印刷

VeloCloud SD-WAN 5.2 - Administration Guide - Firewall Overview 印刷

Firewall Overview

A firewall is a network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules. Orchestrator supports configuration of Stateless, Stateful, and Enhanced Firewall Services (EFS) rules for Profiles and Edges.

Stateful Firewall

A Stateful firewall monitors and tracks the operating state and characteristics of every network connection coming through the firewall and uses this information to determine which network packets to allow through the firewall. The Stateful firewalls build a state table and use this table to allow only returning traffic from connections currently listed in the state table. After a connection is removed from the state table, no traffic from the external device of this connection is permitted.

The Stateful firewall feature provides the following benefits:
  • Prevent attacks such as denial of service (DoS) and spoofing
  • More robust logging
  • Improved network security

The main differences between a Stateful firewall and a Stateless firewall are:

  • Matching is directional. For example, you can allow hosts on VLAN 1 to initiate a TCP session with hosts on VLAN 2 but deny the reverse. Stateless firewalls translate into simple ACLs (Access lists) which do not allow for this kind of granular control.
  • A stateful firewall is session aware. Using TCP's 3-way handshake as an example, a stateful firewall will not allow a SYN-ACK or an ACK to initiate a new session. It must start with a SYN, and all other packets in the TCP session must also follow the protocol correctly or the firewall will drop them. A stateless firewall has no concept of a session and instead filters packets based purely on a packet by packet, individual basis.
  • A stateful firewall enforces symmetric routing. For instance, it is very common for asymmetric routing to happen in a Arista network where traffic enters the network through one Hub but exits through another. Leveraging third-party routing, the packet is still able to reach its destination. With a stateful firewall, such traffic would be dropped.
  • Stateful firewall rules get rechecked against existing flows after a configuration change. So, if an existing flow has already been accepted, and you configure the stateful firewall to now drop those packets, the firewall will recheck the flow against the new rule set and then drop it. For those scenarios where an "allow" is changed to "drop" or "reject", the pre-existing flows will time out and a firewall log will be generated for the session close.
The requirements to use the Stateful Firewall are:
  • The VeloCloud SD-WAN Edge must be using Release 3.4.0 or later.
  • By default, the Stateful Firewall feature is a customer capability activated for new customers on an VeloCloud Orchestrator using 3.4.0 or later releases. Customers created on a 3.x Orchestrator will need assistance from a Partner or VeloCloud SD-WAN Support to activate this feature.
  • The VeloCloud Orchestrator allows the enterprise user to activate or deactivate the Stateful Firewall feature at the Profile and Edge level from the respective Firewall page. To deactivate the Stateful Firewall feature for an enterprise, contact an Operator with Super User permission.
    Note: Asymmetric routing is not supported in Stateful Firewall activated Edges.

Enhanced Firewall Services

Enhanced Firewall Services (EFS) provide additional EFS security functionalities on VeloCloud SD-WAN Edges. The Security powered EFS functionality supports Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) services on VeloCloud SD-WAN Edges. The Edge Enhanced Firewall Services (EFS) protect Edge traffic from intrusions across Branch to Branch, Branch to Hub, or Branch to Internet traffic patterns.

Currently, SD-WAN Edge Firewall provides stateful inspection along with application identification without additional EFS security features. While the stateful Firewall SD-WAN Edge provides security, it is not adequate and creates a gap in providing EFS security integrated natively with VeloCloud SD-WAN. Edge EFS address these security gaps and offers enhanced threat protection natively on the SD-WAN Edge in conjunction with VeloCloud SD-WAN.

Customer can configure and manage the Stateful Firewall and EFS using the Firewall functionality in VeloCloud Orchestrator. To configure firewall settings at the Profile and Edge level, see:

Firewall Logs

With the Stateful Firewall and Enhanced Firewall Services (EFS) features activated, more information can be reported in the firewall logs. The firewall logs will contain the following fields: Time, Segment, Edge, Action, Interface, Protocol, Source IP, Source Port, Destination IP, Destination Port, Extension Headers, Rule, Reason, Bytes Received, Bytes Sent, Duration, Application, Destination Domain, Destination Name, Session ID, Signature, IPS Alert, IDS Alert, Signature ID, Category, Attack Source, Attack Target, and Severity.
Note: Not all fields will be populated for all firewall logs. For example, Reason, Bytes Received/Sent and Duration are fields included in logs when sessions are closed. Signature, IPS Alert, IDS Alert, Signature ID, Category, Attack Source, Attach Target, and Severity are populated only for EFS alerts, not for firewall logs.
Firewall logs are generated:
  • When a flow is created (on the condition that the flow is accepted)
  • When the flow is closed
  • When a new flow is denied
  • When an existing flow is updated (due to a firewall configuration change)
You can view the firewall logs by using the following firewall features:
  • Hosted Firewall Logging - Allows you to turn ON or OFF the Firewall Logging feature at the Enterprise Edge level to send Firewall logs to the Orchestrator.
    Note: Starting with the 5.4.0 release, for Hosted Orchestrators, the Enable Firewall Logging to Orchestrator capability is activated by default for new and existing Enterprises. At the Edge level, customers must activate Hosted Firewall Logging to send Firewall logs from the Edge to the Orchestrator. For On-Prem Orchestrators, customers must contact their Operators to activate the Enable Firewall Logging to Orchestrator capability.

    You can view the Edge Firewall logs in Orchestrator from the Monitor > Firewall Logs page. For more information, see Monitor Firewall Logs.

  • Syslog Forwarding - Allows you to view the logs by sending the logs originating from enterprise SD-WAN Edge to one or more configured remote servers. By default, the Syslog Forwarding feature is deactivated for an enterprise. To forward the logs to remote Syslog collectors, you must:
    1. Activate Syslog Forwarding feature under Configure > Edges/Profile > Firewall tab.
    2. Configure a Syslog collector under Configure > Edges/Profile > Device > Syslog Settings . For steps on how to configure Syslog collector details per segment in the Orchestrator, see Configure Syslog Settings for Profiles.
Note: For Edge versions 5.2.0 and above, Firewall Logging is not dependent on Syslog Forwarding configuration.

Configure Profile Firewall

A Firewall is a network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules. Orchestrator supports configuration of stateless and stateful Firewalls for Profiles and Edges.

For additional information on Firewall, see Firewall Overview.

