This article provides an overview of Firewall IP Address and Ports list functionality available in MCP 2.0 locations.
Content / Solution:
When creating Firewall Rules in MCP 2.0 locations, users can specify as the Source or Destination a single IP address, a range of IP addresses, or 'any' IP address and a single port, a range of ports, or 'any' port (when the protocol is TCP, UDP, or ICMP). Although these options are sufficient when adding a single server to a Firewall Rule, it can be both difficult and time-consuming to add a multitude of servers to one or more Firewall Rules at a time. In order to mitigate this limitation, CloudControl allows you to create and apply IP Address Lists and Port Lists – both of which greatly expand the range of values that can be provided as the Source or Destination of a Firewall Rule.
As their names imply, an IP Address List is simply a pre-configured list of IP addresses, while a Port List is a collection of port numbers. An IP Address List can include IP addresses, contiguous IP address ranges, and other IP Address Lists. A Port List can contain individual ports, port ranges, and other Port Lists. By using IP Address Lists and Port Lists, users have the ability to reference a multitude of servers or ports in multiple Firewall Rules. A user can define one or more IP Address Lists and Port Lists and can select one or more of these IP Address Lists and Port Lists when creating a Firewall Rule. (Technically, a user can specify any combination of inline addresses, ports, IP Address Lists, and Port Lists when creating a Firewall Rule.) By allowing the selection of pre-defined IP Address Lists and Port Lists when creating a Firewall Rule, a user can apply the parameters of the rule to a much wider range of IP addresses and ports, thereby eliminating the need to create multiple Firewall Rules when the only difference between them is the Source or Destination.
These list functions are especially useful in dynamic Cloud environments where servers are regularly being added or removed. For example, consider a user who has a policy of six separate Firewall Rules that they want to apply to all web servers on their Network Domain. Unless they can refer to a range of IP addresses that covers all web servers, each time they add a web server they will have to create six separate firewall rules to enforce the policy on the new server. If they have 10 web servers, this might require 60 separate firewall rules! Similarly, each time they delete a web server, they will have six firewall rules associated with the web server to remove. By creating an IP Address List of web servers, they can create six firewall rules that reference the Web Server IP Address List. When web servers are added or removed, they can simply be added to or removed from the IP Address List, and all of the firewall rules will inherit the change. Port Lists work the same way: users can define a list of ports they want to allow or deny, and reference that Port List in their firewall rules. If ports need to be added or removed, the change can be made in the Port List and all firewall rules that reference the Port List are automatically updated.
Availability and Details
- Port Lists and IP Address Lists can be created by Primary Administrators or any user with a "Network" role.
- IP Address Lists and Port Lists are supported in all MCP 2.0 locations. The function is not supported for MCP 1.0 firewalls.
- IP Address Lists and Port Lists are defined at the Network Domain level and apply only within that Network Domain; you cannot create a list that applies to multiple Network Domains.
- Because firewall rules must apply specifically to either IPv4 or IPv6 addresses, IP Address Lists must consist entirely of either IPv4 or IPv6 members.
- One level of "nesting" of IP Address Lists and Port Lists is allowed, meaning that a list can include another list as a member - but only if the list being added as a member does not contain a list itself.
- Example: A user creates an IP Address List called "Web Servers" that contains 10.0.1.5 and 10.0.1.37. The user can create another IP Address List (e.g., "All Servers") that contains the "Web Servers" list as a member. In this manner, any firewall rule referencing "All Servers" will apply to all members of the "Web Servers" list. However, this "All Servers" list cannot be made a member of another IP Address List, since "All Servers" already contains the "Web Servers" list as a member.
- The system will prevent any action that would create more than one level of nesting. So in the above example, once the "Web Servers" list is a member of the "All Servers" list, the system will not allow you to add a different IP Address List to the "Web Servers" list, since that would create two levels of nesting.
- A maximum of 1,000 IP Address Lists and 1,000 Port Lists can be created per Network Domain.
- Each IP Address List or Port List can contain a maximum of 1,000 members.
- You can download IP Address Lists and Port Lists as a .csv file. See How to View and Manage Firewall Rules and Statistics on a Network Domain
- How to View and Manage Firewall IP Address Lists on a Network Domain
- How to View and Manage Firewall Port Lists on a Network Domain
- How to Create a Firewall Rule on a Network Domain
- How to View and Manage Firewall Rules and Statistics on a Network Domain
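To make the constraints listed under Availability and Details concrete, the following is an added Python model of an IP Address List (illustrative code, not CloudControl's own) that enforces them: one level of nesting in either direction, no mixed IPv4/IPv6 members, the 1,000-member cap, and a `contains` check showing that a rule referencing "All Servers" matches members of the nested "Web Servers" list from the example above. The class and method names are assumptions made for this illustration.

```python
import ipaddress

MAX_MEMBERS = 1000  # per-list member cap stated in the article

class IPAddressList:
    def __init__(self, name, version):
        self.name, self.version = name, version   # 4 or 6: a list is IPv4-only or IPv6-only
        self.members, self.parents = [], set()    # networks, (first, last) ranges, nested lists; parent names

    def _check(self, version):
        if version != self.version or len(self.members) >= MAX_MEMBERS:
            raise ValueError(f"{self.name}: mixed address family or {MAX_MEMBERS}-member limit")

    def add_address(self, cidr):
        net = ipaddress.ip_network(cidr, strict=False)  # "10.0.1.5" -> 10.0.1.5/32
        self._check(net.version)
        self.members.append(net)

    def add_range(self, first, last):
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if lo.version != hi.version or lo > hi:
            raise ValueError("range ends must share a family and be in order")
        self._check(lo.version)
        self.members.append((lo, hi))

    def add_list(self, other):
        # One level of nesting only: the new member may not itself contain a list,
        # and this list may not already be a member of another list.
        if any(isinstance(m, IPAddressList) for m in other.members) or self.parents:
            raise ValueError(f"adding {other.name} to {self.name} creates two nesting levels")
        self._check(other.version)
        self.members.append(other)
        other.parents.add(self.name)

    def contains(self, ip):
        # True if a firewall rule referencing this list would match `ip`.
        addr = ipaddress.ip_address(ip)
        return addr.version == self.version and any(
            m.contains(addr) if isinstance(m, IPAddressList)
            else (m[0] <= addr <= m[1] if isinstance(m, tuple) else addr in m)
            for m in self.members)

def article_example():
    # The "Web Servers" / "All Servers" lists from the article; a caller trying
    # IPAddressList("Everything", 4).add_list(all_servers) afterwards is refused.
    web = IPAddressList("Web Servers", 4)
    web.add_address("10.0.1.5")
    web.add_address("10.0.1.37")
    all_servers = IPAddressList("All Servers", 4)
    all_servers.add_list(web)  # allowed: exactly one level of nesting
    return web, all_servers
```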