This version of the documentation is no longer supported, but it remains available for your convenience.

Managing firewall rules by server as a tenant administrator


The following procedures explain how to manage firewall rules for servers for your organization:

Note

To manage firewall rules, a server must be provisioned to a network container with one firewall and the network container must not be part of the shared network infrastructure.  If the network container is part of the shared network infrastructure, meaning the network container is a resource shared by other cloud customers, you cannot modify firewall rules for the server provisioned to that network container.

To add a firewall rule

  1. From the Service Instances pane of the BMC My Cloud Services Console, double-click a service instance to display its server or servers.
  2. Select a server and click the Manage Firewall Rules icon.
     The Manage Firewalls dialog is displayed.

You add a firewall rule for a perimeter firewall from the Firewall tab, while you add rules for distributed firewalls from the Distributed Firewall tab, as described in the following sections.

Adding a rule for a perimeter firewall

  1. To create a new rule, click the Add Firewall Rule icon. The Add Firewall Rule dialog box is displayed.

    Tip

    For information about how BMC Network Automation evaluates firewall rules, see Sorting-rules-for-firewalls.

  2. Select or enter values for the following options:
    • Status - Indicates the status of the firewall rule. Selecting the option enables the firewall rule; clearing the checkbox disables it.
    • Allow Traffic - Select the checkbox to permit traffic.
    • Description - Enter a description for the rule.
    • Log - Click this field to enable logging.
    • Transport Protocol - Choose the required protocol, for example, TCP, UDP, and so on.
    • Application Protocol - Select an application protocol or enter a single port number or port range (for example, 4000-4005) in the Port Range field.
    • Source - Select one of the following for the source address:
      • Host Address - Enter the host address.
      • Network Address and Network Mask - Enter the network address and mask. If the network is attached to an interface (inside or outside), do not specify the host address or network address/mask as a source or a destination in a firewall rule for the outbound or inbound access control list (ACL).
    • Destination - Select one of the following for the destination address:
      • Host Address - Enter the host address.
      • Network Address and Network Mask - Enter the network address and mask. 
        When configuring a virtual machine that uses Network Address Translation (NAT), you should apply the same firewall rule to the inbound ACL of the outside interface as you would to the outbound ACL of the inside interface. The destination must be the NAT address.

        Note

        For Amazon Web Services, the Destination endpoint field is a fixed interface, as shown below:

        [Image: Destination endpoint field]

  3. Click Save. The Create Firewall Rules dialog box closes, and the Manage Firewalls dialog box remains open. You can add or change more firewall rules from the Manage Firewalls dialog box.
  4. Click Save on the Manage Firewalls dialog box to save all of your firewall rule changes. A confirmation dialog box appears stating: All changes made to the firewall rules will be saved. Do you want to continue?
  5. Click Yes to save your changes or click No to return to the Firewall Rules dialog box.

Adding a rule for a distributed firewall

To create a new rule for a distributed firewall, select the Distributed Firewalls tab.

  1. Click the Add Firewall Rule icon. The Add Firewall Rule dialog box is displayed.

    Tip

    For information about how BMC Network Automation evaluates firewall rules, see Sorting-rules-for-firewalls.

  2. Select or enter values for the following options:
    • Status - Indicates the status of the firewall rule. Selecting the option enables the firewall rule; clearing the checkbox disables it.
    • Allow Traffic - Select the checkbox to permit traffic.
    • Description - Enter a description for the rule.
    • Log - Click this field to enable logging.
    • Transport Protocol - Choose the required protocol, for example, TCP, UDP, and so on.
    • Application Protocol - Select an application protocol or enter a single port number or port range (for example, 4000-4005) in the Port Range field.
    • Source - Select one of the following for the source address:
      • Host Address - Enter the host address.
      • Network Address and Network Mask - Enter the network address and mask. If the network is attached to an interface (inside or outside), do not specify the host address or network address/mask as a source or a destination in a firewall rule for the outbound or inbound access control list (ACL).
    • Destination - Select one of the following for the destination address:
      • Host Address - Enter the host address.
      • Network Address and Network Mask - Enter the network address and mask.
        When configuring a virtual machine that uses Network Address Translation (NAT), you should apply the same firewall rule to the inbound ACL of the outside interface as you would to the outbound ACL of the inside interface. The destination must be the NAT address.

        Note

        For Amazon Web Services, the Destination endpoint field is a fixed interface, as shown below:

        [Image: Destination endpoint field]

  3. Click Save. The Create Firewall Rules dialog box closes, and the Manage Firewalls dialog box remains open. You can add or change more firewall rules from the Manage Firewalls dialog box.
  4. Click Save on the Manage Firewalls dialog box to save all of your firewall rule changes. A confirmation dialog box appears stating, All changes made to the firewall rules will be saved. Do you want to continue?
  5. Click Yes to save your changes or click No to return to the Firewall Rules dialog box.
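The option lists for perimeter and distributed firewall rules above describe the same rule fields (status, allow traffic, log, transport protocol, port range, and a source and destination given as a host address or a network address and mask) plus two constraints: an address belonging to a network attached to an inside or outside interface must not be used as a source or destination, and a rule for a NAT-translated virtual machine must be applied to both the inbound ACL of the outside interface and the outbound ACL of the inside interface with the NAT address as the destination. The following Python script is an added example, not BMC code and not tied to the BMC My Cloud Services Console API; it models a rule with those fields, validates the port range and the attached-network constraint, and derives the NAT rule pair. The attached networks, the NAT address, and all sample addresses are constructed for the example.

```python
"""Validate a firewall rule definition and derive its NAT ACL pair.

Added example (not BMC code). Field names mirror the Add Firewall Rule
dialog; the attached networks and addresses below are constructed samples.
"""
import ipaddress
import re
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple, Union

Endpoint = Union[ipaddress.IPv4Address, ipaddress.IPv4Network]

# Constructed sample: the networks attached to the firewall's interfaces.
# Addresses from these networks must not appear as a rule's source/destination.
ATTACHED_NETWORKS: Dict[str, ipaddress.IPv4Network] = {
    "inside": ipaddress.ip_network("10.10.0.0/24"),
    "outside": ipaddress.ip_network("203.0.113.0/24"),
}


@dataclass(frozen=True)
class FirewallRule:
    """One rule as entered in the dialog (hypothetical model)."""
    description: str
    transport_protocol: str   # e.g. "TCP" or "UDP"
    port_range: str           # "4000" or "4000-4005"
    source: Endpoint
    destination: Endpoint
    enabled: bool = True      # Status checkbox
    allow_traffic: bool = True
    log: bool = False


def parse_port_range(text: str) -> Tuple[int, int]:
    """Accept a single port ("4000") or a range ("4000-4005"); return (low, high)."""
    match = re.fullmatch(r"\s*(\d{1,5})(?:\s*-\s*(\d{1,5}))?\s*", text)
    if not match:
        raise ValueError(f"malformed port range: {text!r}")
    low = int(match.group(1))
    high = int(match.group(2)) if match.group(2) else low
    if not (0 < low <= 65535 and 0 < high <= 65535):
        raise ValueError(f"port out of range in {text!r}")
    if low > high:
        raise ValueError(f"range start exceeds end in {text!r}")
    return low, high


def parse_endpoint(address: str, mask: str = "") -> Endpoint:
    """Host Address field -> address; Network Address + Network Mask -> network."""
    if mask:
        # strict=True rejects a network address with host bits set.
        return ipaddress.ip_network(f"{address}/{mask}", strict=True)
    return ipaddress.ip_address(address)


def attached_interface(endpoint: Endpoint) -> str:
    """Name of the interface whose attached network contains the endpoint, or ''."""
    for name, net in ATTACHED_NETWORKS.items():
        if isinstance(endpoint, ipaddress.IPv4Network):
            if endpoint.subnet_of(net):      # the attached network itself or a piece of it
                return name
        elif endpoint in net:                # a host inside the attached network
            return name
    return ""


def validate_rule(rule: FirewallRule) -> List[str]:
    """Return the list of problems found; an empty list means the rule is acceptable."""
    problems: List[str] = []
    try:
        parse_port_range(rule.port_range)
    except ValueError as exc:
        problems.append(str(exc))
    for role, endpoint in (("source", rule.source), ("destination", rule.destination)):
        iface = attached_interface(endpoint)
        if iface:
            problems.append(
                f"{role} {endpoint} belongs to the network attached to the {iface} interface"
            )
    return problems


def nat_rule_pair(rule: FirewallRule, nat_address: str) -> List[Tuple[str, str, FirewallRule]]:
    """Mirror one rule for a NAT-translated VM.

    Returns (interface, ACL direction, rule) entries: the same rule on the
    inbound ACL of the outside interface and the outbound ACL of the inside
    interface, each with the NAT address as destination.
    """
    nat_rule = replace(rule, destination=ipaddress.ip_address(nat_address))
    return [("outside", "inbound", nat_rule), ("inside", "outbound", nat_rule)]


if __name__ == "__main__":
    web = FirewallRule("allow HTTPS to web VM", "TCP", "443",
                       parse_endpoint("0.0.0.0", "0.0.0.0"), parse_endpoint("10.10.1.5"))
    print("problems:", validate_rule(web) or "none")
    for iface, direction, r in nat_rule_pair(web, "198.51.100.7"):
        print(f"{iface} {direction} ACL: {r.transport_protocol} {r.port_range} -> {r.destination}")
```

Running the script validates a constructed HTTPS rule and prints the two ACL entries the NAT note calls for; feeding it a source or destination taken from one of the attached networks, or a reversed port range, produces a problem list instead of an empty one.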

To edit a firewall rule

  1. From the Service Instances pane of My Cloud Services Console, double-click a service instance to display its server or servers.
  2. Select a server and click the Manage Firewall Rules icon.
    The Manage Firewalls dialog appears.

    1. On the Manage firewall rules panel, select the firewall to edit from the drop-down list.
    2. Select a rule.
    3. Click the Edit a Firewall icon to display the Edit Firewall Rule dialog box.
    4. Make your updates and click Save.

To delete a firewall rule

  1. From the Service Instances pane of My Cloud Services Console, double-click a service instance to display its server or servers.
  2. Select a server and click the Manage Firewall Rules icon.
    The Manage Firewalls dialog appears.
    1. On the Manage firewall rules panel, select the firewall that contains the rule from the drop-down list.
    2. Select a rule.
    3. Click the Delete a Firewall icon to display the confirmation prompt.
    4. Respond to the prompt to complete the deletion.

Notes

Note the following restrictions pertaining to deleting firewall rules:

  • Firewall rules locked by the Cloud Administrator cannot be deleted by a user with only Cloud End user or Cloud Tenant Administrator permissions.
  • Firewall rules created automatically as a result of network path creation cannot be modified or deleted.