Configure Profile Firewall

To configure Profile Firewall:
  1. In the SD-WAN service of the Enterprise portal, go to Configure > Profiles . The Profiles page displays the existing Profiles.
  2. To configure a Profile Firewall, select the link to the Profile and select the Firewall tab. Alternatively, you can select the View link in the Firewall column of the Profile.
  3. The Firewall page appears.
    Figure 1. Configuring a Profile Firewall
  4. From the Firewall tab, you can configure the following Edge Security and Firewall capabilities:
    Table 1. Edge Security and Firewall Parameters
    Field Description
    Edge Access Allows you to configure a Profile for Edge access. You must make sure to select the appropriate option for Support access, Console access, USB port access, SNMP access, and Local Web UI access under Firewall settings to make the Edge more secure. This will prevent any malicious user from accessing the Edge. By default, Support access, Console access, SNMP access, and Local Web UI access are deactivated for security reasons. For additional information, see the section Configure Edge Access.
    Firewall Status Allows you to turn ON or OFF the Firewall rules, configure Firewall settings, and in-bound ACLs for all Edges associated with the Profile.
    Note: By default, this feature is activated. You can deactivate the Firewall function for Profiles by turning the Firewall Status to OFF.
    Note: At the Edge level, once you override the inherited Firewall Status settings, the Edge will stop inheriting any further Firewall Status setting changes from the associated Profile even when the setting is changed at the associated Profile level or when assigned to a different Profile. However, if the Firewall Status setting is turned off in the Profile, this setting will be inherited by the Edge, and it will be deactivated even if the Firewall Status is enabled on the Edge.
    Enhanced Firewall Services Allows you to turn ON or OFF the Enhanced Firewall Services (EFS) feature for all Edges associated with the Profile.
    Note: By default, this feature is not activated.

    For additional information, see Configure Enhanced Firewall Services.
    Firewall Logging Allows you to turn ON or OFF the Firewall Logging feature for all Edges associated with the Profile. By default, Edges cannot send their Firewalls logs to Orchestrator.
    Note: For Firewall Logging to Orchestrator to work make sure the SD-WAN Edges are running on version 5.2 and above.
    Note: For an Edge to send the Firewall logs to Orchestrator, ensure that the “ Enable Firewall Logging to Orchestrator” customer capability is activated at the Customer level under “Global Settings” UI page. Customers must contact your Operator if you would want the Firewall Logging feature to be activated.

    You can view the Edge Firewall logs in Orchestrator from the Monitor > Firewall Logs page. For additional information, see Monitor Firewall Logs.
    Syslog Forwarding By default, the Syslog Forwarding feature is deactivated for an Enterprise. To collect VeloCloud Orchestrator bound events and Firewall logs originating from Enterprise SD-WAN Edge to one or more centralized remote Syslog collectors (Servers), an Enterprise user must activate this feature at the Edge/Profile level. To configure Syslog collector details per segment in the VeloCloud Orchestrator, see Configure Syslog Settings for Profiles.
    Note: You can view both IPv4 and IPv6 Firewall logging details in a IPv4-based Syslog Server.
    Firewall Rules The existing pre-defined Firewall rules are displayed. You can select + NEW RULE to create a new Firewall rule. For additional information, see Configure Firewall Rule. To delete existing Firewall rules, select the checkboxes prior to the rules and select DELETE. To duplicate a Firewall rule, select the rule and select CLONE. While creating or updating a Firewall rule, you can add comments about the rule in the New Comment field in the Comment History tab. A maximum of 50 characters is allowed and you can add any number of comments for the same rule.
    Stateful Firewall By default, the Stateful Firewall feature is deactivated for an Enterprise. VeloCloud Orchestrator allows you to set session timeout for established and non-established TCP flows, UDP flows, and other flows at the Profile level. Optionally, you can also override the Stateful firewall settings at the Edge level. For additional information, see the topic Configure Stateful Firewall Settings.
    Network & Flood Protection To secure all connection attempts in an Enterprise network, VeloCloud Orchestrator allows you to configure Network and Flood Protection settings at the Profile and Edge levels, to protect against the various types of attacks. For additional information, see the topic Configure Network & Flood Protection Settings.

Configure Edge Access

To configure Edge access for Profiles, perform the following steps:
  1. In the SD-WAN service of the Enterprise portal, go to Configure > Profiles > Firewall .
  2. Under Edge Security, select the Edge Access expand icon.
    Figure 2. Configuring Edge Access
  3. You can configure one or more of the following Edge Access options, and select Save Changes:
    Table 2. Edge Access Parameters
    Field Description
    Log Edge Access When activated, all access to the Edge is logged, including successful and failed attempts.
    Support Access Select Allow the following IPs if you want to explicitly specify the IP addresses from where you can SSH into this Edge. You can enter both IPv4 and IPv6 addresses separated by comma (,).

    By default, Deny All is selected.
    Console Access Select Allow to activate Edge access through Physical Console (Serial Port or Video Graphics Array (VGA) Port). By default, Deny is selected and Console login is deactivated after Edge activation.
    Note: Whenever the console access setting is changed from Allow to Deny or vice-versa, the Edge must be rebooted manually.
    Enforce Power-on Self Test When activated, a failed Power-on Self Test will deactivate the Edge. You can recover the Edge by running factory reset and then reactivate the Edge.
    USB Port Access Select Allow to activate and select Deny to deactivate the USB port access on Edges.

    This option is available only for Edge models 510 and 6x0.

    Note: Whenever the USB port access setting is changed from Allow to Deny or vice-versa, you must reboot the Edge manually if you have access to the Edge and if the Edge is in a remote site, restart the Edge using VeloCloud Orchestrator. For instructions, refer to Remote Actions.
    SNMP Access Allows Edge access from routed interfaces/WAN through SNMP. Select one of the following options:
    • Deny All- By default, SNMP access is deactivated for all devices connected to an Edge.
    • Allow All LAN- Allows SNMP access for all devices connected to the Edge through a LAN network.
    • Allow the following IPs- Allows you to explicitly specify the IP addresses from where you can access the Edge through SNMP. Separate each IPv4 or IPv6 addresses with a comma (,).
    Local Web UI Access Allows Edge access from routed interfaces/WAN through a Local Web UI. Select one of the following options:
    • Deny All- By default, Local Web UI access is deactivated for all devices connected to an Edge.
    • Allow All LAN- Allows Local Web UI access for all devices connected to the Edge through a LAN network.
    • Allow the following IPs- Allows you to explicitly specify the IP addresses from where you can access the Edge through Local Web UI. Separate each IPv4 or IPv6 addresses with a comma (,).
    Local Web UI Port Number Enter the port number of the local Web UI from where you can access the Edge. The default value is 80.
If you want to override the Edge access settings for a specific Edge, use Enable Edge Override option available on the Edge Firewall page.

