Cloud Firewall

      What is Cloud Firewall?

      Cloud Firewall, also known as Firewall-as-a-Service, is a security solution that runs in the cloud to protect networks and systems from unauthorized access, malicious activity, and cyber threats. Unlike traditional firewalls, which run on on-premises appliances, cloud firewalls are hosted in the cloud.

      How does NordLayer Cloud Firewall work?

      NordLayer Cloud Firewall enables organizations to create rules for their Virtual Private Gateways to help protect their hybrid infrastructure and resources against internal and external threats. It also introduces micro-segmentation into their network perimeter.

      Important: NordLayer Cloud Firewall is currently only available for NordLayer desktop and mobile agents and is not compatible with NordLayer browser extensions.

      How is NordLayer Cloud Firewall created?

      Every Virtual Private Gateway that is configured with at least one Team and at least one Dedicated Server automatically gets a Cloud Firewall created and associated with it.

      For easier configuration management, every Cloud Firewall is automatically named after the Virtual Private Gateway it belongs to. To rename a Firewall, rename its Gateway; the two names are always identical and cannot be set independently.

      By default, all newly created Firewalls come with a “Disabled” state and have no predefined rules.

      Note: If the Virtual Private Gateway that the Firewall is based on is deleted, the Firewall is removed with it, and all rules configured on that Firewall are lost.

      What is a Default Firewall Action?

      The Default Firewall Action defines how connections and traffic that match no Firewall Rule are treated. It is pre-set to “Allow” on every NordLayer Firewall so that accidentally enabling a firewall with no rules has no impact on end users.

      Important: It is far safer and more effective to set the Default Firewall Action to Deny and explicitly permit, with Allow rules, only the traffic you can identify.

      NordLayer Cloud Firewall supports one of the following two default actions:

      • Allow: Firewall allows all network traffic by default unless a rule prohibits the traffic.
      • Deny: Firewall disallows all network traffic by default unless a rule permits the traffic.

      The Default Firewall Action (Allow/Deny) plays together with the Firewall Rule Action (Allow/Deny) so that Organization Admins can configure a safe perimeter within their network.

      Default Firewall Action can be changed by clicking on Change default action within the firewall.

      [Screenshot: Change default action]

      How to use NordLayer’s Cloud Firewall and create new Firewall rules?

      Enabling a Cloud Firewall with no rules adds little or nothing to your Organization’s security posture. Therefore, we suggest first planning and documenting your Organization’s security policy: identify the members, hybrid resources and services you wish to protect with a Cloud Firewall, configure the Firewall rules accordingly, and only then enable the firewall at the Gateway level.

      To create and configure Cloud Firewall rules for your Virtual Private Gateway of choice:

      1. Go to Control Panel → Network → Firewalls;
      2. Click on the Firewall named after the Virtual Private Gateway you wish to configure;
      3. Click on Add new rule.

      [Screenshot: Add new rule]

      Creating new firewall rules

      Firewall rules are created using this simple five-step process:

      1. Name the rule (something that explains what the rule is intended to do) and choose its Action. A firewall rule can have one of the following two actions:
      • Allow: Firewall permits the traffic and stops further rule evaluation;
      • Deny: Firewall disallows the traffic and stops further rule evaluation.

      [Screenshot: Name and Action]

      2. Choose the traffic Source for the rule. The Source can be either:
      • Any: traffic from any member within Teams with access to the Gateway;
      • Traffic from specific Teams and/or Members with access to the Gateway.

      [Screenshot: Rule source]

      3. Choose the traffic Destination to which the rule will apply. The Destination can be either:
      • Any: any network address that the member is trying to access;
      • A custom address (a single IP address, an IP address list or a subnet). Here admins can choose from predefined addresses or create new address entries;
      • A set of predefined and custom addresses.

      [Screenshot: Destination]

      4. Select the Services (protocols and ports) for which the rule allows or denies traffic to the chosen destinations. Services can be either:
      • Protocols and ports predefined by NordLayer (choose from the list);
      • A custom service (a custom TCP/UDP protocol and port set). Here admins can choose from predefined services or create new service entries;
      • A set of predefined and custom services.

      [Screenshot: Manage services]

      Important: The maximum number of Services added to a single rule is 20.

      5. Click “Add new rule”.

      [Screenshot: Services]

      Once a new firewall rule is created, it is added to the list of unapplied rule changes. Every new rule is placed at the top of the list as the highest-priority rule; use drag and drop to lower its priority within the rule table.

      Firewall rule hierarchy and statuses

      Firewall rules have a priority order that determines the sequence in which they are evaluated against network traffic. Evaluation stops at the first rule whose criteria the traffic matches; all subsequent rules are ignored.

      Firewall rules are shown as a list from #1 to #20 on the Firewall page and are applied from top to bottom (highest priority to lowest priority). Every new rule is automatically added to the top of the list as the #1 priority rule. Rule priority can be adjusted by simply dragging rules up or down within the list.

      A rule can have one of three statuses:

      • Enabled: Rule is active and is enforced on the Gateway when enabling the Firewall;
      • Disabled: Rule is inactive and is skipped when enforcing rules on the Gateway;
      • Deleted: Rule has been deleted and will be removed from the list upon clicking on Apply rule changes button.

      Note: NordLayer Cloud Firewall allows up to 10 rules to be enabled at once per Gateway, but it permits the creation of up to 20 firewall rules in total (10 Enabled status rules and 10 Disabled status rules) for easier new rule creation, existing rule management and their prioritization.
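      The following is an added example, not NordLayer code, that models the rule semantics described in the Default Firewall Action, rule creation and rule hierarchy sections above: top-down evaluation, first match wins, Disabled rules skipped, new rules inserted at priority #1, unmatched traffic falling through to the default action, and the 20-rule / 10-enabled / 20-services limits. It assumes, beyond what the page states, that the gateway knows the connecting member’s name and Teams, that destinations are matched by IP/CIDR, and that an empty service list means any protocol/port. The Gateway name “Berlin-GW”, the Teams, members and addresses are constructed for illustration.

```python
"""Model of Cloud Firewall rule evaluation: an added example, not NordLayer code.
Rules are evaluated top-down, first match wins, Disabled rules are skipped, a new
rule lands at priority #1, unmatched traffic gets the Default Firewall Action, and
the 20-rule / 10-enabled / 20-services-per-rule limits are enforced. Assumed (not
stated by the page): the gateway knows the connecting member's name and Teams,
destinations match by IP/CIDR, and an empty service list means any protocol/port."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

MAX_RULES, MAX_ENABLED, MAX_SERVICES = 20, 10, 20


@dataclass
class Rule:
    name: str
    action: str                         # "allow" or "deny"
    source: Optional[Set[str]] = None   # None = Any, else Team/member names
    destination: Optional[list] = None  # None = Any, else ip_network objects
    services: List[tuple] = field(default_factory=list)  # [("tcp", 443), ...]; [] = any
    enabled: bool = True

    def matches(self, member, teams, dst, proto, port) -> bool:
        if self.source is not None and member not in self.source \
                and not self.source.intersection(teams):
            return False
        if self.destination is not None and \
                not any(ipaddress.ip_address(dst) in net for net in self.destination):
            return False
        return not self.services or (proto, port) in self.services


@dataclass
class Firewall:
    name: str                      # always identical to the Gateway name
    default_action: str = "allow"  # Control Panel pre-sets Allow; Deny is safer
    rules: List[Rule] = field(default_factory=list)  # index 0 = priority #1

    def add_rule(self, rule: Rule) -> None:
        if rule.action not in ("allow", "deny") or len(rule.services) > MAX_SERVICES:
            raise ValueError(f"{rule.name}: bad action or more than {MAX_SERVICES} services")
        if len(self.rules) >= MAX_RULES:
            raise ValueError(f"{self.name}: already {MAX_RULES} rules")
        if rule.enabled and sum(r.enabled for r in self.rules) >= MAX_ENABLED:
            raise ValueError(f"{self.name}: already {MAX_ENABLED} enabled rules")
        self.rules.insert(0, rule)  # new rules always land at the top, as #1

    def evaluate(self, member, teams, dst, proto, port) -> Tuple[str, str]:
        """First Enabled rule that matches decides; otherwise the default does."""
        for rule in self.rules:
            if rule.enabled and rule.matches(member, teams, dst, proto, port):
                return rule.action, rule.name
        return self.default_action, "default"


def build_gateway_firewall(default_action: str) -> Firewall:
    """Constructed sample policy for a hypothetical 'Berlin-GW' Gateway."""
    fw = Firewall("Berlin-GW", default_action)
    fw.add_rule(Rule("Allow HTTPS to app subnet", "allow", source={"Engineering"},
                     destination=[ipaddress.ip_network("10.10.0.0/24")],
                     services=[("tcp", 443)]))
    fw.add_rule(Rule("Deny contractor SSH", "deny", source={"Contractors"},
                     services=[("tcp", 22)]))  # destination Any
    return fw  # order is now: #1 Deny contractor SSH, #2 Allow HTTPS


def demo() -> dict:
    strict, lax = build_gateway_firewall("deny"), build_gateway_firewall("allow")
    lax.rules[0].enabled = False  # a Disabled rule is skipped during evaluation
    eng, con = ["Engineering"], ["Contractors"]
    return {
        "order": [r.name for r in strict.rules],
        "engineer_https_internal": strict.evaluate("alice", eng, "10.10.0.5", "tcp", 443),
        "contractor_ssh": strict.evaluate("bob", con, "10.10.0.5", "tcp", 22),
        "contractor_https_internal": strict.evaluate("bob", con, "10.10.0.5", "tcp", 443),
        "engineer_https_internet": strict.evaluate("alice", eng, "8.8.8.8", "tcp", 443),
        # same rules with default Allow: anything not explicitly denied passes
        "lax_https_internet": lax.evaluate("alice", eng, "8.8.8.8", "tcp", 443),
        "lax_ssh_with_deny_rule_off": lax.evaluate("bob", con, "10.10.0.5", "tcp", 22),
    }


def limits_enforced() -> bool:
    """True if the 10-enabled, 20-total and 20-service limits all raise ValueError."""
    def rejected(fn):
        try:
            fn()
        except ValueError:
            return True
        return False
    fw = Firewall("Limits-GW")
    for i in range(MAX_ENABLED):
        fw.add_rule(Rule(f"enabled {i}", "allow"))
    over_enabled = rejected(lambda: fw.add_rule(Rule("11th enabled", "allow")))
    for i in range(MAX_RULES - MAX_ENABLED):
        fw.add_rule(Rule(f"disabled {i}", "allow", enabled=False))
    over_total = rejected(lambda: fw.add_rule(Rule("21st", "allow", enabled=False)))
    over_services = rejected(lambda: Firewall("Svc-GW").add_rule(
        Rule("21 services", "allow", services=[("tcp", p) for p in range(1, 22)])))
    return over_enabled and over_total and over_services
```

      The two firewalls in demo() carry identical rules and differ only in the default action. With default Deny, an engineer reaching an internet host over HTTPS is refused because no Allow rule names that destination; with default Allow the same connection passes, and disabling the single Deny rule silently opens contractor SSH everywhere. That is the practical difference behind the “Important” note above: an Allow default makes every gap in the rule set a permission.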

      Applying rule and firewall changes

      Every action or edit made within the firewall is counted as a change. Such actions include:

      • Enabling and disabling the Firewall;
      • Changing the Default Firewall Action;
      • Adding new rules, disabling and removing old Firewall rules;
      • Any changes within the 4 entities of an existing firewall rule (Rule Name/Action, Source, Destination, Services);
      • Any changes within the rule priority.

      By clicking on Apply rule changes, the adjusted firewall configuration is applied to the Gateway and all members with access to the Gateway immediately receive the new firewall configuration.

      While processing rule changes the firewall is in the Applying changes state; no rule edits are allowed and the UI remains grayed out until the Firewall returns to the Enabled state.

      The time required to apply rule and firewall changes varies from a few seconds to a few minutes, depending on rule complexity and firewall state.

      Note: Enabling and disabling the firewall may take a few minutes, while other changes, such as adding new rules or adjusting existing firewall rules usually are processed within seconds.

      Enabling Cloud Firewall

      Enabling the Firewall applies its entire configuration to all members with access to the Gateway for which the Firewall is configured.

      To enable the Firewall:

      1. Go to Firewall you wish to enable → Press Enable firewall;
      2. An action to enable the firewall is added to the firewall changes list;
      3. Press Apply rule changes;
      4. Watch as the firewall goes into Applying changes state and returns back to Enabled state after processing all the changes and applying them to members;
      5. Firewall is enabled and all rules in the rule list are applied. All changes made along the way are logged in the Control Panel’s Activity section.

      Disabling Cloud Firewall

      Should you wish to disable your Cloud Firewall, follow these steps:

      1. Go to the Firewall you wish to disable → Press Disable firewall;
      2. An action to disable the firewall is added to the firewall changes list;
      3. Press Apply rule changes;
      4. Watch as the firewall goes into the Applying changes state and moves to the Disabled state after the firewall rule configuration has been removed from all members with access to the Gateway.

      Centrally managing addresses and services

      All custom destination addresses and services (protocol/port lists) created for Cloud Firewall rules are managed centrally. If you need to preconfigure destinations or update existing ones, do it once in one place instead of editing every firewall rule that uses them.

      To centrally manage addresses and services:

      1. Go to Control Panel → Network → Firewalls;
      2. Click on Manage addresses or Manage services based on the object you need to update;
        [Screenshot: Firewall list]
      3. Pick an object you need to update and click on the pencil icon.
        [Screenshot: Manage addresses]
      4. After updating the address/service, click Save changes; you will then see all the rules that will receive the new object configuration;
      5. Make sure these are the rules you intended to update and press the Save changes button to confirm the update;
      6. All rules within all firewalls using said address/service will be updated at once within seconds of saving the change.

      Note: Custom addresses and services can only be edited centrally; an entry that is still referenced by any firewall rule cannot be deleted. To remove an entry completely, first either disable all the firewall rules that use it or remove it from those rules one by one, and only then delete it.

      Managing Gateways with Cloud Firewall configuration

      Managing Virtual Private Gateways with Cloud Firewall enabled is almost no different from managing a regular Virtual Private Gateway.

      Add additional Teams or Dedicated Servers to the gateway with no hurdles: Firewall configuration will automatically apply to all items added to the Gateway.

      When inviting new members to NordLayer, make sure to add them to appropriate Teams. That way new members will automatically be able to see all Gateways that their Team is in and Firewall configurations will be auto-applied to them upon connection to the Gateway.

      If an Organization removes a single member or a Team from NordLayer and the Firewall has a rule configured specifically for that member or Team, the rule is automatically disabled and the missing object is replaced with the default entry “Any”. Review such a rule before re-enabling it: with its source reset to “Any”, it would apply to every member with access to the Gateway.

      Note:
      • Gateways with enabled firewalls cannot be removed. If you wish to completely remove a Gateway, first disable the Firewall that is associated with it.
      • Dedicated Servers that are associated with the firewall cannot be removed from the Gateway. Please disable the firewall first, then remove the server.
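      The following is an added example, not NordLayer code, that models the object-management behaviour from the “Centrally managing addresses and services” section together with the member/Team removal behaviour described just above: addresses and services are stored once and referenced by name from rules on any firewall, editing an object reaches every rule that uses it, an object still in use cannot be deleted, and removing a principal disables the rules that name it and resets their source to “Any”. The Gateway names, Teams, object names and addresses are constructed for illustration, and the catalog API below is hypothetical rather than NordLayer’s.

```python
"""Central address/service objects shared by Cloud Firewall rules: an added example,
not NordLayer code. It models three behaviours the page describes: editing an object
updates every rule that references it (across firewalls), an object still in use
cannot be deleted, and removing a member or Team disables the rules that name it
and resets their source to Any. Names, rules and values below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


class InUseError(Exception):
    """Raised when deleting an address/service that some rule still references."""


@dataclass
class Rule:
    name: str
    action: str                        # "allow" or "deny"
    source: Optional[Set[str]]         # None = Any, else Team/member names
    destination: Optional[List[str]]   # None = Any, else address object names
    services: List[str]                # service object names
    enabled: bool = True


class FirewallCatalog:
    """Addresses and services are stored once; rules reference them by name."""

    def __init__(self):
        self.addresses: Dict[str, List[str]] = {}              # name -> ["10.10.0.0/24"]
        self.services: Dict[str, List[Tuple[str, int]]] = {}   # name -> [("tcp", 443)]
        self.firewalls: Dict[str, List[Rule]] = {}             # Gateway name -> rules

    def rules_using(self, kind: str, obj: str) -> List[Tuple[str, str]]:
        """(firewall, rule) pairs whose destination/services reference the object."""
        return [(fw, r.name) for fw, rules in self.firewalls.items() for r in rules
                if obj in ((r.destination or []) if kind == "address" else r.services)]

    def update(self, kind: str, obj: str, values: list) -> List[Tuple[str, str]]:
        """Edit an object in place; the rules returned pick up the change at once."""
        store = self.addresses if kind == "address" else self.services
        if obj not in store:
            raise KeyError(obj)
        store[obj] = list(values)
        return self.rules_using(kind, obj)

    def delete(self, kind: str, obj: str) -> None:
        """Refuse to delete while any rule (Enabled or Disabled) still references it."""
        users = self.rules_using(kind, obj)
        if users:
            raise InUseError(f"{kind} {obj!r} is used by {users}")
        (self.addresses if kind == "address" else self.services).pop(obj)

    def resolve(self, fw_name: str, rule_name: str) -> dict:
        """Expand a rule's object references into what the Gateway would enforce."""
        r = next(x for x in self.firewalls[fw_name] if x.name == rule_name)
        dest = None if r.destination is None else \
            [v for n in r.destination for v in self.addresses[n]]
        return {"source": r.source, "destination": dest, "enabled": r.enabled,
                "services": [s for n in r.services for s in self.services[n]]}

    def remove_principal(self, principal: str) -> List[Tuple[str, str]]:
        """Member/Team left the Organization: rules naming it are disabled and their
        source reset to Any. Review before re-enabling: Any means every member."""
        changed = []
        for fw_name, rules in self.firewalls.items():
            for r in rules:
                if r.source is not None and principal in r.source:
                    r.source, r.enabled = None, False
                    changed.append((fw_name, r.name))
        return changed


def demo() -> dict:
    cat = FirewallCatalog()
    cat.addresses.update({"app-subnet": ["10.10.0.0/24"]})
    cat.services.update({"https": [("tcp", 443)], "ssh": [("tcp", 22)],
                         "dns": [("udp", 53), ("tcp", 53)]})
    cat.firewalls["Berlin-GW"] = [
        Rule("Deny contractor SSH", "deny", {"Contractors"}, None, ["ssh"]),
        Rule("Allow HTTPS to app subnet", "allow", {"Engineering"}, ["app-subnet"], ["https"]),
    ]
    cat.firewalls["Oslo-GW"] = [
        Rule("Allow HTTPS to app subnet", "allow", None, ["app-subnet"], ["https"]),
    ]
    out = {}
    # one edit reaches the rules on both firewalls that use the object
    out["touched_by_update"] = cat.update("address", "app-subnet",
                                          ["10.10.0.0/24", "10.11.0.0/24"])
    out["oslo_resolved"] = cat.resolve("Oslo-GW", "Allow HTTPS to app subnet")
    try:
        cat.delete("service", "https")
        out["delete_in_use_refused"] = False
    except InUseError:
        out["delete_in_use_refused"] = True
    cat.delete("service", "dns")  # unused, so this succeeds
    out["dns_gone"] = "dns" not in cat.services
    out["disabled_after_team_removal"] = cat.remove_principal("Contractors")
    out["berlin_deny_rule"] = cat.resolve("Berlin-GW", "Deny contractor SSH")
    return out
```

      The refusal in delete() is deliberate and mirrors the note above: a Disabled rule still counts as a reference, so the object must be removed from (or the rule deleted from) every firewall before the entry itself can go. The remove_principal() path shows why the auto-disable matters: the Deny rule that was scoped to Contractors now reads source “Any” and would, if re-enabled unchanged, block SSH for every member on the Gateway.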

      Cloud Firewall configuration guidelines

      • One Virtual Private Gateway can only have one firewall enabled at once.
      • Virtual Private Gateways with enabled firewalls cannot be removed.
      • Dedicated Servers that are associated with the firewall cannot be removed from the Gateway.
      • Firewalls with existing rules cannot be duplicated or assigned to other gateways.
      • Each firewall can accommodate 20 rules, but only 10 can be enabled at once.
      • Each firewall rule can accommodate up to 20 custom destination addresses and services.
      • Custom destination addresses and services cannot be removed while in use within the firewall.
      • When using NordLayer’s DPI Lite and Cloud Firewall rules with Custom Network Services, Firewall rules will have higher priority than standalone DPI Lite.
      • NordLayer Cloud Firewall is currently only available for NordLayer desktop and mobile agents and is not compatible with NordLayer browser extensions.

      Note: In case you have any questions or are experiencing any issues, please feel free to contact our 24/7 customer support team.
