# Firewalls

# New firewall/Cluster

# New Firewall

To create a new firewall, just right click on the Firewalls/clusters tree root node and select New firewall from the menu.

New Firewall

You will be presented with a form in which you should enter the name of your new firewall. You can also fill in the Description and the SSH credentials.

FWCloud requires SSH access to the firewall to manage it. When FWCloud needs access to this firewall it will use the SSH User and Password credentials defined here. If you don't supply these credentials, they will be requested when needed.

WARNING

For security, you can leave the password field blank; the password will then be asked for every time it is needed.

SSH credentials

The SSH credentials sent from FWCloud-UI to FWCloud-API are encrypted using strong PGP public key cryptography, with key pairs generated on the fly for each session.

New Firewall Form

The security policy is loaded into the firewall using an SSH connection. Therefore, we need to have SSH access from the FWCloud server to the destination firewall. For this connection, the IP address assigned to the interface configured in the firewall will be used.

If your firewall is outside your premises, just use SSH over a VPN connection. In the VPN section you can see how easy it is to create a VPN infrastructure using FWCloud-UI.

The firewall settings can be modified at any moment by double clicking the firewall or by right-clicking and selecting Edit firewall from the context menu.

Edit Firewall

In the firewall settings you can select the interface and IP address that FWCloud-UI will use to reach the firewall.

Edit Firewall Form

# New Cluster of Firewalls

To create a new cluster of firewalls just right click and select New cluster from the context menu.

New Cluster

Give a name to the cluster and add as many nodes as your cluster has and save the changes.

New Cluster Form

The cluster settings can be modified at any time by double clicking on the cluster name, or by right-clicking and selecting Edit from the context menu.

The settings of any of the nodes can also be changed by double clicking on the node name.

# New Folder

For organizational purposes, Folders can be created. Inside them you can place your firewalls, clusters of firewalls and even more folders; just drag and drop.

Folders, like many other elements in the FWCloud-UI, can be collapsed or expanded to better focus on the parts you are working on.

You can rename or remove any folder. In order to remove a folder it has to be empty.

WARNING

In order to remove a folder it needs to be empty.

# Firewall Interfaces

# Interfaces

When configuring the firewall or firewalls cluster you have to set up its network interfaces.

You do not need to set up all interfaces; for simplicity, you only need to define the ones that are going to be used by the firewall's policy. However, in order to install the policy in the firewall, at least one interface needs to be defined. The loopback interface is automatically defined when a new firewall is created. It can be used if FWCloud and the firewall you are configuring are going to run on the same device. To select which interface will be used, edit the settings of the firewall (see the Firewall section).

To add a new interface just right click over Interfaces and select New interface.

New Interface

A form pops up where you can set up the object name (that is, the interface name, such as eth0 or ens1), a label, the MAC address and a comment. Only the interface name is mandatory. Since this name can be included in the policy, please use the real interface name of your device; otherwise the affected policy rules will not do what they are intended to do.

New Interface Form

The name of interface matters

The name of the interface can be used in some of your security policy rules.

LABEL your interfaces

If you want something more informative than the name of the interface then use the label field. Example labels: WAN1, WAN2, DMZ, LAN1, LAN2, etc.

To simplify the tedious process of creating firewall interfaces and IP addresses, FWCloud has a very powerful feature called Autodiscover. It connects to the firewall over SSH and automatically retrieves, and creates in FWCloud, all the interfaces and IP addresses the firewall has.

Once interfaces are added, they can be edited, duplicated or deleted. Right click on the interface name to get the context menu. In this menu there is also a convenient action called Where use. It takes you to the policy rules or objects that use the selected interface, which comes in very handy for finding a rule.

Interfaces can have IP addresses configured. They are set up by right clicking on the interface and selecting New IP address.

New IP Address

New IP Address Form

# Autodiscover

FWCloud has a very handy utility for the automatic discovery of the interfaces and IP addresses a firewall actually has, transferring them into the FWCloud configuration. When you are doing the initial configuration it can save you a lot of time and, more importantly, it avoids any misspelling in the data.

New interfaces or IPs

You can use the "Autodiscover" feature every time you add new interfaces and/or IPs to your firewall/cluster, as an easy way to incorporate them into FWCloud.

To access this utility double click on the firewall name and go to the Interfaces/IPs tab in the pop up window.

Edit Firewall Tab 2

Select the filters you want to apply and press the Discover button. On the left side, the new items discovered according to the applied filters will appear in a tree-shaped representation.

Discover select

If you hover the mouse over an interface name, a pencil icon appears; click on it to modify the properties of the interface or the IP address.

From this section it is also possible to select the IP address that will be used for firewall management. If you are editing a cluster, you will be able to select the install IP for each cluster node.

In the "Autodiscover" tree select the items that you want to incorporate in your FWCloud firewall and, when you press the Save changes button, all the changes will be applied to the firewall/cluster you are editing.

Discover selected

A new window shows a summary of the actions performed, and the new interfaces and IP addresses are now part of your firewall configuration. You can edit them or perform any of the actions available for interfaces.

Discover summary

Let's now see the "Autodiscover" utility in action:

As explained, this utility is also quite useful on firewall clusters:

# Compile

# Compile One Firewall

The policy rules of the firewall need to be compiled before being installed into the firewall. That is, we manage the firewall policy offline and, when ready, upload it to the corresponding firewall or firewall cluster nodes.

Icons

An orange C at the left of the firewall's name indicates that the firewall policy needs to be compiled.

This action will generate all iptables rules and chains needed by the policy specified graphically in the policy panel.

Compile Firewall

Select the Compile option in the firewall menu and hit Next.

Compile Firewall Form

If no problems occur, a green message will confirm success.

Successfully Compiled

# Compile a Firewall Cluster

If we have a firewall cluster, we do not need to compile the rules for the nodes individually, the rules will be compiled once and installed on all nodes in the cluster.

Compile Cluster Form

# Compile All Firewalls

Instead of compiling all firewalls one by one we can save time and do it all together.

From the menu option all firewalls and clusters within the managed cloud can be compiled.

Compile All

Alternatively, use the upper button.

Compile All button

We will be presented with a form where we can select the firewalls and clusters we want to compile.

Compile All Firewalls Form

Then proceed with the compilation.

Successfully Compiled All

See also the Compile One Firewall section.

# Install

# Install Firewall

The security policy you have defined in FWCloud-UI needs to be installed in the firewall (or nodes that make up a firewalls cluster).

Icons

An orange I at the left side of the firewall's name indicates there are changes in the policy pending installation.

Install Firewall

Before installing it you need to compile the policy. This can be done by selecting the Compile option in the firewall menu, or directly when installing by ticking the Compile checkbox. If the firewall requires policy compilation, the checkbox will be checked automatically.

Install Firewall Form

FWCloud will install the compiled policy script in the destination firewall by means of SSH, using the IP address you have set up in the firewall configuration. This address can be modified by editing the firewall settings.

If no interface is set, the firewall will not be reachable and you will get an error.

Error No Interfaces

Before the installation begins you will be asked to supply the SSH username and the password if not saved in the firewall's configuration. For security reasons we recommend not to save it.

Once done, you can see the result of the installation process.

Successfully Installed

# Install a Firewall Cluster

If we have a firewall cluster, we do not need to install the rules for the nodes individually, the rules will be compiled once and installed on all nodes in the cluster.

Install Cluster Form

# Install All FWs

Instead of installing all firewalls one by one you can save time and do it all together.

From the menu option all firewalls and clusters within the managed cloud can be installed.

Install All

Alternatively, use the upper button.

Install All button

You can select which firewalls or clusters of firewalls you want to install.

All Install Form

The SSH username and password of each firewall will be asked for if they are not saved in the firewall's configuration. For security reasons we recommend not saving them.

You can review the result of the installation processes.

All Successfully Installed

See also the How to install the policy of a Firewall section.

# Other actions

# Edit Firewall

You can edit the settings of the firewall by double clicking on the name of the firewall, or by right-clicking on it and selecting Edit firewall.

Edit Firewall

A new window with three tabs pops up. The first tab is named "Configuration". Here you can change the name of your firewall, add a description, and change the username and password used to access the firewall when installing the policy or the VPN configurations. Next to this field you have the Discover interfaces button. You can use it to discover the interfaces and IP addresses the firewall has: FWCloud-UI will connect to the firewall using SSH and take you to the next tab, showing the network information obtained. Finally, in this tab you can select the interface, IP address and port used to reach the firewall.

Edit Firewall Tab 1

In the second tab, named "Interfaces/IPs", you can see a tree with all the network interfaces and IP addresses of the firewall or cluster of firewalls. If the firewall is being configured for the first time, it will only show the loopback interface until you perform a discover or manually add more interfaces. When hovering the mouse over an interface name, a pencil icon appears; click on it to modify the properties of the interface or the IP address. In this tab there is also a handy utility to discover the interfaces and IP addresses your firewall actually has and copy them into the firewall configuration in FWCloud-UI. See the Autodiscover section above.

Edit Firewall Tab 2

In the third tab, "Options" you can set up several firewall options.

Edit Firewall Tab 3

You can decide whether you want a stateless or a stateful firewall. A stateful firewall is able to track the state of connections, so you can use the conntrack module and the ctstate option in the security policy rules. By default, when a new firewall is created in FWCloud-UI the Stateful firewall option is set, and traffic belonging to established and related connections is allowed by the security policy. This option can also be set at rule level; see the Edit rule section.

You can also enable or disable forwarding of traffic from one interface to another. By default it is enabled for IP version 4 and disabled for IP version 6.

If you are having problems installing the security policy on the firewall, checking the Activate debugging on policy script option helps with troubleshooting: the code executed and the output of the policy installation script will be displayed.

Installation debug

With the Activate logging in all rules option, traffic matching the rules of the policy is logged to the syslog file of the firewall, with a limit of 60 packets per minute. Each record is prefixed with "RULE ID xxx", where xxx is the number of the rule being hit. Logging packets only for a particular rule is also possible; see the Edit rule section.
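As an added example (not part of FWCloud), a small log parser that aggregates the "RULE ID xxx" entries per rule from the firewall's syslog, the kind of check you would run to verify that logging works or to see which rules are being hit and by which flows. The syslog lines are constructed for this example; the field names (SRC, DST, PROTO, DPT) are those written by the netfilter LOG target.

```python
import re
from collections import Counter, defaultdict

# Prefix written by the LOG target when "Activate logging in all rules" is on.
RULE_RE = re.compile(r"RULE ID (?P<rule>\d+)")
# KEY=VALUE fields appended by the netfilter LOG target (OUT= may be empty).
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")

# Constructed syslog excerpt for this example; not taken from a real firewall.
SAMPLE_LOG = """\
Jan 12 10:00:01 fw1 kernel: RULE ID 12 IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=44321 DPT=22 SYN
Jan 12 10:00:02 fw1 kernel: RULE ID 12 IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=44322 DPT=22 SYN
Jan 12 10:00:02 fw1 kernel: RULE ID 7 IN=eth0 OUT=eth1 SRC=192.0.2.9 DST=198.51.100.20 LEN=84 PROTO=ICMP TYPE=8 CODE=0
Jan 12 10:00:03 fw1 kernel: RULE ID 12 IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=44323 DPT=22 SYN
Jan 12 10:00:03 fw1 sshd[1234]: Accepted publickey for admin from 10.0.0.2 port 50000 ssh2
Jan 12 10:00:04 fw1 kernel: RULE ID 3 IN=eth1 OUT= SRC=10.0.0.7 DST=10.0.0.1 LEN=76 PROTO=UDP SPT=5353 DPT=53
"""


def parse_rule_hits(text):
    """Yield (rule_id, fields) for each line carrying the RULE ID prefix.

    Lines without the prefix (sshd, cron, ...) are skipped, so the whole
    syslog file can be fed in rather than a pre-filtered extract.
    """
    for line in text.splitlines():
        m = RULE_RE.search(line)
        if not m:
            continue
        fields = dict(KV_RE.findall(line[m.end():]))
        yield int(m.group("rule")), fields


def summarize(text):
    """Return (hits per rule, distinct (SRC, DST, PROTO, DPT) tuples per rule).

    Because the policy rate-limits logging to 60 packets per minute, the hit
    counts are a lower bound on the traffic that actually matched each rule.
    """
    hits = Counter()
    flows = defaultdict(set)
    for rule, f in parse_rule_hits(text):
        hits[rule] += 1
        flows[rule].add((f.get("SRC"), f.get("DST"), f.get("PROTO"), f.get("DPT", "")))
    return hits, flows


def rules_over_threshold(hits, threshold):
    """Rule IDs whose hit count reaches the threshold, busiest first."""
    return [rule for rule, n in hits.most_common() if n >= threshold]


if __name__ == "__main__":
    hits, flows = summarize(SAMPLE_LOG)
    for rule in rules_over_threshold(hits, 1):
        print(f"rule {rule}: {hits[rule]} hits, {len(flows[rule])} distinct flows")
```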

# Edit a Cluster of Firewalls

You can edit the settings of a cluster of firewalls by double clicking on the name of the cluster, or by right-clicking on it and selecting Edit.

A new window with three tabs pops up. Note that now in the "Configuration" tab you can see the nodes that make up the cluster. Here you can change their names, the credentials to access them, and their interfaces, IP addresses and ports. Also you can completely remove a node by pressing the - button, or add more nodes by pressing the + button.

Edit Firewall Cluster Tab 1

The interfaces of the nodes can be discovered by pressing the magnifying glass button.

In the second tab, named "Interfaces/IPs", you can see a tree with all network interfaces and their associated IP addresses. You can edit and modify them much as we saw previously when editing a firewall.

Edit Firewall Cluster Tab 2

The difference here is that when you press the Discover button a new form is presented, in which you select the cluster node from which you want to perform the discovery.

Select Cluster Member

In the third tab, "Options", you have the same options you have for individual firewalls explained before.

# Clone Firewall

If you are going to install a new firewall that shares several characteristics and features with an existing one, you can clone the existing firewall and then configure the parts that differ to fit your new firewall.

Clone Firewall

This will ask you to name the new firewall and will create a copy.

Clone Firewall Form

# Convert to Cluster

For high availability (HA) you can have a cluster of firewalls. In FWCloud-UI you manage the policy rules and the VPN connections for the cluster as a whole, although you can set specific rules that only affect a particular node of the cluster. If you have been using a firewall in FWCloud and it now belongs to a cluster, you can convert it into a single-node cluster.

Convert to Cluster

You will need to confirm the action.

Convert to Cluster Confirmation

It will be converted into a cluster of firewalls with only one node. You can then edit the properties of the cluster and add the rest of the nodes.

Also a cluster of firewalls can be converted into a firewall if needed.

# Delete Cluster

You can remove a cluster of firewalls from FWCloud-UI by means of the corresponding menu option.

Delete Firewall

It requires confirmation.

Delete Firewall Form

WARNING

If any of the cluster's objects (interfaces, IPs, VPNs, etc.) are in use by the policy of other firewalls/clusters, it will not be possible to remove it and an error message will be displayed.

# Delete Firewall

You can remove a firewall from FWCloud-UI from the contextual menu.

Delete Firewall

It requires confirmation.

Delete Firewall Form

WARNING

If any of the firewall's objects (interfaces, IPs, VPNs, etc.) are in use by the policy of other firewalls/clusters, it will not be possible to remove it and an error message will be displayed.

# Import / Export

# Import wizard

FWCloud-UI allows importing the security policy from other firewall platforms based on Netfilter/iptables. The recommended way to import a firewall is to use the Import wizard.

You can invoke this wizard from the contextual menu of "Firewalls/cluster"

Import Wizard Menu

or by pressing the upper Import wizard button.

Import Wizard Button

This wizard guides you through all the steps needed to create a new firewall or cluster of firewalls, importing the policy from another firewall or cluster as well as the necessary objects into the FWCloud-UI infrastructure. It connects to the firewall to be imported using SSH, so FWCloud-UI needs root access to that firewall.

Import Wizard Step 1

You need to specify whether you are importing from a firewall or from a cluster of firewalls, and enter the name of the new firewall or cluster.

Import Wizard Step 2 FW

If you are importing from a cluster, you also have to provide a name for each node of the cluster. The master node name is required. You can add as many nodes as your cluster has by pressing the Add node button. If you want to remove a node after adding it, just press the Remove node button next to its name.

Import Wizard Step 2 cluster

Next you have to provide the IP address, the username and the password to access the firewall you are importing from. If you are importing from a cluster, you need to provide the address and credentials for each node. Remember that the user needs to be able to execute privileged commands on the remote firewall to collect the necessary information. Then press the Discover interfaces button.

Import Wizard Step 3

FWCloud connects to the remote device and gets the name, the MAC address and the IP addresses (for IP version 4 and version 6) of each interface it has. This lets FWCloud-UI create the interfaces in the new firewall and use them in the policy rules. You are presented with a form showing the collected information, where you can select which interfaces and IP addresses you want included in the new firewall. For more information about this process, review the Autodiscover section above.

Import Wizard Step 3 Autodiscover

Next you need to confirm the action. If you do, the wizard proceeds and you can no longer go back or cancel, although once finished you can always delete the newly created firewall or cluster if you regret the import.

Import Wizard Step 3 Confirmation

The next step is a summary of the import and a warning that the security policy should always be reviewed before installing it, as this is an automatic process.

Import Wizard Step 4

If no problems occur during the process, the final form is displayed.

Import Wizard Step 5

If you have imported from a firewall or cluster of firewalls created using FWCloud-UI all the visual features that FWCloud-UI has, like the background color of the rules or the grouping of rules, will also be included in the new firewall or cluster.

In the next video you can see all these concepts about Import wizard when importing a firewall:

Now we show another example of using this wizard but this time we are going to import a firewall cluster:

# IPTables-save import

If you know what you are doing, you can import the firewall manually. In this case, first create the new firewall or cluster and then select iptables-save import from its contextual menu.

You will be presented with a form with options for how to import. This form changes dynamically according to the options you choose.

You can paste the output of the iptables-save command executed on the remote device. This is useful if you do not have access from the FWCloud-UI computer to the remote firewall.

IPTables-save import form 1

You can upload a file obtained from a previous export.

IPTables-save import form 2

Or you can make FWCloud connect to the remote devices, as in the case of the "Import wizard".

IPTables-save import form 3

In all three cases you need to accept the warning that the current security policy of the firewall or cluster is going to be replaced by the new one.

# IPTables-save export

The entire security policy can be exported. From the contextual menu of the firewall, select Iptables-save export and provide the IP address and credentials of the firewall you want to export from.

IPTables-save export form

You can copy the result to the clipboard to quickly import it into another FWCloud firewall, or download it to a file to keep in a secure place and use later on.

IPTables-save export result

When exporting from FWCloud-UI the visual features are also included, but the generated file can also be used on any firewall compatible with the iptables-save format.
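As an added example (not FWCloud's own code), a pre-import sanity check for a pasted or exported iptables-save dump, covering the iptables-save import and export sections and the Import wizard's advice to review the policy before installing it: it parses the format (tables, chain declarations with default policies, rules, COMMIT), rejects a truncated paste, and lists permissive default policies and empty chains for manual review. The dump is constructed for this example; its LOG rule mirrors the "RULE ID" prefix and 60/min limit described under Edit Firewall.

```python
import re

# Constructed iptables-save dump used as sample input; not from a real firewall.
SAMPLE_DUMP = """\
# Generated by iptables-save v1.8.7 on Mon Jan 12 10:00:00 2024
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m limit --limit 60/min -j LOG --log-prefix "RULE ID 12 "
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""

# ":CHAIN POLICY [packets:bytes]"; user-defined chains carry "-" as the policy.
CHAIN_RE = re.compile(r"^:(\S+) (\S+) \[\d+:\d+\]$")


def parse_iptables_save(text):
    """Parse a dump into per-table policies/rules; raise ValueError on damaged input."""
    tables, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are not part of the policy
        if line.startswith("*"):
            current = tables.setdefault(line[1:], {"policies": {}, "rules": {}, "committed": False})
        elif current is None:
            raise ValueError(f"line {lineno}: content before any *table header")
        elif line.startswith(":"):
            m = CHAIN_RE.match(line)
            if not m:
                raise ValueError(f"line {lineno}: bad chain declaration {line!r}")
            current["policies"][m.group(1)] = m.group(2)
            current["rules"].setdefault(m.group(1), [])
        elif line.startswith("-A "):
            chain = line.split()[1]
            if chain not in current["rules"]:
                raise ValueError(f"line {lineno}: rule for undeclared chain {chain}")
            current["rules"][chain].append(line)
        elif line == "COMMIT":
            current["committed"] = True
        else:
            raise ValueError(f"line {lineno}: unrecognised line {line!r}")
    for name, t in tables.items():
        if not t["committed"]:
            raise ValueError(f"table {name} has no COMMIT (truncated paste?)")
    return tables


def review(tables):
    """Findings worth a look before importing: permissive default policies and empty chains."""
    if (filt := tables.get("filter")) is None:
        return ["no filter table in dump"]
    findings = []
    for chain, policy in filt["policies"].items():
        if policy == "ACCEPT":
            findings.append(f"filter/{chain}: default policy ACCEPT")
        if not filt["rules"][chain]:
            findings.append(f"filter/{chain}: no rules")
    return findings
```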