Configure Stateful Firewall Settings

To configure Stateful Firewall Settings for Profiles, perform the following steps:
  1. In the SD-WAN service of the Enterprise portal, go to Configure > Profiles > Firewall .
  2. Under Configure Firewall, turn on the Stateful Firewall toggle button and then select the expand icon. By default, the timeout sessions are applied for IPv4 addresses.
    Figure 3. Configure Stateful Firewall Settings
  3. You can configure the following Stateful Firewall settings, and select Save Changes:
    Table 3. Stateful Firewall Settings
    Field Description
    Established TCP Flow Timeout (seconds) Sets the inactivity timeout period (in seconds) for established TCP flows, after which they are no longer valid. The allowable value ranges from 60 seconds through 15999999 seconds. The default value is 7440 seconds.
    Non Established TCP Flow Timeout (seconds) Sets the inactivity timeout period (in seconds) for non-established TCP flows, after which they are no longer valid. The allowable value ranges from 60 seconds through 604800 seconds. The default value is 240 seconds.
    UDP Flow Timeout (seconds) Sets the inactivity timeout period (in seconds) for UDP flows, after which they are no longer valid. The allowable value ranges from 60 seconds through 15999999 seconds. The default value is 300 seconds.
    Other Flow Timeout (seconds) Sets the inactivity timeout period (in seconds) for other flows such as ICMP, after which they are no longer valid. The allowable value ranges from 60 seconds through 15999999 seconds. The default value is 60 seconds.
    Note:

    The configured timeout values apply only when the memory usage is below the soft limit. Soft limit corresponds to anything below 60 percent of the concurrent flows supported by the platform in terms of memory usage.

Configure Network & Flood Protection Settings

VeloCloud SD-WAN provides detection and protection against following types of attacks to combat exploits at all stages of their execution:
  • Denial-of-Service (DoS) attack
  • TCP-based attacks- Invalid TCP Flags, TCP Land, and TCP SYN Fragment
  • ICMP-based attacks- ICMP Ping of Death and ICMP Fragment
  • IP-based attacks- IP Unknown Protocol, IP Options, IPv6 Unknown Protocol, and IPv6 Extension Header.
Table 4. Network & Flood Protection Settings
Attack Type Description
Denial-of-Service (DoS) attack A denial-of-service (DoS) attack is a type of network security attack that overwhelms the targeted device with a tremendous amount of bogus traffic so that the target becomes so preoccupied processing the bogus traffic that legitimate traffic cannot be processed. The target can be a firewall, the network resources to which the firewall controls access, or a specific hardware platform or operating system of an individual host. The DoS attack attempts to exhaust the target device's resources, making the target device unavailable to legitimate users.

There are two general methods of DoS attacks: flooding services or crashing services. Flood attacks occur when the system receives too much traffic for the server to buffer, causing them to slow down and eventually stop. Other DoS attacks simply exploit vulnerabilities that cause the target system or service to crash. In these attacks, input is sent that takes advantage of bugs in the target that subsequently crash or severely destabilize the system.
Invalid TCP Flags Invalid TCP flags attack occurs when a TCP packet has a bad or invalid flag combination. A vulnerable target device will crash due to invalid TCP flag combinations and therefore it is recommended to filter them out. Invalid TCP flags guards against:
  • Packet that has no flags set in its TCP header such as SYN, FIN, ACK, etc,
  • TCP header that has SYN and FIN flags combined, which are mutually exclusive flags in reality
TCP Land A Land attack is a Layer 4 DoS attack in which, a TCP SYN packet is created such that the source IP address and port are set to be the same as the destination IP address and port, which in turn is set to point to an open port on a target device. A vulnerable target device would receive such a message and reply to the destination address effectively sending the packet for reprocessing in an infinite loop. Thus, the device CPU is consumed indefinitely causing the vulnerable target device to crash or freeze.
TCP SYN Fragment The Internet Protocol (IP) encapsulates a Transmission Control Protocol (TCP) SYN segment in the IP packet to initiate a TCP connection and invoke a SYN/ACK segment in response. Because the IP packet is small, there is no legitimate reason for it to be fragmented. A fragmented SYN packet is anomalous, and as such suspect. In a TCP SYN fragment attack, a target server or host is flooded with TCP SYN packet fragments. The host catches the fragments and waits for the remaining packets to arrive so it can reassemble them. By flooding a server or host with connections that cannot be completed, the host's memory buffer overflows and therefore no further legitimate connections are possible, causing damage to the target host's operating system.
ICMP Ping of Death An Internet Control Message Protocol (ICMP) Ping of Death attack involves the attacker sending multiple malformed or malicious pings to a target device. While ping packets are generally small used for checking reachability of network hosts, they could be crafted larger than the maximum size of 65535 bytes by attackers.

When a maliciously large packet is transmitted from the malicious host, the packet gets fragmented in transit and when the target device attempts to reassemble the IP fragments into the complete packet, the total exceeds the maximum size limit. This could overflow memory buffers initially allocated for the packet, causing system crash or freeze or reboot, as they cannot handle such huge packets.
ICMP Fragment An ICMP Fragmentation attack is a common DoS attack which involves the flooding of fraudulent ICMP fragments that cannot be de-fragmented on the target server. As de-fragmentation can only take place when all fragments are received, temporary storage of such fake fragments takes up memory and may exhaust the available memory resources of the vulnerable target server, resulting in server unavailability.
IP Unknown Protocol IP Unknown Protocols refers to any protocol not listed in IANA: https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml.

Enabling IP Unknown Protocol protection blocks IP packets with the protocol field containing a protocol ID number of 143 or greater, as it could lead to crash if not handled properly on the end device. A cautious stance would be to block such IP packets from entering the protected network.
IP Options Attackers sometimes configure IP option fields within an IP packet incorrectly, producing either incomplete or malformed fields. Attackers use these malformed packets to compromise vulnerable hosts on the network. Exploitation of the vulnerability may potentially allow for arbitrary code execution. The vulnerability may be exploited after processing a packet containing a specific crafted IP option in the packet's IP header. Enabling IP Insecure Options protection blocks transit IP packets with incorrectly formatted IP option field in the IP packet header.
IPv6 Unknown Protocol Enabling IPv6 Unknown Protocol protection blocks IPv6 packets with the protocol field containing a protocol ID number of 143 or greater, as it could lead to crash if not handled properly on the end device. A cautious stance would be to block such IPv6 packets from entering the protected network.
IPv6 Extension Header IPv6 Extension Header attack is a DoS attack that occurs due to mishandling of extension headers in an IPv6 packet. The mishandling of IPv6 extension headers creates new attack vectors that could lead to DoS, and which can be exploited for different purposes, such as creating covert channels and routing header 0 attacks. Enabling this option would drop IPv6 packet with any extension header except fragmentation headers.
To configure Network and Flood Protection Settings for Profiles, perform the following steps:
  1. In the SD-WAN service of the Enterprise portal, go to Configure > Profiles > Firewall .
  2. Under Configure Firewall, ensure to turn on the Stateful Firewall feature.
  3. Select the Network & Flood Protection expand icon.
    Figure 4. Configuring Network and Flood Protection Settings
  4. You can configure the following Network and Flood Protection settings, and select Save Changes:
    Note: By default, the network and flood protection settings are applied for IPv4 addresses.
    Table 5. Network & Flood Protection Settings
    Field Description
    New Connection Threshold (connections per second) The maximum number of new connections that is allowed from a single source IP per second. The allowable value ranges from 10 percent through 100 percent. The default value is 25 percent.
    Denylist Select the checkbox to block a source IP address, which is violating the new connection threshold by sending flood traffic either due to misconfiguration of network or malicious user attacks.
    Note: The New Connection Threshold (connections per second) settings will not work unless Denylist is selected.
    Detect Duration (seconds) Before blocking a Source IP address, it is the grace time duration for which the violating source IP is allowed to send traffic flows.

