Cloud Firewall
  • 9 Minutes to read

    Cloud Firewall


      Article summary

      What is Cloud Firewall?

      Cloud Firewall, also known as Firewall-as-a-Service, is a security solution that operates in the cloud environment to protect networks and systems from unauthorized access, malicious activities, and cyber threats. Unlike traditional firewalls, cloud firewalls are hosted in the cloud.

      How does NordLayer Cloud Firewall work?

      NordLayer Cloud Firewall enables organizations to create rules for their Virtual Private Gateways to help protect their hybrid infrastructure and resources against internal and external threats. It also introduces micro-segmentation into their network perimeter.

      To better understand how NordLayer Cloud Firewall works, watch this explainer video:

      Important: NordLayer Cloud Firewall is currently only available for NordLayer desktop and mobile agents and is not compatible with NordLayer browser extensions.

      How is NordLayer Cloud Firewall created?

      Every Virtual Private Gateway that is configured with at least one Team and at least one Dedicated Server automatically gets a Cloud Firewall created and associated with it automatically.

      For easier configuration management, all Cloud Firewalls are auto-named after the Virtual Private Gateway that they are based on. The name of the Firewall can be changed by renaming the Gateway. The two can’t have different naming conventions.

      By default, all newly created Firewalls come with a “Disabled” state and have no predefined rules.

      Note: If the Virtual Private Gateway that the Firewall is based on is deleted, the Firewall is also removed. All rules that may have been configured and used on the Firewall are lost when the Gateway it is based on is deleted.

      What is a Default Firewall Action?

      The Default Firewall Action defines how to treat connections and traffic that don’t match a specific Firewall Rule. The default action of every NordLayer Firewall is pre-set to “Allow” in order to minimize the impact on end users should it be accidentally enabled with no rules.

      Imporant: It is far more effective and safer to deny all traffic with a firewall default state Deny and only allow traffic that you can identify and exclusively let through by the use of Allow rules.

      NordLayer Cloud Firewall can do one of the following two default actions:

      • Allow: Firewall allows all network traffic by default unless a rule prohibits the traffic.
      • Deny: Firewall disallows all network traffic by default unless a rule permits the traffic.

      The Default Firewall Action (Allow/Deny) plays together with the Firewall Rule Action (Allow/Deny) so that Organization Admins can configure a safe perimeter within their network.

      Default Firewall Action can be changed by clicking on Change default action within the firewall.

      Change-default-action

      How to use NordLayer’s Cloud Firewall and create new Firewall rules?

      Enabling a Cloud Firewall with no predefined policies may serve little to no value to your Organization’s security posture. Therefore, we suggest firstly planning and documenting your Organization’s security policy: Identify members, hybrid resources and services you wish to protect with a Cloud Firewall, configure intricate Firewall rules and only then enable the firewall on a Gateway level.

      To create and configure Cloud Firewall rules for your Virtual Private Gateway of choice:

      1. Go to Control PanelNetworkFirewalls;
      2. Click on the Firewall named after the Virtual Private Gateway you wish to configure;
      3. Click on Add new rule.

      Add-new-rule

      Creating new firewall rules

      Firewall rules are created using this simple 4 step process:

      1. Name the rule (something that explains to you what this rule is intended to do) and choose the Default Action. A firewall rule can have one of the following two actions:
      • Allow: Firewall permits traffic and stops further rule evaluation;
      • Deny: Firewall disallows traffic and stops further rule evaluation.

      Name-and-Action

      1. Choose traffic Source for the rule. The Source can be either:
      • Any traffic from any member within Teams with access to the Gateway;
      • Traffic from specific Teams and/or Members with access to the Gateway

      Rule-source

      1. Choose a traffic Destination to which the rule will apply. The Destination can be either:
      • Any network address that the member is trying to access;
      • A custom address (a single IP address, IP address list, Subnet). Here admins can choose from predefined addresses or create new address entries.
      • A set of predefined and custom services.

      Destination

      1. Select Services (Protocols and Ports) to Allow/Deny traffic for chosen destinations. Services can be either:
      • Protocols and ports predefined by NordLayer (choose from the list);
      • A custom service (create custom TCP/UDP protocol and Port set). Here admins can choose from predefined services or create new service entries;
      • A set of predefined and custom services.

      Manage-services

      Important: The maximum number of Services added to a single rule is 20.

      1. Click “Add new rule”.

      Services

      Once a new firewall rule is created it is added to the unapplied rule changes list. Every new rule is automatically added to the top of the list as a priority rule. Use drag and drop should you wish to deprioritize the new rule within the rule table.

      Firewall rule hierarchy and statuses

      Firewall rules have a priority order that determines the order in which the rules are applied to network traffic. When the firewall matches a packet against the first rule that meets the defined criteria it ignores subsequent rules.

      Firewall rules are shown as a list from #1 to #20 within the Firewall page and are applied from top to bottom (highest priority to lowest priority). Every new rule is automatically added to the top of the list as a #1 priority rule. Rule priority can be adjusted by simply dragging them down or up within the list.

      Rule can have one out of three statuses:

      • Enabled: Rule is active and is enforced on the Gateway when enabling the Firewall;
      • Disabled: Rule is inactive and is skipped when enforcing rules on the Gateway;
      • Deleted: Rule has been deleted and will be removed from the list upon clicking on Apply rule changes button.

