Description

This article describes how to create a Firewall Rule on a Network Domain in an MCP 2.0 Data Center location.

You can also import bulk Firewall Rules from a .csv file. For instructions, see How to Import Bulk Firewall Rules from a .csv File.

Prerequisites:

  1. This article applies only to MCP 2.0 Data Center locations. For details on MCP 1.0 equivalent functions, see How to Manage ACL Rules on a Cloud Network.
  2. Only the Primary Administrator or a Sub-Admin with the Network role can create Firewall Rules on a Network Domain.
  3. This article assumes you understand the behavior of Firewall Rules in an MCP 2.0 Data Center location. For details on this behavior, see: Introduction to Firewall Rules for Cloud Network Domains in MCP 2.0
  4. You can have a maximum of 1,000 firewall rules per Network Domain.

Content / Solution:

  1. From the Home page, select the Data Center where the Network Domain on which you want to create a Firewall Rule is deployed:


  2. The Data Center dashboard will be displayed. Select the Network Domain on which you want to create a Firewall Rule:
     
     

  3. The Network Domain dashboard will be displayed. Click on the Firewall Rules tab:

    Note: The system has several default Firewall Rules in place. These default Firewall Rules can be enabled or disabled, but cannot be deleted.
     

  4. Click on the Actions button and then select Add Firewall Rule from the drop-down menu:


  5. The Add Firewall Rule dialog will be displayed:


  6. Fill out the Add Firewall Rule form with the desired information:

    • Firewall Rule Name - Descriptive name for the Firewall Rule. Name has a maximum length of 75 characters.
      • Note: The Name must be alphanumeric with the following exceptions permitted: '_' (underscore) and '.' (period/full stop). Must begin with a letter or '_' (underscore). Cannot contain spaces. Rule name cannot start with 'CCDEFAULT.' and must be unique within the Network Domain.
    • Action - Choose what action the Firewall Rule should take (either Accept Decisively or Drop). Note that the Drop action is a "silent" drop: the system will not reject packets or send a TCP reset.
    • State - Set the State of the Firewall Rule (either enabled or disabled).
    • IP Version - Choose between IPv4 or IPv6. 
      • Note: It is NOT possible to select Any for both the Source and Destination if the selected IP Version is IPv6. It is acceptable for either Source or Destination to be Any with an IP Version of IPv6.
    • Protocol - Choose the protocol associated with the Firewall rule. You can create rules associated with IP, ICMP, TCP, or UDP protocols. 
    • Source Details - Choose the source IP addresses covered by the rule. Choose from Any, Host, Subnet or Address List.
      • Note: The system will provide suggestions based on Name or IP Address.
      • Note: If the Protocol is IP or ICMP you cannot set the Port.
    • Source Port - Choose the port, range of ports (including any/all), or Port List to be associated with the rule if the protocol is TCP or UDP. All IP and ICMP protocol rules apply to 'Any' ports only.
    • Destination Details - Choose the destination IP addresses covered by the rule, with the same options as Source IP addresses. 
      • Note: The system will provide suggestions based on Name or IP Address.
      • Note: If the Protocol is IP or ICMP you cannot choose the Port.
    • Destination Port - Choose the port, range of ports (including any/all), or Port List to be associated with the rule if the protocol is TCP or UDP. All IP and ICMP protocol rules apply to 'Any' ports only.
    • Placement - Choose the position of the Firewall rule within the rule list. Firewall rules are followed sequentially - if there is a contradiction in the rules (i.e. if one rule says permit a certain type of traffic while another rule would deny that traffic), the rule with the lower number takes priority.
       
  7. Once the form has been filled out, click the Create button:

    Note: Exposing sensitive ports to the internet is a security risk and therefore not recommended. 

  8. The system will display a success message:

     

  9. The system will add the Firewall Rule and the UI will be updated to reflect the change:

    Note: If you do create a Firewall Rule that exposes sensitive ports, you will see an additional warning after the Firewall Rule has been created:

    Hovering your mouse over the sensitive port icon will display a tooltip with further information.
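
The constraints from the prerequisites and step 6 can be checked before a rule is entered in the form or placed in a .csv file for bulk import. The following is an added example, not part of the original article or the product: the dictionary keys, value spellings and sample rules are hypothetical, and it covers only the name, rule count, action, IP version and protocol/port constraints.

```python
import re

# Limits come from the article; the dict keys and value spellings are hypothetical.
NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_.]*")  # ASCII alphanumerics assumed
MAX_NAME_LEN, MAX_RULES = 75, 1000
ACTIONS = {"ACCEPT_DECISIVELY", "DROP"}
PORT_PROTOCOLS = {"TCP", "UDP"}
PORTLESS_PROTOCOLS = {"IP", "ICMP"}


def validate_rule(rule, existing_names):
    """Return a list of problems; an empty list means the rule passes."""
    errors = []
    name = rule.get("name", "")
    if len(name) > MAX_NAME_LEN:
        errors.append("name exceeds 75 characters")
    if not NAME_RE.fullmatch(name):
        errors.append("name has invalid characters or an invalid first character")
    if name.startswith("CCDEFAULT."):
        errors.append("name uses the reserved CCDEFAULT. prefix")
    if name in existing_names:  # exact-match comparison is an assumption
        errors.append("name is not unique within the Network Domain")
    if len(existing_names) >= MAX_RULES:
        errors.append("Network Domain already holds 1,000 rules")
    if rule.get("action") not in ACTIONS:
        errors.append("action must be ACCEPT_DECISIVELY or DROP")
    if rule.get("ip_version") not in {"IPV4", "IPV6"}:
        errors.append("ip_version must be IPV4 or IPV6")
    src, dst = rule.get("source", "ANY"), rule.get("destination", "ANY")
    if rule.get("ip_version") == "IPV6" and src == "ANY" and dst == "ANY":
        errors.append("IPv6 rules cannot use Any for both source and destination")
    protocol = rule.get("protocol")
    ports = (rule.get("source_port", "ANY"), rule.get("destination_port", "ANY"))
    if protocol not in PORT_PROTOCOLS | PORTLESS_PROTOCOLS:
        errors.append("protocol must be IP, ICMP, TCP or UDP")
    elif protocol in PORTLESS_PROTOCOLS and ports != ("ANY", "ANY"):
        errors.append("IP and ICMP rules apply to Any ports only")
    return errors


# Constructed sample rules, not taken from a real Network Domain.
GOOD = {"name": "allow_https.web", "action": "ACCEPT_DECISIVELY", "ip_version": "IPV4",
        "protocol": "TCP", "source": "ANY", "destination": "10.0.0.10",
        "destination_port": "443"}
BAD = {"name": "CCDEFAULT.my rule", "action": "DROP", "ip_version": "IPV6",
       "protocol": "ICMP", "source": "ANY", "destination": "ANY",
       "destination_port": "22"}

if __name__ == "__main__":
    for r in (GOOD, BAD):
        print(r["name"], "->", validate_rule(r, {"allow_ssh.mgmt"}) or "OK")
```

Pass the names of all rules already on the Network Domain, including the default rules, as `existing_names` so the uniqueness and rule count checks are meaningful.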