    If a host sends flood traffic of new connection requests (port scan, TCP SYN flood, etc,) exceeding the maximum allowed connection per second (CPS) for this duration, it will be considered as eligible for deny listing instead of immediately deny listing it as soon as it exceeds the CPS per source once. For example, consider that the maximum allowed CPS is 10 with detect duration of 10 seconds, if the host floods new connection requests greater than 100 requests for 10 seconds, then the host will be Denylist.

    The allowable value ranges from 10 seconds through 100 seconds. The default value is 10 seconds.
    Denylist Duration (seconds) The time duration for which the violated source IP is blocked from sending any packets. The allowable value ranges from 10 seconds through 86400 seconds. The default value is 10 seconds.
    TCP Half-Open Threshold Per Destination The maximum number of half-open TCP connections that is allowed per destination. The allowable value ranges from 1 percent through 100 percent.
    TCP Based Attacks Supports protection from the following TCP-based attacks by enabling the respective checkboxes:
    • Invalid TCP Flags
    • TCP Land
    • TCP SYN Fragment
    ICMP Based Attacks Supports protection from the following ICMP-based attacks by enabling the respective checkboxes:
    • ICMP Ping of Death
    • ICMP Fragment
    IP Based Attacks Supports protection from the following IP-based attacks by enabling the respective checkboxes:
    • IP Unknown Protocol
    • IP Options
    • IPv6 Unknown Protocol
    • IPv6 Extension Header

Configure Edge Firewall

By default, all the Edges inherit the Firewall rules, Enhanced Firewall Services (EFS) settings, Stateful Firewall settings, Network and Flood Protection settings, Firewall Logging, Syslog Forwarding, and Edge access configurations from the associated Profile.

Note: For Firewall Logging to Orchestrator to work make sure the SD-WAN Edges are running on version 5.2 and above.
Under the Firewall tab of the Edge Configuration dialog, you can view all the inherited Firewall rules in the Rule From Profile area. Optionally, at the Edge-level, you can also override the inherited Firewall rules and various Firewall settings.
  1. In the SD-WAN service of the Enterprise portal, go to Configure > Edges .
  2. Select an Edge for which you want to override the inherited Firewall settings and click on the Firewall tab.
  3. Select the Override checkbox against the various Firewall settings if you want to modify the inherited Firewall rules and settings for the selected Edge.
    Note: The Edge override rules will take priority over the inherited Profile rules for the Edge. Any Firewall override match value that is the same as any Profile Firewall rule will override that Profile rule.
    Figure 5. Configure Edge Firewall
  4. At the Edge level, you can configure Port Forwarding and 1:1 NAT IPv4 or IPv6 rules individually by navigating to Additional Settings > Inbound ACLs .
    Note: By default, all inbound traffic will be blocked unless the Port Forwarding and 1:1 NAT Firewall Rules are configured. The outside IP will always be that of WAN IP or IP address from WAN IP subnet.
    Note: When configuring IPv6 Port Forwarding and 1:1 NAT rules, you can enter only Global or Unicast IP addresses and cannot enter Link Local Address.

Port Forwarding and 1:1 NAT Firewall Rules

Note: You can configure Port Forwarding and 1:1 NAT rules individually only at the Edge level.

Port Forwarding and 1:1 NAT firewall rules gives Internet clients access to servers connected to an Edge LAN interface. Access can be made available through either Port Forwarding Rules or 1:1 NAT (Network Address Translation) rules.

Port Forwarding Rules

Port forwarding rules allows you to configure rules to redirect traffic from a specific WAN port to a device (LAN IP/ LAN Port) within the local subnet. Optionally, you can also restrict the inbound traffic by an IP or a subnet. Port forwarding rules can be configured with the Outside IP which is on the same subnet of the WAN IP. It can also translate outside IP addresses in different subnets than the WAN interface address if the ISP routes traffic for the subnet towards the SD-WAN Edge.

The following figure illustrates the port forwarding configuration.

Figure 6. Port Forwarding Configuration

In the Port Forwarding Rules section, you can configure port forwarding rules with IPv4 or IPv6 address by clicking the +Add button and then entering the following details.

Figure 7. Configuring Port Forwarding Rules
  1. In the Name text box, enter a name (optional) for the rule.
  2. From the Protocol drop-down menu, select either TCP or UDP as the protocol for port forwarding.
  3. From the Interface drop-down menu, select the interface for the inbound traffic.
  4. In the Outside IP text box, enter the IPv4 or IPv6 address using which the host (application) can be accessed from the outside network.
  5. In the WAN Ports text box, enter a WAN port or a range of ports separated with a dash (-), for example 20-25.
  6. In the LAN IP and LAN Port text boxes, enter the IPv4 or IPv6 address and port number of the LAN, where the request will be forwarded.
  7. From the Segment drop-down menu, select a segment the LAN IP will belong to.
  8. In the Remote IP/subnet text box, specify an IP address of an inbound traffic that you want to be forwarded to an internal server. If you do not specify any IP address, then it will allow any traffic.
  9. Select the Log check box to activate logging for this rule.
  10. Select Save Changes.

1:1 NAT Settings

These are used to map an Outside IP address supported by the SD-WAN Edge to a server connected to an Edge LAN interface (for example, a web server or a mail server). It can also translate outside IP addresses in different subnets than the WAN interface address if the ISP routes traffic for the subnet towards the SD-WAN Edge. Each mapping is between one IP address outside the firewall for a specific WAN interface and one LAN IP address inside the firewall. Within each mapping, you can specify which ports will be forwarded to the inside IP address. The '+' icon on the right can be used to add additional 1:1 NAT settings.

The following figure illustrates the 1:1 NAT configuration.

Figure 8. 1:1 NAT Configuration

In the 1:1 NAT Rules section, you can configure 1:1 NAT rules with IPv4 address or IPv6 address by clicking the +Add button and then entering the following details.

