The Mgmt-FW in this use case is the VM-Series firewall that secures inbound management traffic, such as infrastructure updates that include DNS and apt-get updates for all web servers. This firewall is also the default gateway for all outbound traffic from the web farm to the internet.
Configure the VM-Series Firewall that Secures Outbound Access
Allocate and assign Elastic IP Addresses.
This use case requires one Elastic IP Address for the management interface of the VM-Series firewall and one for the dataplane interface that allows internet access from the VPC. See
Log in to the web interface of the VM-Series firewall using the Elastic IP Address assigned to the management interface.
Configure the network interfaces. Select
Network > Interfaces > Ethernet
and click the links to configure ethernet1/1 and ethernet1/2.
Configure a DHCP client on each interface and create and attach security zones to each interface.
When configuring the interface that is connected to the web farm (ethernet1/2 in this use case), clear the check box to
Automatically create default route to default gateway provided by server. For an interface that is attached to the private subnet in the VPC, disabling this option ensures that traffic handled by this interface does not flow directly to the internet gateway on the VPC.
Create service objects and a service group.
A service object allows you to specify the port number that an applications can useif you plan to usea non-default port for an application. You use these objects in NAT policy (
Step 7) so that the firewall can perform port translation to route traffic properly.
Objects > Services
the service objects to enable TCP access to the web servers on ports 10000, 10001, 10002, and 10003.
Combine these service objects into a service group. Select
Objects > Service Groups
a service group named Webserver_Services and
Web1, Web 2, Web3, and Web4 to the group.
Define security policy for sanctioned applications.
For example, allow SSH for inbound management and allow application and DNS updates to the web servers in the VPC. Because this use case employs non-default ports for SSH access, change the Service for SSH Management from ‘application-default’ to ‘Webserver_Services’ (the service group created in the last step) to define the ports thatprovide access to the web servers.
Define NAT policy rules. These rules ensure that the firewall performs IP address and port translation and secures all inbound and outbound traffic on the web server farm.
Create NAT rules for permitting inbound access to each web server. You need to enable destination translation to the service objects you defined earlier for each web server.
Create an outbound NAT rule that allows internet access for the web servers in the VPC. This rule allows the firewall to translate the source IP address as the public-facing interface on the management firewall. The AWS internet gateway then translates the private IP address to the Elastic IP Address associated with the interface for routing the traffic to the internet.
Port Translation for Service Objects for details on how the firewall performs IP address and port translation to properly route traffic.
To ensure that traffic is routed properly to the firewall, perform the following tasks on the AWS management console:
Create a route table for the web farm subnet and add a new route that directs all traffic from the web farm to the ENI that is attached to the web server subnet on the VM-Series firewall (Mgmt-FW).See
Disable source and destination checks on the dataplane network interface(s) assigned to the firewall. Disabling this option allows the interface to handle network traffic that is not destined to the IP address assigned to the interface. Select the network interface in the
tab on the EC2 Dashboard, for example eth1/1, and in the
Change Source/Dest. Check. Click