears when a relevant Protocol is selected above. i.e. it appears with TCP but not with ICMP.

Source Port / Range Start: Enter a port range start value if you have elected to use a specific protocol. Enter any number between 1 and 65534.

Destination Port Range Start: As above, but for the destination port.

Source Port End: (optional) Port Range end number.

Destination Port End: (optional) Port Range end number.

Description: Optional internal notes on firewall rule.
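
A pre-entry check for a planned rule, as an added example (not F5/Silverline code and not the Portal's own validation): it applies the field constraints described above (prefix format, destination inside an advertised prefix, ports between 1 and 65534, ports only with a port-bearing protocol). The dict keys, the `lint_rule` name, the sample prefixes, treating UDP as port-bearing, and requiring zeroed host bits are assumptions.

```python
import ipaddress

# Assumption: ports apply to TCP and UDP (the page shows them for TCP, not ICMP).
PORT_PROTOCOLS = {"TCP", "UDP"}
PORT_MIN, PORT_MAX = 1, 65534  # range stated on this page

def _prefix(text, errors, label):
    # "All" stands for the "All Prefixes" checkbox.
    if text == "All":
        return None
    try:
        return ipaddress.ip_network(text, strict=True)  # strict: host bits must be zero
    except ValueError as exc:
        errors.append(f"{label}: {exc}")
        return None

def _ports(start, end, errors, label):
    if start is None:
        if end is not None:
            errors.append(f"{label}: range end given without a start")
        return
    end = start if end is None else end
    if not PORT_MIN <= start <= end <= PORT_MAX:
        errors.append(f"{label}: {start}-{end} is reversed or outside {PORT_MIN}-{PORT_MAX}")

def lint_rule(rule, advertised):
    """Return the problems found in a planned rule; an empty list means none."""
    errors = []
    src = _prefix(rule.get("src", "All"), errors, "source prefix")
    dst = _prefix(rule.get("dst", "All"), errors, "destination prefix")
    if src is not None and dst is not None and src.version != dst.version:
        errors.append("source and destination mix IPv4 and IPv6 (separate tabs)")
    nets = [ipaddress.ip_network(p) for p in advertised]
    if dst is not None and not any(dst.version == n.version and dst.subnet_of(n) for n in nets):
        errors.append(f"destination {dst} is not inside an advertised prefix")
    proto = rule.get("proto", "All")
    if proto not in PORT_PROTOCOLS and any("_port_" in k and v is not None for k, v in rule.items()):
        errors.append(f"ports set, but protocol {proto} has no Port Configuration section")
    _ports(rule.get("src_port_start"), rule.get("src_port_end"), errors, "source port")
    _ports(rule.get("dst_port_start"), rule.get("dst_port_end"), errors, "destination port")
    return errors

# Constructed sample input: documentation address ranges, not real customer space.
ADVERTISED = ["203.0.113.0/24", "2001:db8:100::/48"]
GOOD = {"src": "All", "dst": "203.0.113.16/28", "proto": "TCP", "dst_port_start": 443}
BAD = {"src": "198.51.100.7/24", "dst": "192.0.2.0/24", "proto": "ICMP", "dst_port_start": 65535}

if __name__ == "__main__":
    print(lint_rule(GOOD, ADVERTISED), lint_rule(BAD, ADVERTISED), sep="\n")
```
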

 

6. After any changes to a firewall rule (added, edited, or deleted), click Deploy.

  • Recommendation: customers can review any firewall changes by navigating to "Audit" in the top menu bar and clicking on "Activity Log".
    • After selecting "Activity Log", all changes made by users will be shown. To filter the firewall rule changes, select "Firewall Rule" from the "Type" drop-down menu.

7. Once deployed, any traffic traversing the Silverline firewall is subject to the enabled firewall rules. 

8. Recommendation: After configuration, go to Stats > Firewall Rules to check that your firewall rules are working as desired.

9. If there are questions about the configured firewall rules, see Contact SOC / Contact Silverline Support.

 

 