Figure 9. Configuring 1:1 NAT Rule
  1. In the Name text box, enter a name for the rule.
  2. In the Outside IP text box, enter the IPv4 or IPv6 address with which the host can be accessed from an outside network.
  3. From the Interface drop-down menu, select the WAN interface where the Outside IP address will be bound.
  4. In the Inside (LAN) IP text box, enter the actual IPv4 or IPv6 (LAN) address of the host.
  5. From the Segment drop-down menu, select a segment the LAN IP will belong to.
  6. Select the Outbound Traffic check box, if you want to allow traffic from LAN Client to Internet being NATed to Outside IP address.
  7. Enter the Allowed Traffic Source (Protocol, Ports, Remote IP/Subnet) details for mapping in the respective fields.
  8. Select the Log check box to activate logging for this rule.
  9. Select Save Changes.

Configure Firewall Rule

You can configure Firewall rules at the Profile and Edge levels to allow, drop, reject, or skip inbound and outbound traffic. If stateful firewall feature is activated, the firewall rule will be validated to filter both inbound and outbound traffic. With stateless firewall, you can control to filter only outbound traffic. The firewall rule matches parameters such as IP addresses, ports, VLAN IDs, Interfaces, MAC addresses, domain names, protocols, object groups, applications, and DSCP tags. When a data packet matches the match conditions, the associated action or actions are taken. If a packet matches no parameters, then a default action is taken on the packet.

To configure a firewall rule at the Profile level, perform the following steps.

  1. In the SD-WAN service of the Enterprise portal, go to Configure > Profiles . The Profiles page displays the existing Profiles.
  2. Select a Profile to configure a firewall rule, and select the Firewall tab.

    From the Profiles page, you can navigate to the Firewall page directly by selecting the View link in the Firewall column of the Profile.

  3. Go to the Configure Firewall section and under Firewall Rules area, select + NEW RULE. The Configure Rule dialog box appears.
    Figure 10. Configure Firewall Rule
  4. In the Rule Name text box, enter a unique name for the Rule. To create a firewall rule from an existing rule, select the rule to be duplicated from the Duplicate Rule drop-down menu.
  5. In the Match section, configure the match conditions for the rule:
    Table 6. Firewall Rule Match Field Descriptions
    Field Description
    IP Version By default, IPv4 and IPv6 address type is selected. You can configure the Source and Destination IP addresses according to the selected Address Type, as follows:
    • IPv4 – Allows to configure only IPv4 addresses as Source and Destination.
    • IPv6 – Allows to configure only IPv6 addresses as Source and Destination.
    • IPv4 and IPv6 – Allows to configure both IPv4 and IPv6 addresses in the matching criteria. If you choose this mode, you cannot configure Source or Destination IP address.
    Note: When you upgrade, the firewall rules from previous versions are moved to IPv4 mode.
    Source Allows to specify the source for packets. Select any of the following options:
    • Any- Allows all source addresses by default.
    • Object Group- Allows you to select a combination of address group and service group. For additional information, see Object Groups and Configure Firewall Rule with Object Group.
      Note: If the selected address group contains any domain names, then they would be ignored when matching for the source.
      Define- Allows you to define the source traffic to a specific VLAN, Interface, IPv4 or IPv6 Address, MAC Address, or Transport Port. Select one of the following options:
      • VLAN- Matches traffic from the specified VLAN, selected from the drop-down menu.
        Note: When using a VLAN to match source or destination traffic in a firewall policy, it takes into account both local and remote VLANs.
      • Interface and IP Address- Matches traffic from the specified interface and IPv4 or IPv6 address, selected from the drop-down menu.
        Note: If an interface cannot be selected, then the interface is either not activated or not assigned to this segment.
        Note: If you select IPv4 and IPv6 (Mixed mode) as the Address Type, then the traffic is matched based on only the specified interface.
        Along with the IP address, you can specify one of the following address types to match the source traffic:
        • CIDR prefix- Choose this option if you want the network defined as a CIDR value (for example: 172.10.0.0 /16).
        • Subnet mask- Choose this option if you want the network defined based on a Subnet mask (for example, 172.10.0.0 255.255.0.0).
        • Wildcard mask- Choose this option if you want the ability to narrow the enforcement of a policy to a set of devices across different IP subnets that share a matching host IP address value. The Wildcard mask matches an IP, or a set of IP addresses based on the inverted Subnet mask. A '0' within the binary value of the mask means the value is fixed and a '1' within the binary value of the mask means the value is wild (can be 1 or 0). For example, a Wildcard mask of 0.0.0.255 (binary equivalent = 00000000.00000000.00000000.11111111) with an IP Address of 172.0.0, the first three octets are fixed values, and the last octet is a variable value. This option is available only for IPv4 address.
      • Mac Address- Matches traffic based on the specified MAC address.
      • Transport Port- Matches traffic from the specified source port or port range.
    Destination Allows to specify the destination for packets. Select any of the following options:
    • Any- Allows all destination addresses by default.
    • Object Group- Allows you to select a combination of address group and service group. For additional information, see Object Groups and Configure Firewall Rule with Object Group.
    • Define- Allows you to define the destination traffic to a specific VLAN, Interface, IPv4 or IPv6 Address, Domain Name, Protocol, or Port. Select one of the following options:
      • VLAN- Matches traffic from the specified VLAN, selected from the drop-down menu.
        Note: When using a VLAN to match source or destination traffic in a firewall policy, it takes into account both local and remote VLANs.
      • Interface- Matches traffic from the specified interface, selected from the drop-down menu.
        Note: If an interface cannot be selected, then the interface is either not activated or not assigned to this segment.
      • IP Address- Matches traffic for the specified IPv4 or IPv6 address and Domain name.
        Note: If you select IPv4 and IPv6 (Mixed mode) as the Address Type, then you cannot specify IP address as the destination.

        Along with the IP address, you can specify one of the following address types to match the source traffic: CIDR prefix, Subnet mask, or Wildcard mask.

        Use the Domain Name field to match the entire domain name or a portion of the domain name. For example, \"salesforce\" will match traffic to \" mixe\".