      Note: By default NordLayer Cloud Firewall allows up to 10 rules to be active at a time per Gateway by default. You can create up to 20 firewall rules in total (10 active and 10 inactive) for easier management and prioritization.

      If you need more than 10 active rules (up to 50), contact customer support or your Account Manager.

      Applying rule and firewall changes

      Every action or edit made within the firewall is counted as a change. Such actions include:

      • Enabling and disabling the Firewall;
      • Changing the Default Firewall Action;
      • Adding new rules, disabling and removing old Firewall rules;
      • Any changes within the 4 entities of existing firewall rules (Firewall Name/Action, Source, Destination, Services);
      • Any changes within the rule priority.

      By clicking on Apply rule changes, the adjusted firewall configuration is applied to the Gateway and all members with access to the Gateway immediately receive the new firewall configuration.

      The firewall process rule changes whilst being in a Applying changes state, during which no rule edits are allowed as the UI remains grayed out until Firewall returns to the Enabled state.

      The time required to apply rule and firewall changes varies from a few seconds to a few minutes, depending on rule complexity and firewall state.

      Note: Enabling and disabling the firewall may take a few minutes, while other changes, such as adding new rules or adjusting existing firewall rules usually are processed within seconds.

      Enabling Cloud Firewall

      Enable the Firewall and apply all of its configuration to members with access to the Gateway for which the Firewall is being configured.

      To enable the Firewall:

      1. Go to Firewall you wish to enable → Press Enable firewall;
      2. An action to enable the firewall is added to the firewall changes list;
      3. Press Apply rule changes;
      4. Watch as the firewall goes into Applying changes state and returns back to Enabled state after processing all the changes and applying them to members;
      5. Firewall is enabled and all rules in the rule list are applied. All changes made along the way are logged in the Control Panel’s Activity section.

      Disabling Cloud Firewall

      Should you wish to disable your Cloud Firewall, follow these steps:

      1. Go to Firewall you wish to enable → Press Disable firewall;
      2. An action to disable the firewall is added to the firewall changes list;
      3. Press Apply rule changes;
      4. Watch as the firewall goes into Applying changes state and moves to Disabled state after disabling the firewall rule configuration to all members with access to the Gateway.

      Centrally managing addresses and services

      All custom destination addresses and services (protocol/port lists) created and used for Cloud Firewall rules can be centrally managed. Should you need to preconfigure destinations or update existing ones, do it all in one go, instead of updating every single firewall rule used.

      To centrally manage addresses and services:

      1. Go to Control PanelNetworkFirewalls;
      2. Click on Manage addresses or Manage services based on the object you need to update;
        Firewall-list
      3. Pick an object you need to update and click on the pencil icon.
        Manage-addresses
      4. After updating the address/service, click Save changes then you will see all the rules that will receive the new object configuration;
      5. Make sure these are the rules you intended to update and press Save changes button to confirm the update;
      6. All rules within all firewalls using said address/service will be updated at once within seconds of saving the change.

      Note: Custom addresses and services can only be centrally edited/updated. If you wish to completely remove an entry, make sure to either disable all the firewall rules that use it or remove it from all rules one by one. Entries in use by firewall rules cannot be deleted while in use.

      Managing Gateways with Cloud Firewall configuration

      Managing Virtual Private Gateways with Cloud Firewall enabled is almost no different from managing a regular Virtual Private Gateway.

      Add additional Teams or Dedicated Servers to the gateway with no hurdles: Firewall configuration will automatically apply to all items added to the Gateway.

      When inviting new members to NordLayer, make sure to add them to appropriate Teams. That way new members will automatically be able to see all Gateways that their Team is in and Firewall configurations will be auto-applied to them upon connection to the Gateway.

      If an Organization removes a singular member or a Team from NordLayer and the Firewall has a rule configured specifically for said member or a Team, the rule will be automatically disabled and the missing object will be changed to a default entry of “Any”.

      Note:
      • Gateways with enabled firewalls cannot be removed. If you wish to completely remove a Gateway, first disable the Firewall that is associated with it.
      • Dedicated Servers that are associated with the firewall cannot be removed from the Gateway. Please disable the firewall first, then remove the server.

      Cloud Firewall configuration guidelines

      • One Virtual Private Gateway can only have one firewall enabled at once.
      • Virtual Private Gateways with enabled firewalls cannot be removed.
      • Dedicated Servers that are associated with the firewall cannot be removed from the Gateway.
      • Firewalls with existing rules cannot be duplicated or assigned to other gateways.
      • Each firewall can accommodate 20 rules, but only 10 can be enabled at once.
      • Each firewall rule can accommodate up to 20 custom destination addresses and services.
      • Custom destination addresses and services cannot be removed while in use within the firewall.
      • When using NordLayer’s DPI Lite and Cloud Firewall rules with Custom Network Services, Firewall rules will have higher priority than standalone DPI Lite.
      • NordLayer Cloud Firewall is currently only available for NordLayer desktop and mobile agents and is not compatible with NordLayer browser extensions.

      Note: In case you have any questions or are experiencing any issues, please feel free to contact our 24/7 customer support team.


      Was this article helpful?