Configure the VM-Series Firewall for Securing Outbound Access from the VPC
The Mgmt-FW in this use case is the VM-Series firewall that secures inbound management traffic, such as infrastructure updates that include DNS and apt-get updates for all web servers. This firewall is also the default gateway for all outbound traffic from the web farm to the internet.
- Allocate and assign Elastic IP Addresses.
- Log in to the web interface of the VM-Series firewall using the Elastic IP Address assigned to the management interface.
- Configure the network interfaces. Select Network > Interfaces > Ethernet and click the links to configure ethernet1/1 and ethernet1/2.
  - Configure a DHCP client on each interface and create and attach security zones to each interface.
  - When configuring the interface that is connected to the web farm (ethernet1/2 in this use case), clear the Automatically create default route to default gateway provided by server check box. For an interface that is attached to the private subnet in the VPC, disabling this option ensures that traffic handled by this interface does not flow directly to the internet gateway on the VPC.
- Create service objects and a service group. A service object allows you to specify the port number that an application can use if you plan to use a non-default port for an application. You use these objects in NAT policy (step 7) so that the firewall can perform port translation to route traffic properly.
  - Select Objects > Services and Add the service objects to enable TCP access to the web servers on ports 10000, 10001, 10002, and 10003.
  - Combine these service objects into a service group. Select Objects > Service Groups and Add a service group named Webserver_Services, then Add Web1, Web2, Web3, and Web4 to the group.
- Define security policy for sanctioned applications. For example, allow SSH for inbound management and allow application and DNS updates to the web servers in the VPC. Because this use case employs non-default ports for SSH access, change the Service for SSH Management from ‘application-default’ to ‘Webserver_Services’ (the service group created in the last step) to define the ports that provide access to the web servers.
- Define NAT policy rules. These rules ensure that the firewall performs IP address and port translation and secures all inbound and outbound traffic on the web server farm.
  - Create NAT rules for permitting inbound access to each web server. You need to enable destination translation to the service objects you defined earlier for each web server.
  - Create an outbound NAT rule that allows internet access for the web servers in the VPC. This rule allows the firewall to translate the source IP address as the public-facing interface on the management firewall. The AWS internet gateway then translates the private IP address to the Elastic IP Address associated with the interface for routing the traffic to the internet.
- To ensure that traffic is routed properly to the firewall, perform the following tasks on the AWS management console:
  - Disable source and destination checks on the dataplane network interface(s) assigned to the firewall. Disabling this option allows the interface to handle network traffic that is not destined to the IP address assigned to the interface. Select the network interface in the Network Interfaces tab on the EC2 Dashboard, for example eth1/1, and in the Action drop-down, select Change Source/Dest. Check. Click Disabled and Save your changes.
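The service objects, service group, NAT rules and the SSH Management policy described in the steps above can be sanity-checked offline before anything is committed on the firewall. The following Python model is an added example, not Palo Alto Networks code and not the firewall's own data model: it encodes the first-match NAT logic and the pre-NAT service match of the security policy so the port-to-server mapping can be verified. The interface and web server addresses, the SSH target port (22) and the rule names are constructed assumptions; the service object names, ports and the group name come from the page.

```python
"""Offline model of the inbound destination-NAT / outbound source-NAT design.

Added example, not PAN-OS code. Addresses, rule names and the SSH port are
constructed assumptions; service objects and the group are from the page.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed addresses (assumptions). The firewall sees the private IP of its
# public-facing interface; the AWS internet gateway maps it to the Elastic IP.
FW_PUBLIC_IF = "10.0.0.10"               # ethernet1/1
WEB_SUBNET = ip_network("10.0.1.0/24")   # private subnet behind ethernet1/2
SSH_PORT = 22                            # assumed real SSH port on the web servers

# Service objects and service group as defined in the steps above.
SERVICE_OBJECTS = {"Web1": 10000, "Web2": 10001, "Web3": 10002, "Web4": 10003}
SERVICE_GROUPS = {"Webserver_Services": ["Web1", "Web2", "Web3", "Web4"]}

# Constructed private IPs of the web servers, one per service object.
WEB_SERVERS = {"Web1": "10.0.1.11", "Web2": "10.0.1.12",
               "Web3": "10.0.1.13", "Web4": "10.0.1.14"}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class NatRule:
    name: str
    match_dst_ip: Optional[str]       # None matches any destination
    match_dst_port: Optional[int]     # pre-NAT port, i.e. the service object
    match_src_net: Optional[object]   # ip_network or None
    translated_dst: Optional[tuple]   # (ip, port) for destination translation
    translated_src: Optional[str]     # ip for source translation


def build_nat_rules():
    """One inbound destination-NAT rule per web server, then the outbound
    source-NAT rule for the web farm. Order matters: first match wins."""
    rules = []
    for name, port in SERVICE_OBJECTS.items():
        rules.append(NatRule(f"Inbound-{name}", FW_PUBLIC_IF, port, None,
                             (WEB_SERVERS[name], SSH_PORT), None))
    rules.append(NatRule("Outbound-Webfarm", None, None, WEB_SUBNET,
                         None, FW_PUBLIC_IF))
    return rules


def apply_nat(flow, rules):
    """Return (rule name, translated flow) for the first matching rule, else None."""
    for r in rules:
        if r.match_dst_ip is not None and flow.dst_ip != r.match_dst_ip:
            continue
        if r.match_dst_port is not None and flow.dst_port != r.match_dst_port:
            continue
        if r.match_src_net is not None and ip_address(flow.src_ip) not in r.match_src_net:
            continue
        dst_ip, dst_port = r.translated_dst or (flow.dst_ip, flow.dst_port)
        src_ip = r.translated_src or flow.src_ip
        return r.name, Flow(src_ip, flow.src_port, dst_ip, dst_port)
    return None


def group_ports(group_name):
    """Ports covered by a service group, resolved through its member objects."""
    return {SERVICE_OBJECTS[m] for m in SERVICE_GROUPS[group_name]}


def ssh_management_allowed(flow):
    """'SSH Management' policy with Service = Webserver_Services. Security policy
    matches the pre-NAT destination port, so only the four non-default ports
    are reachable; SSH to the default port 22 on the public interface is not."""
    return flow.dst_ip == FW_PUBLIC_IF and flow.dst_port in group_ports("Webserver_Services")


if __name__ == "__main__":
    rules = build_nat_rules()
    for f in (Flow("203.0.113.5", 40000, FW_PUBLIC_IF, 10001),   # inbound to Web2
              Flow("203.0.113.5", 40000, FW_PUBLIC_IF, 22),      # default port, no rule
              Flow("10.0.1.13", 51000, "198.51.100.7", 443)):    # Web3 going out
        verdict = "allowed" if ssh_management_allowed(f) else "no SSH policy match"
        print(f, "->", verdict, apply_nat(f, rules))
```

The second sample flow is the point of using a service group instead of application-default: a connection to the public interface on port 22 matches neither a NAT rule nor the SSH Management policy, so only the four explicitly defined ports reach the web servers.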
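A forgotten source/destination check on a dataplane interface is a common reason the firewall silently drops the web farm's forwarded traffic, so it is worth auditing rather than relying on the console click. The following Python script is an added example, not AWS or Palo Alto Networks code: it consumes the JSON shape that `aws ec2 describe-network-interfaces` returns and lists dataplane ENIs whose check is still enabled. The sample output, the ENI ids and the `mgmt-fw-eth` Name-tag convention used to tell dataplane interfaces from the management interface are constructed assumptions.

```python
"""Audit the source/destination check on the firewall's dataplane ENIs.

Added example, not AWS CLI or PAN-OS code. The sample JSON below is constructed
in the shape of `aws ec2 describe-network-interfaces` output; the ENI ids and the
Name-tag convention are placeholders.
"""
import json

# Constructed sample: a management ENI plus the two dataplane ENIs (ethernet1/1
# and ethernet1/2). The check was only disabled on one of the dataplane ENIs.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "NetworkInterfaces": [
        {"NetworkInterfaceId": "eni-0aaa000000000001", "SourceDestCheck": True,
         "Description": "Mgmt-FW management",
         "TagSet": [{"Key": "Name", "Value": "mgmt-fw-mgmt"}]},
        {"NetworkInterfaceId": "eni-0aaa000000000002", "SourceDestCheck": False,
         "Description": "Mgmt-FW ethernet1/1",
         "TagSet": [{"Key": "Name", "Value": "mgmt-fw-eth1-1"}]},
        {"NetworkInterfaceId": "eni-0aaa000000000003", "SourceDestCheck": True,
         "Description": "Mgmt-FW ethernet1/2",
         "TagSet": [{"Key": "Name", "Value": "mgmt-fw-eth1-2"}]},
    ]
})

DATAPLANE_NAME_PREFIX = "mgmt-fw-eth"   # assumed naming convention for dataplane ENIs


def eni_name(eni):
    """Value of the Name tag, or an empty string if the ENI is untagged."""
    for tag in eni.get("TagSet", []):
        if tag.get("Key") == "Name":
            return tag.get("Value", "")
    return ""


def find_noncompliant(describe_json, name_prefix=DATAPLANE_NAME_PREFIX):
    """Return ids of dataplane ENIs that still have SourceDestCheck enabled.
    The management ENI is left out: only interfaces that forward traffic for
    other addresses need the check disabled."""
    data = json.loads(describe_json)
    bad = []
    for eni in data.get("NetworkInterfaces", []):
        if not eni_name(eni).startswith(name_prefix):
            continue
        # Missing attribute is treated as enabled, the AWS default for a new ENI.
        if eni.get("SourceDestCheck", True):
            bad.append(eni["NetworkInterfaceId"])
    return bad


def remediation_commands(eni_ids):
    """AWS CLI commands equivalent to the console step described above."""
    return [f"aws ec2 modify-network-interface-attribute "
            f"--network-interface-id {eni_id} --no-source-dest-check"
            for eni_id in eni_ids]


if __name__ == "__main__":
    # In practice feed in: aws ec2 describe-network-interfaces --output json
    for cmd in remediation_commands(find_noncompliant(SAMPLE_DESCRIBE_OUTPUT)):
        print(cmd)
```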