      • Transport- Matches traffic from the specified source port or port range.
        Protocol- Matches traffic for the specified protocol, selected from the drop-down menu. The supported protocols are GRE, ICMP, TCP, and UDP.
        Note: ICMP is not supported in Mixed mode (IPv4 and IPv6).
    Application Select any of the following options:
    • Any- Applies the firewall rule to any application by default.
    • Define- Allows to select an application and Differentiated Services Code Point (DSCP) flag to apply a specific firewall rule
    Note: When creating firewall rules matching an application, the firewall depends on the DPI (Deep Packet Inspection) Engine to identify the application to which a particular flow belongs. Generally, the DPI will not be able to determine the application based on the first packet. The DPI Engine usually needs the first 5-10 packets in the flow to identify the application, but the firewall needs to classify and forward the flow from the very first packet. This may cause the first flow to match a more generalized rule in the firewall list. Once the application has been correctly identified, any future flows matching the same tuples will be reclassified automatically and hit the correct rule.
  6. In the Action section, configure the actions to be performed when the traffic matches the defined criteria.
    Table 7. Firewall Rule Action Field Descriptions
    Field Description
    Firewall Select any of the following action the firewall should perform on packets, when the conditions of the rule are met:
    • Allow- Allows the data packets by default.
    • Drop- Drops the data packets silently without sending any notification to the source.
    • Reject- Drops the packets and notifies the source by sending an explicit reset message.
    • Skip- Skips the rule during lookups and processes the next rule. However, this rule will be used at the time of deploying SD-WAN.
      Note: You will be able to configure the Reject and Skip actions only if the Stateful Firewall feature is activated for Profiles and Edges.
    Log Select this check box if you want a log entry to be created when this rule is triggered.
  7. Select the IDS/IPS check box and activate either IDS or IPS toggle to create the Firewall. When user activates only IPS, IDS will be automatically activated. EFS engine inspects traffic sent/received through the Edges and matches content against signatures configured in the EFS engine. IDS/IPS Signatures are updated on a continuous basis with a valid EFS license. For additional information about EFS, see Enhanced Firewall Services Overview.
    Note: EFS can be activated in the rule only if the Firewall action is Allow. If the Firewall action is anything other than Allow, EFS will be deactivated.
    • Intrusion Detection System- When IDS is activated on Edges, the Edges detect if the traffic flow is malicious or not based on certain signatures configured in the engine. If attack is detected, the EFS engine generates an alert and sends the alert message to VeloCloud Orchestrator/Syslog Server if Firewall logging is activated in Orchestrator, and will not drop any packets.
    • Intrusion Prevention System- When IPS is activated on Edges, the Edges detect if the traffic flow is malicious or not based on certain signatures configured in the engine. If attack is detected, the EFS engine generates an alert and blocks the traffic flow to the client only if the signature rule has action as "Reject", matched by the malicious traffic. If the action in the signature rule is "Alert", the traffic will be allowed without dropping any packets even if you configure IPS.
    Note: Arista recommends customer to not activate VNF when IDS/IPS is activated on Edges.
  8. To send the EFS logs to Orchestrator, turn on the Capture EFS Log toggle button.
    Note: For an Edge to send the Firewall logs to Orchestrator, ensure that the “Enable Firewall Logging to Orchestrator” customer capability is activated at the Customer level under “Global Settings” UI page. Customers must contact your Operator if you would want the Firewall Logging feature to be activated.
  9. While creating or updating a Firewall rule, you can add comments about the rule in the New Comment field in the Comment History tab. A maximum of 50 characters is allowed and you can add any number of comments for the same rule.
  10. After configuring all the required settings, select Create.

    A firewall rule is created for the selected Profile, and it appears under the Firewall Rules area of the Profile Firewall page.

    Note: The rules created at the Profile level cannot be updated at the Edge level. To override the rule, user needs to create the same rule at the Edge level with new parameters to override the Profile level rule.

Enhanced Firewall Services

This section provides details about how to configure and monitor Enhanced Firewall Services (EFS).

Enhanced Firewall Services Overview

Enhanced Firewall Services (EFS) provide additional EFS security functionalities on VeloCloud SD-WAN Edges. The Security powered EFS functionality supports URL Category filtering, URL Reputation filtering, Malicious IP filtering, Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) services on VeloCloud SD-WAN Edges. The Edge Enhanced Firewall Services (EFS) protect Edge traffic from intrusions across Branch-to-Branch, Branch-to-Hub, or Branch-to-Internet traffic patterns.

Currently, SD-WAN Edge Firewall provides stateful inspection along with application identification without additional EFS security features. While the stateful Firewall SD-WAN Edge provides security, it is not adequate and creates a gap in providing EFS security integrated natively with VeloCloud SD-WAN. Edge EFS addresses these security gaps and offers enhanced threat protection natively on the SD-WAN Edge in conjunction with VeloCloud SD-WAN.

Customers can configure and manage the EFS features using the Firewall functionality in VeloCloud Orchestrator. Customers can configure Firewall Rules to block web traffic based on IDS/IPS Signature matching, category, and/or reputation of the URL or IP.
Note: If a customer is running a virtual edge in Azure and EFS is configured, ensure to configure the Azure scanner to exclude the Suricata signature file from scanning to avoid malware detection on VeloCloud SD-WAN Edges.

Limitations

When EFS is activated and IDS/IPS is configured, if you use the dynamic addressing with the address range outside the private address range in the case of IPv4 and the ULA address range in the case of IPv6 described in RFC1918, rule matching might not happen due to the address not being part of HOME_NETWORK setting in suricata.yaml.

Configure Enhanced Firewall Services

For the EFS feature to work:
  • Ensure the Edge version is upgraded to 5.2.0.0.
  • Ensure the EFS feature is activated at the Enterprise level. Contact your Operator if you would want the EFS feature to be activated. An Operator can activate the EFS feature from the SD-WAN > Global Settings > Customer Configuration > SD-WAN Settings > Feature Access UI page.

Customers can configure and manage the Enhanced Firewall Services (EFS) using the Firewall functionality in VeloCloud Orchestrator.

To configure EFS rule settings at the Profile level, perform the following steps:

