This article provides an introduction to how Firewall Rules work in an MCP 2.0 environment, including the differences between ACL rules in MCP 1.0 and firewall rules in MCP 2.0. It also explains which IP traffic is allowed by default before any firewall rules are applied.

Note: This article applies only to MCP 2.0 locations. For information on MCP 1.0 capabilities see How to Manage ACL Rules on a Cloud Network

Content / Solution:

Overview of Firewall Rules

In MCP 2.0, Firewall Rules control all routed traffic within the Cloud Network Domain (that is, traffic between its VLANs; see the intra-VLAN note below) and all traffic between the Cloud Network Domain and other IP addresses. This includes:

  1. Traffic between IPs on VLANs on the Cloud Network Domain and the Public Internet (both IPv4 and IPv6 addresses)
    • This includes Public IPv4 and IPv6 addresses that may be associated with other Cloud Network Domains and Cloud Networks
  2. Traffic between any IPs associated with different VLANs deployed on the Cloud Network Domain
    • This includes both the Private IPv4 and the Public IPv6 address space
  3. Traffic between the Cloud Network Domain and any networks connected via a CPNC (Cloud Private Network Connection) attached to the Cloud Network Domain
    • If a client establishes a NAT on the Cloud Network Domain that maps to a private IP address on the CPNC-connected network, that traffic is also governed by the firewall rules.

Default IP Behavior Prior to Application of Firewall Rules

Default behavior of IP traffic before any firewall rules are applied is:

  • "Inbound" traffic from the Public Internet into the Cloud Network Domain (both IPv4 and IPv6) is denied by default.
    • You must explicitly allow such traffic via firewall rules.
    • Note that on deployment of a Cloud Network Domain there is also a default firewall rule that explicitly denies inbound IPv6 traffic. See the section below for more details.
  • "Outbound" traffic from the Cloud Network Domain to the Public Internet or to a CPNC connection (both IPv4 and IPv6) is allowed by default.
    • If a NAT mapping to the source server has been established, outbound IPv4 traffic will exit the Cloud Network Domain appearing to come from that public IPv4 address.
      • Otherwise, outbound IPv4 traffic exits via the global SNAT address associated with each Network Domain.
    • You may use firewall rules to block such traffic, but be aware that blocking outbound IPv4 will break deployments from Linux OS images, as those deployments require outbound IPv4 connectivity to complete their customization process.
  • "Intra-VLAN" traffic between IP addresses (private IPv4 or IPv6) on the same VLAN is always allowed.
    • Firewall rules do NOT affect traffic within the same VLAN, so such communication cannot be prevented by the Network Domain firewall; if it must be restricted, that has to be done on the servers themselves (for example with a host-based firewall).
  • "Inter-VLAN" traffic between IP addresses (private IPv4 or IPv6) on different VLANs is denied by default.
    • Firewall rules must be added to explicitly allow such traffic.

For additional information on IP routing behavior in MCP 2.0 environments, see:

"Default" Firewall Rules Applied to New Cloud Network Domains

When a new Cloud Network Domain is deployed, it comes with a small number of "default" rules that apply in addition to the behavior described above. Users with the appropriate permissions can enable or disable these rules. For details, see What Firewall Rules are in Place when I Deploy a Cloud Network Domain in MCP 2.0.

Firewall Rule Behavior

Firewall Rules in MCP 2.0 exhibit the following behavior:

  1. Firewall Rules are processed in order. Unlike ACL Rules in MCP 1.0, there is no numeric priority associated with each firewall rule; the rules are simply evaluated from top to bottom. When creating a firewall rule, you define its position relative to the other firewall rules. For more details, see How to Create a Firewall Rule on a Network Domain
  2. Firewall Rules support two actions. Because the first matching rule is final, order your rules with these actions in mind:
    • Accept Decisively - If traffic meets the criteria defined by the rule, the traffic is accepted and ALL following firewall rules are ignored.
    • Deny - If traffic meets the criteria defined by the rule, the traffic is denied. Any following firewall rules are ignored.
  3. Firewall Rules govern both IPv4 and IPv6 traffic. However, each firewall rule applies to only one IP version. When defining a firewall rule, you explicitly choose the "IP Version" (IPv4 or IPv6) for the rule; a rule never matches traffic of the other IP version, so a policy that must cover both needs a rule for each.

Firewall IP Address and Port Lists

Firewall IP Address and Port lists are pre-configured lists of IP addresses or port numbers, respectively. A user can define one or more IP Address Lists and/or Port Lists and can select one or more of these IP Address Lists and Port Lists when creating a Firewall Rule. For an overview, see: Introduction to Firewall IP Address and Port Lists. 

Firewall Rule Statistics (Overlap and Hit Counter)

Firewall Rule Statistics can help you determine the effectiveness of your Firewall Rules. Since Firewall Rules are applied in the order in which they appear on the Firewall Rule list, a rule higher up in the list is applied to traffic before a rule found below it. Due to this hierarchical structure, a Firewall Rule can be:

  1. Redundant - A Firewall Rule further up in the hierarchy already processes, in the same manner, the traffic that would hit this rule, so the redundant rule might no longer be needed.
  2. Conflicting - The conflicting rule attempts to process the same traffic as a higher-up rule in a different way; since the higher rule wins, the lower rule never takes effect. It might no longer be needed, or it might be the rule that was actually intended and needs to be moved up.

Users should periodically evaluate whether they have Redundant or Conflicting rules that can be deleted, or that should be moved higher up in the Firewall Rule list to process the traffic in the expected manner. Note that a redundant Firewall Rule is never applied to network traffic.

The ability to see how often a Firewall Rule is 'hit' provides insight into traffic patterns. The Hit Counter shows the total number of 'hits' on a Firewall Rule together with the exact date and time of the most recent hit. Every time a Firewall Rule processes traffic, the hit counter increases and the timestamp is updated. A hit count of 0 indicates that a Firewall Rule has never been hit, and rules that are not being hit might not be needed. It is important to note that if a Firewall Rule is Disabled, the hit counter stops recording hits, so a zero or stale count on a disabled rule says nothing about whether the traffic is still arriving.
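The ordered first-match evaluation described under Firewall Rule Behavior above, together with the default behavior, the hit counter and the redundant/conflicting rule concepts from this section, as a small runnable simulation. This is an added example, not MCP 2.0 / CloudControl code or its API: the VLAN names, addresses, rule names and the simplified matching model (source CIDR, destination CIDR, destination port) are constructed assumptions for illustration only.

```python
"""Added example (not MCP 2.0 / CloudControl product code): simulates ordered
first-match Firewall Rule evaluation (Accept Decisively / Deny, one IP version per
rule), the default behaviour when no rule matches, the hit counter, and the
redundant / conflicting check. Names and addresses are constructed assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ACCEPT, DENY = "ACCEPT_DECISIVELY", "DENY"

@dataclass
class Rule:
    name: str
    ip_version: int          # 4 or 6: a rule matches only one IP version
    action: str              # ACCEPT or DENY
    src: str                 # CIDR; 0.0.0.0/0 or ::/0 means "any"
    dst: str
    dst_port: Optional[int]  # None means any destination port (simplified syntax)
    enabled: bool = True
    hits: int = 0            # hit counter; frozen while the rule is disabled

@dataclass
class Flow:
    src: str
    dst: str
    dst_port: int
    src_vlan: Optional[str]  # VLAN inside the Network Domain; None = outside it
    dst_vlan: Optional[str]

def matches(rule, flow):
    """True if an enabled rule of the flow's IP version covers src, dst and port."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    return (rule.enabled and src.version == rule.ip_version
            and src in ip_network(rule.src) and dst in ip_network(rule.dst)
            and rule.dst_port in (None, flow.dst_port))

def default_decision(flow):
    """No rule matched: outbound is allowed, inbound and inter-VLAN are denied."""
    outbound = flow.src_vlan is not None and flow.dst_vlan is None
    return ACCEPT if outbound else DENY

def evaluate(rules, flow):
    """Return (decision, deciding rule name or None). Rules are walked in list
    order; the first match decides and every later rule is ignored."""
    if flow.src_vlan is not None and flow.src_vlan == flow.dst_vlan:
        return ACCEPT, "intra-vlan (rules not consulted)"
    for rule in rules:
        if matches(rule, flow):
            rule.hits += 1
            return rule.action, rule.name
    return default_decision(flow), None

def shadow_report(rules):
    """Flag each rule fully covered by an earlier enabled rule of the same IP
    version: same action = redundant (never applied), different = conflicting.
    Containment check only; partial overlaps are not reported."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if not earlier.enabled or earlier.ip_version != later.ip_version:
                continue
            covered = (ip_network(later.src).subnet_of(ip_network(earlier.src))
                       and ip_network(later.dst).subnet_of(ip_network(earlier.dst))
                       and earlier.dst_port in (None, later.dst_port))
            if covered:
                kind = "redundant" if earlier.action == later.action else "conflicting"
                findings.append((later.name, kind, earlier.name))
                break
    return findings

def sample_rules():
    # Constructed: VLAN "web" = 10.0.1.0/24, VLAN "db" = 10.0.2.0/24, 203.0.113.10 = web server NAT IP
    return [
        Rule("allow-https-to-web", 4, ACCEPT, "0.0.0.0/0", "203.0.113.10/32", 443),
        Rule("web-to-db-mysql", 4, ACCEPT, "10.0.1.0/24", "10.0.2.0/24", 3306),
        Rule("deny-web-to-db-mysql", 4, DENY, "10.0.1.0/24", "10.0.2.0/24", 3306),   # conflicting
        Rule("web-to-db-mysql-dup", 4, ACCEPT, "10.0.1.0/24", "10.0.2.0/24", 3306),  # redundant
        Rule("deny-inbound-ipv6", 6, DENY, "::/0", "2001:db8::/32", None),
    ]

def run_sample():
    """Return (decisions, hit counts, shadow report, result after disabling rule 1)."""
    rules = sample_rules()
    flows = {
        "inbound-https": Flow("198.51.100.7", "203.0.113.10", 443, None, "web"),
        "inbound-ssh": Flow("198.51.100.7", "203.0.113.10", 22, None, "web"),
        "outbound-http": Flow("10.0.1.5", "198.51.100.7", 80, "web", None),
        "web-to-db-3306": Flow("10.0.1.5", "10.0.2.9", 3306, "web", "db"),
        "web-to-db-22": Flow("10.0.1.5", "10.0.2.9", 22, "web", "db"),
        "web-to-web-22": Flow("10.0.1.5", "10.0.1.6", 22, "web", "web"),
        "inbound-v6": Flow("2001:db8:ffff::1", "2001:db8:1::10", 443, None, "web"),
    }
    decisions = {name: evaluate(rules, flow) for name, flow in flows.items()}
    report = decisions, {r.name: r.hits for r in rules}, shadow_report(rules)
    rules[0].enabled = False  # disabled: the HTTPS flow now falls through; counter stays at 1
    return report + ((evaluate(rules, flows["inbound-https"]), rules[0].hits),)

if __name__ == "__main__":
    print(*run_sample(), sep="\n")
```

Running the simulation shows the operational signals this section describes: the Deny rule placed under an Accept Decisively rule for the same traffic never fires (its hit counter stays at 0 and the shadow report lists it as conflicting), the duplicate Accept rule is reported as redundant, the SSH and inter-VLAN flows with no matching rule fall through to the default deny, the outbound flow falls through to the default allow, and once the first rule is disabled its counter freezes even though the HTTPS traffic is still arriving and is now being denied.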

For more details, see How to View and Manage Firewall Rules and Statistics on a Network Domain