  1. In the SD-WAN service of the Enterprise portal, go to Configure > Profiles . The Profiles page displays the existing Profiles.
  2. To configure a Profile Firewall, select the link to the Profile and then select the Firewall tab. Alternatively, you can also select the View link in the Firewall column of the Profile. The Firewall page appears.
    Figure 11. Configure EFS Rule Settings at the Profile Level
  3. Turn ON the Enhanced Firewall Services toggle button to activate the EFS feature for all Edges associated with the Profile. By default, this feature is not activated.
  4. Under Firewall Rules, you can create a new EFS rule or modify an existing firewall rule for EFS settings.
    • To create a new EFS rule:
      1. Select the + New Rule button. The Create Rule page appears.
        Figure 12. Create EFS Rule
      2. In the Rule Name text box, enter a unique name for the Rule. To create a firewall rule from an existing rule, select the rule to be duplicated from the Duplicate Rule drop-down menu.
      3. Configure the Match conditions and Firewall Actions to be performed when the traffic matches the defined match criteria. For additional information, see Configure Firewall Rule.
      4. Select the IDS/IPS check box and activate either IDS or IPS toggle to create the Firewall. When user activates only IPS, IDS will be automatically activated. EFS engine inspects traffic sent/received through the Edges and matches content against signatures configured in the EFS engine.
        Note: EFS can be activated in the rule only if the Firewall action is Allow. If the Firewall action is anything other than Allow, EFS will be deactivated.
        • Intrusion Detection System- When IDS is activated on Edges, the Edges detect if the traffic flow is malicious or not based on certain signatures configured in the engine. If attack is detected, the EFS engine generates an alert and sends the alert message to VeloCloud Orchestrator/Syslog Server if Firewall logging is activated in Orchestrator, and will not drop any packets.
        • Intrusion Prevention System- When IPS is activated on Edges, the Edges detect if the traffic flow is malicious or not based on certain signatures configured in the engine. If attack is detected, the EFS engine generates an alert and blocks the traffic flow to the client only if the signature rule has action as "Reject", matched by the malicious traffic. If the action in the signature rule is "Alert", the traffic will be allowed without dropping any packets even if you configure IPS.
        Note: Arista VeloCloud recommends customer to not activate VNF when IDS/IPS is activated on Edges.
      5. To send the EFS logs to Orchestrator, turn on the Capture EFS Log toggle button.
        Note: For an Edge to send the Firewall logs to Orchestrator, ensure that the “Enable Firewall Logging to Orchestrator” customer capability is activated at the Customer level under “Global Settings” UI page. Customers must contact your Operator if you would want the Firewall Logging feature to be activated.
      6. Select Create.
    • To modify an existing firewall rule for EFS settings:
      1. Under the Firewall Rules area of the Profile Firewall page, select the link under the Rule name column of an existing firewall to be modified.
      2. Modify the IDS/IPS settings and select Edit.
        Figure 13. Edit EFS Rule
  5. Select Save Changes.
You can override the EFS rule settings inherited from a Profile at the Edge level. To override EFS settings for an Edge, perform the following steps:
  1. In the SD-WAN service of the Enterprise portal, go to Configure > Edges . The Edges page displays the existing Edges.
  2. To configure an Edge, select the link to the Edge or select the View link in the Firewall column of the Edge.
  3. Select the Firewall tab.
    Figure 14. Configure EFS Rule Settings at the Edge Level
  4. To override the inherited EFS settings for a specific Edge, select the Override check box and turn on the toggle button next to the Enhanced Firewall Services UI label.
  5. Under Firewall Rules area of the Edge Firewall page, you can create a new EFS rule or override the inherited EFS rule settings for the Edge. Follow the procedure as described in the Step 5 of the Configure EFS Rule Settings at the Profile Level section.
  6. After you have overridden the EFS rule settings, select Save Changes.
Note: Firewall rules of the existing Edges that are not upgraded to the 5.2.0 release will not have any impact when you activate the EFS service at the global setting level or per rule level with IDS/IPS.

Monitor Enhanced Firewall Services Threats

You can monitor Enhanced Firewall Services (EFS) Threats based on the metrics collected using the EFS Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) for a specific Edge or an Enterprise.

Note: The monitoring pages related to EFS will only be visible if the EFS feature is activated in Global Settings.

Monitor EFS- Edge View

To view the EFS Threats details for a specific Edge:
  1. In the SD-WAN service of the Enterprise portal, select Monitor > Edges . The list of Edges associated with the Enterprise appears.
  2. Select an Edge by selecting the link to an Edge. The Network Overview page (default page view) appears.
  3. Select the Security Overview tab.
    The Security Overview page appears. In addition, you can select the time frame for the overview page by 12 hours, 24 hours, and so on.
    Figure 15. Monitor EFS- Edge View
    The Security Overview page is a graphical representation of cumulative data of the following EFS Threats details, based on the metrics collected using the EFS (IDS/IPS) for the selected Edge.
    • Total count of Threats Detected
    • Total count of Threats Prevented
    • Top Threats Detected filtered "By Count" (Default) or "By Impact"
    • Top Threat Origins filtered By "IP Address" (Default) or "By Country"
    • Top Impacted Clients filtered By "IP Address" (Default) or "By Country"
    • Histogram Trend of Threats for selected time frame.

    Under each graphical representation, selecting the View Details link displays detailed EFS information for the selected Edge, based on the selected metric type.

Monitor EFS- Enterprise View

To view the EFS Threats details for an Enterprise, select Monitor > Security Overview .

The Security Overview page is a graphical representation of Threat distribution based on the metrics collected using the EFS (IDS/IPS) for all Edges within an Enterprise. You can view the Threat distribution of all the Edges using the following two views:
  • Impacted Edge Distribution – Represents a map view of all the EFS Impacted Edges (by severity) and Protected Edges. The page graphically displays the following EFS Threats details for an Enterprise:
    • Total count of Edges Impacted
    • Total count of Edges Protected
    • Top Threats Detected filtered "By Count" (Default) or "By Impact"
    • Top Threat Origins filtered By "IP Address" (Default) or "By Country"
    • Top Impacted Edges filtered By "IP Edge Name" (Default) or "IP Address"
    • Top Impacted Clients filtered By "IP Address" (Default) or "By Country"
  • Impacted Edge List – Represents a tabular view of all the EFS impacted Edges along with Threat details. The page displays the following details: Name and Description of the impacted Edge, Name of the Profile to which the impacted Edge is associated with, Threat Type, Threat Impact on Edge, and Status of impacted Edge.

Enhanced Firewall Services Alerts and Events

Describes details about Enhanced Firewall Services (EFS) related Enterprise and Operator Orchestrator events.

Enterprise-level EFS Events

Table 8. Enterprise-level EFS Events List
EVENT DISPLAYED ON ORCHESTRATOR UI AS SEVERITY GENERATED BY GENERATED WHEN RELEASE ADDED IN DEPRECATED
MGD_ATPUP_INVALID _IDPS_SIGNATURE Invalid IDPS Signature ERROR Edge (MGD) Generated when there is an invalid suricata package. 5.2.0  
MGD_ATPUP_DOWNLOAD _IDPS_SIGNATURE _FAILED Download IDPS Signature failed ERROR Edge (MGD) Generated when downloading of suricata package fails. 5.2.0  
MGD_ATPUP_DECRYPT _IDPS_SIGNATURE _FAILED Decrypt IDPS Signature failed ERROR Edge (MGD) Generated when unpacking of suricata package fails. 5.2.0  
MGD_ATPUP_APPLY _IDPS_SIGNATURE _FAILED Failed to apply IDPS Signature ERROR Edge (MGD) Generated due to error in applying Suricata files. 5.2.0  
MGD_ATPUP_APPLY _IDPS_SIGNATURE _SUCCEEDED Successfully applied IDPS Signature INFO Edge (MGD) Generated when suricata files are successfully applied. 5.2.0  
MGD_ATPUP _STANDBY_UPDATE _START Standby device IDPS Signature update started INFO Edge (MGD) Generated when HA Standby update with new EFS IDPS Signature version is started. 5.2.0  
MGD_ATPUP _STANDBY_UPDATE _FAILED Standby device IDPS Signature update failed ERROR Edge (MGD) Generated when HA Standby update with new EFS IDP Signature version fails. 5.2.0  
MGD_ATPUP _STANDBY_UPDATED Standby device IDPS Signature update completed INFO Edge (MGD) Generated when HA Standby update with new EFS IDPS Signature version is successfully applied. 5.2.0  

Operator-level EFS Events

Table 9. Operator-level EFS Events List
EVENT DISPLAYED ON ORCHESTRATOR UI AS SEVERITY GENERATED BY GENERATED WHEN RELE ASE ADDED IN DEPRE _CATED
IDPS_SIGNATURE _VCO_VERSION _CHECK_FAIL Querying existing signature version from local DB failed ERROR Orchestrator Generated when Orchestrator backend poll job has failed to retrieve existing suricata signature version from Orchestrator's local database. 5.2.0  
IDPS_SIGNATURE _GSM_VERSION _CHECK_FAIL Querying signature metadata from GSM failed ERROR Orchestrator Generated when Orchestrator backend poll job has failed to retrieve existing suricata signature metadata (that includes signature version) from GSM. 5.2.0  
IDPS_SIGNATURE _SKIP_DOWNLOAD _NO_UPDATE Skipping signature download due to no change in signature version INFO Orchestrator Generated when Orchestrator backend poll job skips downloading suricata signature file due to no change in suricata signature file version. 5.2.0  
IDPS_SIGNATURE _STORE_FAILURE _NO_PATH Filestore path not set to store signature file ERROR Orchestrator Generated when Orchestrator backend poll job fails to store suricata signature file due to filestore path not being set. 5.2.0  
IDPS_SIGNATURE _DOWNLOAD _SUCCESS Successfully downloaded signature file from GSM INFO Orchestrator Generated when Orchestrator backend poll job successfully downloads suricata signature file from GSM. 5.2.0  
IDPS_SIGNATURE _DOWNLOAD _FAILURE Failed to download signature file from GSM ERROR Orchestrator Generated when Orchestrator backend poll job fails to download suricata signature file from GSM. 5.2.0  
IDPS_SIGNATURE _STORE _SUCCESS Successfully stored the signature file in filestore INFO Orchestrator Generated when Orchestrator backend poll job successfully stores the suricata signature file in local file store. 5.2.0  
IDPS_SIGNATURE _STORE_SIGNATURE _FAILURE Failed to store the signature file in filestore ERROR Orchestrator Generated when Orchestrator backend poll job fails to store the suricata signature file in local file store. 5.2.0  
IDPS_SIGNATURE _METADATA_INSERT _SUCCESS Successfully added metadata of the signature file to local DB INFO Orchestrator Generated when Orchestrator backend poll job successfully adds metadata of the suricata signature file to local DB. 5.2.0  
IDPS_SIGNATURE _METADATA_INSERT _FAILURE Failure to add metadata of the signature file to local DB ERROR Orchestrator Generated when Orchestrator backend poll job fails to add metadata of the suricata signature file to local DB. 5.2.0  

Monitor Firewall Logs

The Firewall Logs page displays the details of firewall log originating from VeloCloud SD-WAN Edges. By default, Edges cannot send their Firewalls logs to Orchestrator. For an Edge to send the Firewall logs to Orchestrator, ensure that the Enable Firewall Logging to Orchestrator customer capability is activated at the Customer level under the Global Settings UI page. Customers must contact their Operator if they want to activate the Firewall Logging feature. By default, Orchestrator retains the Firewall logs until it reaches the maximum retention time of 7 days or maximum log size of 15 GB on a rotation basis.

To view the Edge Firewall logs in Orchestrator:
  1. In the SD-WAN service of the Enterprise portal, navigate to Monitor > Firewall Logs . The Firewall Logs page appears.
    Figure 16. Monitor Firewall Logs

    The page displays the following Edge Firewall Log details: Time, Segment, Edge, Action, Interface, Protocol, Source IP, Source Port, Destination IP, Destination Port, Extension Headers, Rule, Reason, Bytes Received, Bytes Sent, Duration, Application, Destination Domain, Destination Name, Session ID, Signature, IPS Alert, IDS Alert, Signature ID, Category, Attack Source, Attack Target, and Severity.

    Note: Not all fields will be populated for all firewall logs. For example, Reason, Bytes Received/Sent and Duration are fields included in logs when sessions are closed. Signature, IPS Alert, IDS Alert, Signature ID, Category, Attack Source, Attach Target, and Severity are populated only for Enhanced Firewall Services (EFS) alerts, not for firewall logs.
    Firewall Logs are generated:
    • When a flow is created (on the condition that the flow is accepted)
    • When the flow is closed
    • When a new flow is denied
    • When an existing flow is updated (due to a firewall configuration change)
    EFS Alerts are generated:
    • Whenever the flow traffic matches any suricata signatures configured in the EFS engine.
    • If firewall rule has only Intrusion Detection System (IDS) activated, the Edges detect if the traffic flow is malicious or not based on certain signatures configured in the engine. If attack is detected, the EFS engine generates an alert and sends the alert message to VeloCloud Orchestrator/Syslog Server if Firewall logging is activated in Orchestrator, and will not drop any packets.
    • If firewall rule has Intrusion Prevention System (IPS) activated, the Edges detect if the traffic flow is malicious or not based on certain signatures configured in the engine. If attack is detected, the EFS engine generates an alert and blocks the traffic flow to the client only if the signature rule has action as "Reject", matched by the malicious traffic. If the action in the signature rule is "Alert", the traffic will be allowed without dropping any packets even if you configure IPS.
  2. You can use the Filter options and select a filter from the drop-down menu to query the Firewall logs.
  3. Select the CSV option to download a report of the Edge Firewall Logs in CSV format.

Troubleshooting Firewall

You can collect the firewall diagnostic logs by running the remote diagnostic tests on an Edge.

For Edges running Release 3.4.0 or later which also have Stateful Firewall activated, you can use the following remote diagnostic tests to obtain firewall diagnostic information:
  • Flush Firewall Sessions- Run this test on the required Edge by providing the Source and Destination IP addresses to flush the active firewalls session which needs to be reset. This is specifically for the Stateful Firewall. Running this test on an Edge not only flushes the firewall sessions, but actively send a TCP RST for the TCP-based sessions.
  • List Active Firewall Sessions- Run this test to view the current state of the active firewall sessions (up to a maximum of 1000 sessions). You can filter by Source and Destination IP and Port as well as Segment to limit the number of sessions returned.
    Figure 17. List Active Firewall Sessions
    Note: You cannot see sessions that were denied as they are not active sessions. To troubleshoot those sessions, you will need to check the firewall logs.

For additional information about how and when to run these remote diagnostics on an Edge, see VeloCloud SD-WAN Troubleshooting guide available at Arista VeloCloud SD-WAN Troubleshooting Guide.

..